authorization code is sent to a client as the first step in an Authorization Code Grant. When the client receives the authorization code, it calls the Login with Amazon authorization service
with the code, their client identifier
and client secret
The authorization code is useless by itself, and therefore any malware that intercepts the authorization code cannot impersonate the client to gain an access token.