Authorization code grant type for protecting REST API

When a REST API is protected with an authorization code flow, how does a client program get an authorization code and send it to the API for verification? The client program can get a session token using username and password. It also can use the session token and client id to get an authorization token. However, the authorization code will be sent to the redirect_uri, which is the REST API URL. So, the client cannot get the authorization code. How does it work?

Hello. Your redirect URI should be an endpoint in your application that is coded to handle the authorization code sent by Okta. If it’s a front-end application then you will need to use the PKCE flow to send that auth code back to Okta (/token endpoint) in exchange for tokens. If you are using a backend server, then you will send that auth code back to Okta (/token endpoint) along with your client secret in exchange for tokens.

The access token that Okta returns in the flows mentioned above is what you will use for API access management. Check out some of the links below for more information on this flow:

Auth code flow with client secret
Auth code flow with PKCE
Validating access tokens

I hope this helps.