# OAuth 2.1 Concepts

MyInfo APIs use the [OAuth 2.1](https://oauth.net/2.1/) authorization code flow for authentication and authorization; it lets mobile and web clients obtain tokens securely. OAuth 2.1 folds the OAuth 2.0 security best practices into the base specification: the authorization code flow must use PKCE, the implicit and resource-owner-password grants are removed, and redirect URIs are matched exactly.

The code flow has two parts:

1. An authorization flow that runs in the user's browser (the front channel)
2. A token flow that is a server-to-server call (the back channel)

***

## 1. Authorization Flow

<figure><img src="https://1982108655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fk67iNluSpweCPqhbIY5t%2Fuploads%2FqGSFvfW10qoD9SuBAmRS%2Fimage.png?alt=media&#x26;token=14eb42ae-4664-444b-9858-00e914b8bcfe" alt=""><figcaption></figcaption></figure>

1. The client application redirects the user's browser to the /authorize endpoint of the AuthZ server.
2. The AuthZ server redirects the browser to Singpass, the AuthN (authentication) server.
3. The user authenticates with Singpass and is redirected back to the AuthZ server.
4. The AuthZ server redirects to the consent page to obtain the user's consent.
5. The user consents.
6. The AuthZ server redirects the browser back to the client application's callback URL with a single-use Authorization Code (authcode). The authcode alone grants no access; it is only useful to a client that can complete the token flow below.

## 2. Token Flow

<figure><img src="https://1982108655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fk67iNluSpweCPqhbIY5t%2Fuploads%2FokMF84Zq5czeOEfF1I05%2Fimage.png?alt=media&#x26;token=3d24a0fc-a7ab-49b0-a13d-c5134b95566c" alt=""><figcaption></figcaption></figure>

1. The client application makes a POST request to the /token endpoint with the authcode and a client\_assertion (a signed JWT that authenticates the client, per RFC 7523).
2. The AuthZ server validates the authcode and the client\_assertion before issuing the access\_token. Because this call is server-to-server, the client's signing key and the resulting access\_token never pass through the browser.

