Which OAuth 2.0 grant works best for me?

A grant is a method for acquiring an access token. To decide which grant to implement, consider the type of client the end user will be using and the end-user experience you want to offer.

OpenID Connect supports the following authentication flows:

| Use case | Trustworthiness | Suggested OAuth 2.0 authorization grant_type |
|---|---|---|
| Publicly available apps (apaleo store apps) | Most secure grant type. If the client is a web app that has a server-side component, implement the authorization code grant. If you can use server-side scripting, use this grant. | Authorization code grant |
| Private apps (custom project for one hotel) | Highly trusted applications, written by internal developers or by developers with a trusted business relationship with the user. All parties trust each other and no external resources are involved. Usually used for machine-to-machine authorization, i.e. applications that need to access resources on their own behalf. | Client credentials grant |
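As an added example (not apaleo's own code), the Python below builds the HTTP messages each of the two grants above produces and validates the callback of the authorization code grant. The endpoint URLs, client identifiers and scope values are placeholders; the `state` check is the step a server-side component must perform before exchanging the code.

```python
"""Message shapes for the authorization code and client credentials grants.
Added example; endpoint URLs and client values are placeholders."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://identity.example/connect/authorize"  # placeholder
TOKEN_URL = "https://identity.example/connect/token"          # placeholder


def form_fields(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def authorization_request(client_id, redirect_uri, scope):
    """Authorization code grant, step 1: URL the user's browser is sent to.
    `state` is a random value bound to the user's session; it is returned
    with the callback so the app can reject forged or mixed-up redirects."""
    state = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def handle_callback(callback_url, expected_state):
    """Authorization code grant, step 2: validate the redirect back from the
    authorization server and extract the one-time code."""
    q = form_fields(urlparse(callback_url).query)
    if q.get("state") != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error']}")
    return q["code"]


def code_token_request(code, client_id, client_secret, redirect_uri):
    """Authorization code grant, step 3: the server-side component exchanges
    the code for tokens. The client secret stays on the server, which is why
    this grant needs a server-side component."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id,
            "client_secret": client_secret}
    return TOKEN_URL, urlencode(body)


def client_credentials_request(client_id, client_secret, scope):
    """Client credentials grant: a single request, no user involved; the app
    obtains a token to act on its own behalf."""
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}
    return TOKEN_URL, urlencode(body)
```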

Implementing OAuth in your applications

The following topics describe how to generate OAuth access tokens using each of the two grant flows: