Mobile & Desktop apps - Authorization Code Grant (PKCE)

In order to access the Aventus Platform API from a mobile app, you’ll need to implement the Authorization Code using Proof Key for Code Exchange (PKCE) OAuth2 flow.

This authorization flow is a two-step process,

  • Request an authorization code
  • Exchange the authorization code for an access token

1. Generate a code_verifier

A code_verifier is a randomly generated token of 128 bytes that is Base64 URL encoded

2. Generate a code_challenge

The only code challenge method supported by the Aventus Platform is S256.

2.1 Generate a SHA256 hash of the code_verifier

2.2 Base64 URL Encode the sha256 hash from the previous step

3. Authorize the user

Redirect the user to the /authorize endpoint. The user will authenticate and grant your application access for the requested scopes

Request Parameters

audienceThe API you are requesting access for (API Base URL)
scopeThe scopes that you want to request authorization for. Each scope must be separated by a space.
client_idYour application’s Client ID (provided by Aventus when you registered your application)
stateA randomly generated unique value included in the request that is also returned in the token response, this is used to prevent cross-site request forgery attacks.
redirect_uriThe redirect_uri of your application, where authentication responses will be sent to.

The redirect uri must exactly match one of the callback URLs provided when registering your application
code_challengeThe code_challenge generated in step 2

The only code challenge method supported by the Aventus Platform is S256


At this point, the user is asked to enter their credentials and consent to the permissions (scopes) requested by your application. After the user has grants consent to your application, Aventus sends a response to the redirect_uri with an authorization_code in the query string.

codeThe authorization code that your application requested. Your application can use this authorization code to request an access token for the API.
stateThe state parameter sent in the response should be the same value sent in the request. It is good practice to verify that the state values in the request and response are identical.

4. Exchange the authorization code for an access token

Using the authorization code (code) from the previous step, send a POST request to the /token endpoint

using (var client = new HttpClient())
  client.BaseAddress = new Uri("");
  var bodyContent = new StringContent(@"{""grant_type"":""authorization_code"",""client_id"":""YOUR_CLIENT_ID"",""code_verifier"":""YOUR_GENERATED_CODE_VERIFIER"",""code"":""YOUR_AUTHORIZATION_CODE"",""redirect_uri"":""YOUR_CALLBACK_URL""}", Encoding.UTF8, "application/json");
  var response = await client.PostAsync("oauth/token", bodyContent);

Request Parameters

client_idYour application’s Client ID (provided by Aventus when you registered your application)
code_verifierThe random key generated in step 1 that was used to generate the code_challenge
codeThe authorization code that you received in step 3
redirect_uriThe redirect URL sent in the /authorize request in step 3. It must be identical to what was sent in the /authorize request.


access_tokenThe requested access token as a signed JSON Web Token (JWT). Your application can use this token to access the Aventus Platform API.
token_typeIndicates the token type. The only token type supported by the Aventus Platform is Bearer
expires_inHow long the access token is valid (in seconds)

Error Response

errorOAuth error code
error_descriptionDescription of the error