Other grants (client-credentials, implicit) & PKCE status
このコンテンツはまだ日本語訳がありません。
Status
Stable· Last verified 2026-07-11 · APIv10· Source OAuth2
The authorization-code flow covers almost every app. Discord also documents two other grants, and it’s worth knowing what is — and isn’t — supported.
Client-credentials grant
Section titled “Client-credentials grant”For getting a bearer token for your own app, with no user involved.
[!NOTE] Verified Documented as “a quick and easy way for bot developers to get their own bearer tokens for testing purposes.” Source: OAuth2.
POST https://discord.com/api/oauth2/tokenAuthorization: Basic base64(client_id:client_secret)Content-Type: application/x-www-form-urlencoded
grant_type=client_credentialsscope=identify connections # optional, space-separated- Authenticates with HTTP Basic auth (client id as username, secret as password).
- Returns an access token scoped to the app owner. Use it for testing and owner-scoped calls — not as a substitute for the bot token or a user login.
Implicit grant
Section titled “Implicit grant”A browser-only flow that returns the token directly in the redirect fragment.
[!CAUTION] Verified — documented but discouraged The implicit grant (
response_type=token) is “a simplified flow optimized for in-browser clients.” Discord warns the “access token is returned in the URI fragment, which makes it possibly exposed to unauthorized parties,” and you are not returned a refresh token. Prefer the authorization-code flow with a server-side exchange. Source: OAuth2.
PKCE — not documented
Section titled “PKCE — not documented”[!WARNING] Verified absence (2026-07-11) As of this verification, Discord’s OAuth2 documentation does not describe PKCE (
code_challenge/code_challenge_method). We therefore do not claim PKCE support. If you need a public-client flow, keep the code exchange server-side (authorization-code flow) so theclient_secretnever reaches the client. Re-check the OAuth2 docs before relying on PKCE; tracked in the backlog.
Which grant to use
Section titled “Which grant to use”| Need | Grant |
|---|---|
| Log a user in / act for a user | Authorization-code |
| A token for your own app (testing/owner) | Client-credentials |
| Browser-only, no server | Implicit — but prefer auth-code with a tiny server |
| Public client without a secret | Not via PKCE (undocumented) — use a server-side exchange |