Skip to content

Other grants (client-credentials, implicit) & PKCE status

Status Stable · Last verified 2026-07-11 · API v10 · Source OAuth2

The authorization-code flow covers almost every app. Discord also documents two other grants, and it’s worth knowing what is — and isn’t — supported.

For getting a bearer token for your own app, with no user involved.

[!NOTE] Verified Documented as “a quick and easy way for bot developers to get their own bearer tokens for testing purposes.” Source: OAuth2.

POST https://discord.com/api/oauth2/token
Authorization: Basic base64(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
scope=identify connections # optional, space-separated
  • Authenticates with HTTP Basic auth (client id as username, secret as password).
  • Returns an access token scoped to the app owner. Use it for testing and owner-scoped calls — not as a substitute for the bot token or a user login.

A browser-only flow that returns the token directly in the redirect fragment.

[!CAUTION] Verified — documented but discouraged The implicit grant (response_type=token) is “a simplified flow optimized for in-browser clients.” Discord warns the “access token is returned in the URI fragment, which makes it possibly exposed to unauthorized parties,” and you are not returned a refresh token. Prefer the authorization-code flow with a server-side exchange. Source: OAuth2.

[!WARNING] Verified absence (2026-07-11) As of this verification, Discord’s OAuth2 documentation does not describe PKCE (code_challenge / code_challenge_method). We therefore do not claim PKCE support. If you need a public-client flow, keep the code exchange server-side (authorization-code flow) so the client_secret never reaches the client. Re-check the OAuth2 docs before relying on PKCE; tracked in the backlog.

Need Grant
Log a user in / act for a user Authorization-code
A token for your own app (testing/owner) Client-credentials
Browser-only, no server Implicit — but prefer auth-code with a tiny server
Public client without a secret Not via PKCE (undocumented) — use a server-side exchange