This documentation is for WSO2 API Manager 2.1.0. View documentation for the latest release.

All docs This doc

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: changes Implicit grant image to have an attachment in oppose to web url

Image Removed

Implicit grant type is recommended used to use to obtain access tokens  if if your application (client) is a mobile application or a browser based app such as a JavaScript client.  Like in Authorization code Grant, implicit Grant Similar to authorization code grant, the implicit grant type is also based in on redirection flow but the . The redirection URI includes the access token in the URI fragment. Because of thatTherefore, the client application is capable of interacting with the resource owner user agent to obtain the access token from the redirection URI which is sent from the authorization server.

The implicit grant type does not require client authentication, and relies on the presence of the resource owner and the registration of the redirection URI. The resource owner needs to authenticate with is authenticated by the authorization server to obtain the access token. Because the The access token is encoded into the redirection URI, it . This may be exposed to the resource owner and other applications residing in inside the same device.

The diagram below depicts the flow of Implicit Grant.

Image RemovedImage Added

  1. The client requests for the access token with the client ID and grant type with , and other optional parameters.

  2. Since the resource owner authenticates directly with the authorization server, his/her their credentials will not be shared with the client.

  3. The Authorization Server sends the Access access token in through a URI fragment to the client.

  4. Client extract The client extracts the token from the fragment and send sends the API request to the Resource Server with the access token.


With this grant, the The refresh token will not be issued for the client with this grant, as the client type is public. Also note that , the implicit Implicit grant does not include client authentication because it does not make use of the client secret of the application

The following parameters are required to implement the Implicit grant type in WSO2 API Manager.

NameDescriptionSample value

The OAuth scope you are requesting for the particular token

response_typeThe required response formatid_token

The URL of the Oauth application requesting for the token

nonceAny random value13e2312637dg136e1
client_idClient ID of the OAuth applicationmzdQQ0RZOIqAf549ucIImB4h0SIa

An example is given below : 

Code Block

Invoking the Token API to generate tokens  

In his this example we are using use the WSO2 Playground, which is hosted as a web application, to obtain the access token with implicit grant.

titleBefore you begin,

The following instructions use the sample playground webapp. See For instructions on how to set up the sample webapp, see Setting up the Sample Webapp and follow the steps to setup the sample webapp.

  1. Login to WSO2 API Manager Store and create an application as shown below.
    Image RemovedImage Added
  2. Go to


    the Production keys tab


    for the




    . Add http://localhost:8080/playground2/oauth2client as the

    callback URL,  select implicit from the Grant Types

     Callback URL. Select Implicit from the list of grant types and click Generate Keys

    Image Removed

    The Implicit grant and Code grant type checkboxes are disabled by default in the UI. To enable selecting the checkboxes, enter the Callback URL for the application.

    Image Added

  3. Go to playground app http://wso2is.local:8080/playground2/index.jsp and click click import photos.
    Image RemovedImage Added
  4. Give the information in the table below and click Authorize.

    FieldSample Value
    Authorization Grant Type
    Authorization Code
    Client IdConsumer Key obtained for your application
    ScopeThe scope you have selected for you application
    Callback URLThe callback URL of your application
    Authorize Endpointhttps://localhost:

    Image RemovedImage Added

  5. The playground application redirects to the login page. Enter you username and password and click Sign In.

  6. Click Approve to provide access to your information.

    Image Added

  7. You will receive the access token as follows 

    access-token.pngImage Added


For users to be counted in the Registered Users for Application statistics, which takes the number of users shared each of the Application, they have to generate access tokens using Password Grant type.