Olympus Documentation What is Olympus Architecture Repo Map License Glossary

Athena API Authentication Athena API Errors Athena API Pagination Athena Settings API SDK Settings API

Environment variables

OAuth2 grant types Authorization Code Authorization Code + PKCE Client Credentials Refresh Token Implicit Resource Owner Password Credentials

ReferenceGrants

Implicit

Returned tokens directly in the authorization URL fragment. Insecure (token in URL, browser history, referrer).

Implicit

Spec: RFC 6749 §4.2 (deprecated)

Supported in Olympus: No (deprecated; do not use)

When to use

Never. Removed in OAuth 2.1. Use PKCE instead.

How it works

Returned tokens directly in the authorization URL fragment. Insecure (token in URL, browser history, referrer).

Why not

This grant is deprecated and removed in OAuth 2.1. Olympus rejects it. The replacement is Authorization Code + PKCE.

Related

Integrate, OAuth2 overview
Security, PKCE enforcement

Refresh Token

Client exchanges refresh token for a new access token (and a new refresh token, Hydra rotates).

Resource Owner Password Credentials

Client collected the user's password and POSTed directly to the token endpoint. The user's password is in your app, defeats the point of OAuth2 delegation.

On this page

Implicit When to use How it works Why not Related