Olympus Docs

OAuth2 grant types

Every OAuth2 grant type, supported and unsupported

Olympus supports four OAuth2 grant types and explicitly rejects two deprecated ones.

Supported

| Grant | RFC | When to use |
| --- | --- | --- |
| Authorization Code | RFC 6749 §4.1 | Server-side web apps that can keep a secret. |
| Authorization Code + PKCE | RFC 7636 | Public clients (SPAs, mobile, CLIs). Mandatory in Olympus. |
| Client Credentials | RFC 6749 §4.4 | Backend-to-backend (M2M). No user involved. |
| Refresh Token | RFC 6749 §6 | Renewing access tokens without re-authenticating the user. |

Not supported (deprecated)

| Grant | RFC | Why |
| --- | --- | --- |
| Implicit | RFC 6749 §4.2 (deprecated) | Never. Removed in OAuth 2.1. Use PKCE instead. |
| Resource Owner Password Credentials | RFC 6749 §4.3 (deprecated) | Never. Removed in OAuth 2.1. Use Authorization Code instead. |

See Integrate, OAuth2 overview for picking the right grant.
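
The following is an added example, not Olympus code: a sketch of how a server could enforce the two tables above, using the error codes from RFC 6749 and the S256 check from RFC 7636. The function names, the `public_client` flag and the `stored_challenge` parameter are assumptions made for illustration, and Olympus's actual responses may differ.

```python
import base64
import hashlib
import hmac
import re

# Token-endpoint grant_type values for the supported rows (RFC 6749 names).
SUPPORTED_GRANTS = {"authorization_code", "client_credentials", "refresh_token"}
# RFC 7636 §4.1: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 §4.2: BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_authorization_request(response_type: str):
    """Implicit is requested as response_type=token at the authorization
    endpoint, so it has to be refused there, not at the token endpoint."""
    return None if response_type == "code" else "unsupported_response_type"


def check_token_request(params: dict, public_client: bool, stored_challenge=None):
    """Return None if the request is acceptable, else an RFC 6749 §5.2 error.

    stored_challenge is the S256 code_challenge saved with the authorization
    code (assumed storage model).
    """
    grant = params.get("grant_type")
    if grant is None:
        return "invalid_request"
    if grant not in SUPPORTED_GRANTS:
        return "unsupported_grant_type"  # e.g. grant_type=password
    if grant == "client_credentials" and public_client:
        # RFC 6749 §4.4: confidential clients only.
        return "unauthorized_client"
    if grant == "authorization_code" and public_client:
        verifier = params.get("code_verifier")
        if stored_challenge is None or not verifier:
            return "invalid_request"
        if not VERIFIER_RE.fullmatch(verifier):
            return "invalid_request"
        # Constant-time comparison of the recomputed challenge.
        if not hmac.compare_digest(s256_challenge(verifier), stored_challenge):
            return "invalid_grant"
    return None
```
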