Version v1

When you have a trusted server (Node, .NET, PHP, etc.), perform the token exchange there so the client secret never reaches the browser.

This is the right model for custom OAuth code integrations. The React SDK and plain JS paths (popup / script integration) are separate; see Intastellar Sign-In — React SDK and plain JavaScript.

Sequence

  1. Browser completes the redirect flow and lands on your callback with code and state.
  2. Your callback route verifies state, then calls your backend (or runs server-side in the same request) to exchange the code.
  3. Backend POSTs to TOKEN_ENDPOINT with grant_type=authorization_code, code, redirect_uri, client_id, and client_secret.
  4. Backend creates a session for the user (set cookie, store tokens server-side).
  5. Browser is redirected to the app with only your session cookie.

Example (conceptual)

POST TOKEN_ENDPOINT
Content-Type: application/x-www-form-urlencoded
 
grant_type=authorization_code
&code=AUTHORIZATION_CODE
&redirect_uri=https%3A%2F%2Fapp.example.com%2Fauth%2Fcallback
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET

Add PKCE parameters if this client is configured as hybrid or if the authorization step used PKCE.

Secret storage

  • Load client_secret from environment variables or a secret manager.
  • Rotate secrets if exposed; use separate credentials per environment.

Next

Logout, errors, and troubleshooting.
