Common grants
- Authorization Code + PKCE: browsers and native apps.
- Client Credentials: service‑to‑service.
- Refresh Token: long‑lived sessions for first‑party apps.
Client Credentials — try it
curl -X POST http://localhost:3000/oauth/token \
  -d 'grant_type=client_credentials' -u 'demo-client:demo-secret'
Protected API using access token
curl http://localhost:3000/api/profile -H "Authorization: Bearer <access_token>"
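
Added example (not part of the original page): the two curl calls above written in Python, showing what `-u` and `-d` put on the wire and how the token moves from the token response into the API request. It assumes the demo server answers with the standard RFC 6749 JSON token response (`access_token`, `token_type`); the function names are illustrative.

```python
import base64
import json
import urllib.parse
import urllib.request

BASE = "http://localhost:3000"  # demo server from the curl commands above


def build_token_request(client_id, client_secret):
    """Same request as `curl -d grant_type=client_credentials -u id:secret`."""
    # curl -u sends HTTP Basic: base64("id:secret") in the Authorization header.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(
        f"{BASE}/oauth/token",
        data=body,  # supplying a body makes urllib issue a POST
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def parse_token_response(raw):
    """Return the access token; raise on an error or non-Bearer response."""
    # Assumption: RFC 6749 JSON shape; the demo server's real output may differ.
    doc = json.loads(raw)
    if "error" in doc:
        raise ValueError(f"token endpoint refused: {doc['error']}")
    if doc.get("token_type", "").lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("response carries no usable bearer token")
    return doc["access_token"]


def build_api_request(access_token):
    """Same request as the curl call to /api/profile with a Bearer header."""
    return urllib.request.Request(
        f"{BASE}/api/profile",
        headers={"Authorization": f"Bearer {access_token}"},
    )


if __name__ == "__main__":  # needs the demo server running on localhost:3000
    with urllib.request.urlopen(build_token_request("demo-client", "demo-secret")) as r:
        token = parse_token_response(r.read())
    with urllib.request.urlopen(build_api_request(token)) as r:
        print(r.read().decode())
```

The client secret travels in the Basic header and the access token in the Bearer header, so both calls need TLS anywhere other than a local demo.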