What is OAuth 2.0 Flows? — UK Software Development Guide

4 min readJune 2025ClickMasters Technical TeamReviewed by James Whitmore, CTO
what are oauth 2.0 flows

Direct Answer

OAuth 2.0 defines several authorisation "flows" for different use cases: Authorisation Code Flow (for web apps — user redirected to authorisation server, code exchanged for tokens), Authorisation Code with PKCE (for SPAs and mobile apps — adds Proof Key for Code Exchange security extension), Client Credentials Flow (for machine-to-machine communication — no user involved), and Device Authorisation Flow (for input-limited devices).

Oauth-flows in the UK

UK government APIs predominantly use Authorisation Code with PKCE: HMRC MTD OAuth 2.0 requires PKCE, NHS Login uses OIDC (which builds on OAuth 2.0 Authorisation Code + PKCE), and GOV.UK Verify used OAuth 2.0 before being replaced by NHS Login. The GDS API design guide recommends Authorisation Code with PKCE for all user-delegated OAuth 2.0 flows in government services. Client Credentials is used for machine-to-machine government API access (Companies House API, for example).

Get Expert Advice on Oauth-flows

Speak with our UK software development experts about Oauth-flows. Free consultation, transparent pricing, no obligation.