# Authorize

> Initiate the OAuth 2.0 Implicit Flow to obtain tokens directly from the authorization endpoint.

## Endpoint

`GET /authorize`

This endpoint implements the OAuth 2.0 Implicit Grant, which web apps use to obtain tokens for accessing an API.

### Responses

#### 302

A successful request will redirect the user to the specified callback URL with the access token.

```text theme={null}
HTTP/1.1 302 Found
Location: ${account.callback}#access_token=TOKEN&state=STATE&token_type=TYPE&expires_in=SECONDS
```

### Remarks

* The `redirect_uri` value must be specified as a valid callback URL under your [Application's Settings](https://manage.auth0.com/dashboard).
* If `response_type=token`, after the user authenticates with the provider, Auth0 redirects them to your application's callback URL, passing the `access_token` in the URL fragment (`location.hash`). This is used by Single-Page Apps and Native Mobile SDKs.
* The Implicit Grant does not support the issuance of Refresh Tokens. Use [Silent Authentication](https://auth0.com/docs/authenticate/login/configure-silent-authentication) instead.
* In order to improve compatibility for applications, Auth0 will now return profile information in a [structured claim format as defined by the OIDC specification](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims). This means that in order to add custom claims to ID tokens or Access Tokens, they must [conform to a namespaced format](https://auth0.com/docs/secure/tokens/json-web-tokens/create-custom-claims) to avoid possible collisions with standard OIDC claims.
* Silent Authentication lets you perform an authentication flow where Auth0 will only reply with redirects, and never with a login page. When an Access Token has expired, silent authentication can be used to retrieve a new one without user interaction, assuming the user's Single Sign-on (SSO) session has not expired.

### Learn More

* [Implicit Flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post)
* [State Parameter](https://auth0.com/docs/secure/attack-protection/state-parameters)
* [Mitigate replay attacks when using the Implicit Grant](https://auth0.com/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post/mitigate-replay-attacks-when-using-the-implicit-flow)
* [Silent Authentication](https://auth0.com/docs/authenticate/login/configure-silent-authentication)

## Query Parameters

<ParamField query="audience" type="string">
  The unique identifier of the target API you want to access.
</ParamField>

<ParamField query="resource" type="string">
  The identifier of the target API (resource server) you want to access. Must match an API Identifier registered in your Auth0 tenant. Used as an alternative to `audience` when the tenant's [Resource Parameter Compatibility Profile](https://auth0.com/docs/get-started/tenant-settings#settings-advanced) is set to `compatibility`.
</ParamField>

<ParamField query="scope" type="string">
  The scopes which you want to request authorization for. These must be separated by a space.
</ParamField>

<ParamField query="response_type" type="string" required>
  This will specify the type of token you will receive at the end of the flow. Use `token` to get only an Access Token, `id_token` to get only an ID token, or `id_token token` to get both.

  Allowed values: `token`, `id_token`, `id_token token`
</ParamField>

<ParamField query="client_id" type="string" required>
  Your application's ID.
</ParamField>

<ParamField query="state" type="string">
  An opaque value to prevent CSRF attacks.
</ParamField>

<ParamField query="redirect_uri" type="string">
  The URL to which Auth0 will redirect the browser after authorization.
</ParamField>

<ParamField query="nonce" type="string">
  A string value included in the ID token response to prevent token replay attacks.
</ParamField>

<ParamField query="connection" type="string">
  The name of the connection configured for your application.
</ParamField>

<ParamField query="prompt" type="string">
  To initiate a silent authentication request, use `prompt=none`.
</ParamField>

<ParamField query="organization" type="string">
  ID of the organization to use when authenticating a user.
</ParamField>

<ParamField query="invitation" type="string">
  Ticket ID of the organization invitation.
</ParamField>

## Response Messages

| Status | Description                                                    |
| ------ | -------------------------------------------------------------- |
| 302    | Redirects to the specified callback URL with the access token. |
