You’re using response_type=token in the authorization endpoint request, which signals that you’re performing an implicit grant, where the issued response will be delivered to the client-side components of your web application (by default this is achieved by including the response in the fragment component of the redirect URL).

The above is useful for browser-based applications (SPAs), where the application logic is on the client side and as such the tokens need to be available there.

If you have a more traditional web application, where the issued tokens will be used from the server side and not from the client side, then you should be using an authorization code grant by configuring response_type=code. This, by default, will trigger the response to be included in the query component of the redirect URL and as such be available to the server side. Bear in mind that in this mode you’ll need to perform an additional request to actually obtain the tokens. See the following documentation for more information: Authorization Code Flow
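To make the difference concrete, here is an added example (not code from the original answer or from any vendor SDK) that builds the authorization request for each response_type, shows where the response lands on the redirect URL (fragment for the implicit grant, query for the authorization code grant), checks the state parameter before trusting either, and prepares the additional back-channel request that redeems a code for tokens. The tenant domain, client id, redirect URI and the /authorize and /oauth/token paths are placeholder assumptions; the redirect URLs in the usage section are constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders: not a real tenant, client or application.
DOMAIN = "https://example.auth.invalid"          # assumed authorization server
CLIENT_ID = "my-client-id"                        # assumed client id
REDIRECT_URI = "https://app.example/callback"     # assumed registered callback


def build_authorize_url(response_type, state, nonce=None, scope="openid profile"):
    """Build the authorization endpoint request for either grant.

    response_type="token" selects the implicit grant; response_type="code"
    selects the authorization code grant. The /authorize path is assumed.
    """
    if response_type not in ("token", "code"):
        raise ValueError("unsupported response_type: " + response_type)
    params = {
        "response_type": response_type,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,  # random, unguessable value bound to this browser session
    }
    if nonce:  # an OpenID Connect nonce is expected when an id_token is requested
        params["nonce"] = nonce
    return DOMAIN + "/authorize?" + urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """Locate the authorization response in the redirect URL.

    Returns ("fragment", params) when the response came back in the fragment
    component (implicit grant; only client-side script can read it) and
    ("query", params) when it came back in the query component (authorization
    code grant; the server receiving the request can read it). Raises if the
    state does not match the value this client sent, which protects the
    callback against CSRF and mixed-up responses.
    """
    parts = urlsplit(redirect_url)
    if parts.fragment:
        location, raw = "fragment", parts.fragment
    else:
        location, raw = "query", parts.query
    params = {k: v[0] for k, v in parse_qs(raw).items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: rejecting authorization response")
    if "error" in params:
        raise ValueError("authorization error: " + params["error"])
    return location, params


def build_token_request(code, client_secret):
    """Form body for the extra request the code grant needs to obtain tokens.

    Sent as a POST from the server side to the token endpoint, so the client
    secret never reaches the browser. The /oauth/token path is assumed.
    """
    return (
        DOMAIN + "/oauth/token",
        {
            "grant_type": "authorization_code",
            "client_id": CLIENT_ID,
            "client_secret": client_secret,
            "code": code,
            "redirect_uri": REDIRECT_URI,  # must match the value sent to /authorize
        },
    )


if __name__ == "__main__":
    state = "7f3a9c1e"  # constructed; generate with secrets.token_urlsafe() in practice
    print(build_authorize_url("token", state, nonce="n-0S6_WzA2Mj"))
    print(build_authorize_url("code", state))

    # Constructed redirects: implicit grant returns tokens in the fragment,
    # the code grant returns a one-time code in the query component.
    implicit = "https://app.example/callback#access_token=xyz&token_type=Bearer&expires_in=7200&state=" + state
    code_flow = "https://app.example/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=" + state
    print(parse_redirect(implicit, state))
    where, params = parse_redirect(code_flow, state)
    print(where, build_token_request(params["code"], "client-secret-placeholder"))
```

In the implicit case the tokens are already present after parse_redirect; in the code case the server still has to POST the body returned by build_token_request, authenticating with the client secret, before it holds any tokens.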