How access token is not exposed on the client side?

In the official documentation, Which OAuth 2.0 Flow Should I Use?, in the section Is the Client a Single-Page App, there is:

If the Client is a Single-Page App (SPA), an application running in a browser using a scripting language like JavaScript, there are two grant options: the Authorization Code Flow with Proof Key for Code Exchange (PKCE) and the Implicit Flow with Form Post. For most cases, we recommend using the Authorization Code Flow with PKCE because the Access Token is not exposed on the client side.

I’m not sure whether I misunderstood something, but when using an SPA with this flow, how is the token not exposed on the client side?

Hi there @canyon ,

The language is used rather to showcase that:

with the implicit flow: the token received resides in a part of the URL
vs
with PKCE: you will not find the actual token in the URL.

This is how I see the difference. :slight_smile:

I think that this can be misunderstood when reading the documentation.

Regardless of whether the token is part of the URL or part of the request body, it is accessible from the request, which exposes the access token on the client side.