Hi @zhartaunik,
This all depends on the grant type, and it sounds like you are using the authorization code flow (typically for regular web apps). If that is the case, you have it correct!
For more info:
https://auth0.com/docs/api-auth/tutorials/authorization-code-grant
If you would like to see an example, check out our quickstarts:
Let me know if that makes sense.
Thanks,
Dan