# Choose the Right Authentication Flow

Authentication is handled based on five distinct personas. The persona determines which OAuth 2.0 flow you must use:

* **User**: An eGain agent or user. Uses **Authorization Code flow** or **PKCE**.
* **Customer**: A logged-in end-user. Uses **Authorization Code flow** or **PKCE**.
* **Anonymous Customer**: A non-logged-in end-user. Uses **Client Credentials flow**.
* **Client App**: The application itself (server-to-server). Uses **Client Credentials** or **On-Behalf-Of flow**.
* **External Identity**: Users authenticated via third-party services (Okta, Azure). Uses **Token Exchange flow**.


**Important: Matching Flows to Scopes**
To avoid authorization errors, your flow must match both the persona and the type of scope you request:

* **Client Credentials:** Use for **Application scopes**.
* **User/Customer Flows:** Use for **Delegated scopes**.
* **On-Behalf-Of (OBO):** A hybrid flow for **OBO delegated scopes**.


**Next Steps:**

- Choose a specific flow based on your persona:
  - [Auth Code](/developer-portal/guides/authentication/auth-code-flow)
  - [PKCE](/developer-portal/guides/authentication/pkce-flow)
  - [Client Credentials](/developer-portal/guides/authentication/client-credentials-flow)
  - [On-Behalf-Of](/developer-portal/guides/authentication/on-behalf-of-flow)
  - [Token Exchange](/developer-portal/guides/authentication/token-exchange-flow)
- [Make Authenticated Requests](/developer-portal/guides/authentication/making-requests)