{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["admonition"]},"type":"markdown"},"seo":{"title":"Choose the Right Authentication Flow","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"choose-the-right-authentication-flow","__idx":0},"children":["Choose the Right Authentication Flow"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Authentication is handled based on four distinct personas. The persona determines which OAuth 2.0 flow you must use:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["User"]},": An eGain agent or user. Uses ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Authorization Code flow"]}," or ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["PKCE"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Customer"]},": A logged-in end-user. Uses ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Authorization Code flow"]}," or ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["PKCE"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Anonymous Customer"]},": A non-logged-in end-user. Uses ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client Credentials flow"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client App"]},": The application itself (server-to-server). 
Uses ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client Credentials"]}," or ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["On-Behalf-Of flow"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["External Identity"]},": Users authenticated via third-party services (Okta, Azure). Uses ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Token Exchange Flow"]},"."]}]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Important: Matching Flows to Scopes"]}," ","To avoid authorization errors, the flow you use for your persona must also match the type of scope you request:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client Credentials:"]}," Use for ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Application scopes"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["User/Customer Flows:"]}," Use for ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Delegated scopes"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["On-Behalf-Of (OBO):"]}," A hybrid flow for ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OBO delegated scopes"]},"."]}]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Next Steps:"]}]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Choose a specific flow based on your 
persona:",{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/developer-portal/guides/authentication/auth-code-flow"},"children":["Auth Code"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/developer-portal/guides/authentication/pkce-flow"},"children":["PKCE"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/developer-portal/guides/authentication/client-credentials-flow"},"children":["Client Credentials"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/developer-portal/guides/authentication/on-behalf-of-flow"},"children":["On-Behalf-Of"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/developer-portal/guides/authentication/token-exchange-flow"},"children":["Token Exchange"]}]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/developer-portal/guides/authentication/making-requests"},"children":["Make Authenticated Requests"]}]}]}]},"headings":[{"value":"Choose the Right Authentication Flow","id":"choose-the-right-authentication-flow","depth":1}],"frontmatter":{"seo":{"title":"Choose the Right Authentication Flow"}},"lastModified":"2026-05-01T21:13:42.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/developer-portal/guides/authentication/flow_overview","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}