Because regular web apps are server-side apps where the source code is not publicly exposed, Authorization Code Flow can be used, which exchanges an Authorization Code for a token. OAuth 2.0 provides a version of the Authorization Code Flow which makes use of a Proof Key for Code Exchange (PKCE).

Step 1: Generate a code_challenge. (Call this endpoint as a first step).
Step 2: Exchange the code_challenge & code_verifier for an access_token (Call /access_token/<string:code_verifier>/<string:code_challenge>).