OAuth 2.0 Web Server Authentication Flow
- The web server redirects the user to Salesforce to authenticate and authorize the server to access the data on the user’s behalf.
- After the user approves access, the web server receives a callback with an authorization code.
- After obtaining the authorization code, the web server passes the authorization code back to Salesforce to get a token response.
- After validating the authorization code, Salesforce passes back a token response. If there’s no error, the token response includes an access token and additional information.
- After the token is granted, the web server accesses the user’s data.
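
The web server's side of the first three steps, as an added example that is not Salesforce's code or part of the original page: it builds the authorization redirect, validates the callback, and prepares the token request without sending it. The `state` check is an assumption added here (the steps above do not mention it), the client ID, secret and redirect URI are constructed placeholders, and `session` stands in for the server-side session store.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Salesforce production login host; the client values are constructed placeholders.
AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"
CLIENT_ID = "EXAMPLE_CONSUMER_KEY"
CLIENT_SECRET = "EXAMPLE_CONSUMER_SECRET"
REDIRECT_URI = "https://app.example.com/oauth/callback"


def build_authorize_redirect(session):
    """Step 1: build the redirect URL and bind a random state to this session."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": session["oauth_state"],
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session, callback_url):
    """Steps 2-3: validate the callback, return (endpoint, form body) to POST."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replay finds nothing
    received = params.get("state", [""])[0]
    # Constant-time comparison on bytes; rejects callbacks not started by this session.
    if expected is None or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback is not tied to this session")
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    # The client secret travels only in the server-to-server POST body, never in a URL.
    body = {
        "grant_type": "authorization_code",
        "code": params["code"][0],
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI,  # must match the value sent in step 1
    }
    return TOKEN_URL, body
```

The returned body is sent as a form-encoded POST over TLS; the access token in the response should stay on the server and out of logs.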