The authorization code flow is used by server-side applications. It uses the secret key, which must be secured client side, and requires interactive user authorization. The refresh token can have a longer expiration and be used to generate a new access token after one expires.