A web server token granting flow begins with a client making an authorization request to an authorization server, which authenticates the client and redirects it back to the web server with an authorization code. The web server then requests an access token from the authorization server's token endpoint by including the authorization code, and upon validating the code, the authorization server returns an access token to the web server to call the resource owner's API on behalf of the client.