
OAuth authorization code flow security question (authorization code intercepted by a hacker)


Something I can't wrap my head around. As I understand it, the authorization code flow is supposed to be more secure than the implicit flow, because the tokens are not sent directly to the client from the authorization server, but rather retrieved by your backend. So the flow is basically:

  1. Browser gets the authorization code (as a URL parameter of sort).
  2. Sends it to a public backend endpoint.
  3. The backend sends the code + client secret to the authorization server, retrieves the tokens and stores them in the client's cookie/local storage for further use.

In this flow, all the tutorials describe the authorization code as useless to the hacker. Why is that? Can't a hacker use Postman or some other client and access your (public) API directly, make it go through step 3 and thus retrieve the tokens just the same?

What am I missing here?


Solution

  • The code is used exactly once. In many scenarios that an attacker might get access to the code, it's already been exchanged for an access token and therefore useless.

    The authorization_code is a one-time token.
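To make the one-time property concrete, here is an added example (not from the original post or any real OAuth library): a toy token endpoint that burns each authorization code on first redemption, requires the confidential client's secret, and rejects codes older than the 10-minute lifetime RFC 6749 recommends. The client name, secret and code values are constructed, and `scenario()` replays the question's attack against it.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600  # RFC 6749 sec. 4.1.2 recommends a code lifetime of at most 10 minutes

class AuthorizationServer:
    """Token endpoint of a toy OAuth 2.0 authorization server (constructed example)."""
    def __init__(self, clock=time.time):
        # Registered confidential client -> client secret (constructed sample values).
        self.clients = {"web-app": "s3cret-backend-only"}
        self.codes = {}  # code -> {"client_id", "issued_at", "redeemed"}
        self.clock = clock

    def issue_code(self, client_id):
        """Runs after user consent; the returned code is what the browser carries."""
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "issued_at": self.clock(), "redeemed": False}
        return code

    def exchange(self, code, client_id, client_secret):
        """Redeem a code for tokens; each rejection uses the matching RFC 6749 error code."""
        expected = self.clients.get(client_id, "")
        if not hmac.compare_digest(expected, client_secret):
            return {"error": "invalid_client"}  # only the backend holds the secret
        entry = self.codes.get(code)
        if entry is None or entry["client_id"] != client_id or entry["redeemed"]:
            return {"error": "invalid_grant"}  # unknown, issued to another client, or spent
        if self.clock() - entry["issued_at"] > CODE_TTL_SECONDS:
            return {"error": "invalid_grant"}  # expired
        entry["redeemed"] = True  # burn the code before any token leaves the server
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def scenario():
    """Walk through the question's scenario with a controllable clock."""
    now = [1000.0]
    srv = AuthorizationServer(clock=lambda: now[0])
    code = srv.issue_code("web-app")
    # 1. The legitimate backend redeems the code as soon as the browser hands it over.
    first = srv.exchange(code, "web-app", "s3cret-backend-only")
    # 2. An attacker feeds the intercepted code to the same public backend endpoint, which
    #    forwards it with the real secret, but the code is already spent.
    replay = srv.exchange(code, "web-app", "s3cret-backend-only")
    # 3. A fresh code presented straight to the token endpoint without the client secret.
    direct = srv.exchange(srv.issue_code("web-app"), "web-app", "wrong-secret")
    # 4. A code that was never redeemed but outlived its TTL.
    stale = srv.issue_code("web-app")
    now[0] += CODE_TTL_SECONDS + 1
    expired = srv.exchange(stale, "web-app", "s3cret-backend-only")
    return first, replay, direct, expired
```

Only the first exchange yields a token; the replay through the backend, the direct call without the secret, and the stale code each come back as an error.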