I have an Angular App as a front-end client and a Rails back-end API. I'd like to access Asana's API and and would like to authorise it via the Angular App, so I'm following their OAuth process called Implicit Grant Flow.

After the authorisation process I get a access_token but when trying to use this code on Postman (in order to test the API call I'll implement on the back-end) I get an 401, not authorised code.

Is there a way I could get the user to authorise via the Angular and then exchange this access_token for a permanent to token/code to make subsequent calls on the backend?

If not, do I need to get the user to authorise this every time I need to access the API?

EDIT

Here's the screenshot of my attempts to use the access_token with Postman:

NOTE I've tried the above on Postman minutes after I had authorised the the app, so I'd imagine the token would be valid still.

I'd guess that the access_token expires before you get around to testing it. Access tokens are meant to be short-lived (Asana access tokens currently expire after one hour). If this is not the case could you please post the request you are making with Postman (with secrets redacted)?

If you want longer-lived authorizations, you should use the authorization code grant to get a refresh token instead of an access token. You can then exchange the refresh token for temporary access tokens when you need to access the API (the Asana client libraries handle this implicitly).