It’s OAuth 2.0 auth code flow in both cases. Normally the client returns an auth code via query params to the server, and the server exchanges the auth code for an access token using the client secret. When you use the JS SDK it’s instead the client that handles this process. Instead of using client secret it’s done with PKCE, and the server will only have to validate the token signature.
This might give you an idea how it works in JS: https://developers.onelogin.com/openid-connect/guides/auth-flow-pkce
