response_mode

In the /authorize request you need to follow our docs here

Each value for response_mode delivers different behavior:

  • form_post sends the token response as a form post instead of a fragment encoded redirect . In this mode, Authorization Response parameters are encoded as HTML form values that are auto-submitted in the User Agent, and thus are transmitted via the HTTP POST method to the Client, with the result parameters being encoded in the body using the application/x-www-form-urlencoded format. The action attribute of the form MUST be the Client's Redirection URI. The method of the form attribute MUST be POST
  • fragment - Parameters are encoded in the URL fragment added to the redirect_uri when redirecting back to the client. For web applications, we recommend using response_mode=form_post, to ensure the most secure transfer of tokens to your application.

Note:

Several merchants and integrator have reported their OpenID processes not to redirect to the correct URL, and for these it has been identified that form_post mitigates this issue.

If you are able to exchange codes and tokens using fragment that is also ok. MobilePay supports both.