When we send authorization code, we use ("#") instead of URL as parameter ("?"). For example: https://localhost:8080/mobilepay-authorized#code=af9fb6334....
with regards to the specification, it should be a parameter: https://tools.ietf.org/html/rfc6749#section-4.1.2
The reason why we use "#" is because, we use identityserver, and it is their default set-up. Moreover, we do not implement the whole OpenId specification.You can easily configure it with a response_mode like this:
form_post sends the token response as a form post instead of a fragment encoded redirect (optional)
Furthermore, it should also be more secure to have data as a fragment instead of query, because there is nobody that saves it and reads it