the Implicit Grant flow is done for java script clients and I think they are using ‘#’ instead of ‘?’ to not send the access token to server side of your redirect URL but it is still reach to javascript which is the client in our case may be for security reason “not sharing your access token over network may be unsecured like one used for redirect URL”