OAuth2.0 Implicit Grant flow. Why use url hash fragments?

情话喂你 2021-01-30 17:35

Going through the new OAuth2.0 specs (RFC 6749), I see that the Implicit Grant protocol workflow uses URL hash fragments to exchange the 'access_token' between the Authorisation

2 answers
  •  北恋 (original poster)
    2021-01-30 18:09

    The Implicit Grant flow is done for JavaScript clients, and I think they are using '#' instead of '?' so as not to send the access token to the server side of your redirect URL, but it still reaches JavaScript, which is the client in our case. Maybe it is for a security reason: "not sharing your access token over a network that may be unsecured, like the one used for the redirect URL".
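
The behaviour discussed in this thread, as an added example that is not part of the question or the answer: it compares what a user agent sends to the redirect endpoint for a fragment-based and a query-based redirect, then reads the token the way client-side script would. The host `client.example.com`, the token value and the function names are constructed for illustration; the parameter names are those of the RFC 6749 implicit grant response.

```javascript
// Constructed redirect URIs; host, token and state values are placeholders.
const FRAGMENT_REDIRECT =
  "https://client.example.com/cb#access_token=SAMPLE_TOKEN&token_type=bearer&expires_in=3600&state=xyz";
const QUERY_REDIRECT =
  "https://client.example.com/cb?access_token=SAMPLE_TOKEN&token_type=bearer&state=xyz";

// Request target the user agent sends when following the redirect:
// path + query only. The fragment is never put on the wire, so it does not
// reach the redirect endpoint's server or its access logs.
function requestTarget(redirectUrl) {
  const u = new URL(redirectUrl);
  return u.pathname + u.search;
}

// What client-side script can still read (location.hash in a browser).
// The state value is checked against the one the client sent in its request.
function parseImplicitResponse(redirectUrl, expectedState) {
  const u = new URL(redirectUrl);
  const params = new URLSearchParams(u.hash.replace(/^#/, ""));
  if (params.has("error")) {
    throw new Error("authorization error: " + params.get("error"));
  }
  if (params.get("state") !== expectedState) {
    throw new Error("state mismatch");
  }
  const token = params.get("access_token");
  if (!token) throw new Error("no access_token in fragment");
  return {
    accessToken: token,
    tokenType: params.get("token_type"),
    expiresIn: Number(params.get("expires_in")),
  };
}

// URL to leave in the address bar and history once the token has been read,
// so the token is not kept in bookmarks or copied links.
function scrubbed(redirectUrl) {
  const u = new URL(redirectUrl);
  u.hash = "";
  return u.toString();
}

console.log("fragment redirect, sent to server:", requestTarget(FRAGMENT_REDIRECT));
console.log("query redirect, sent to server:   ", requestTarget(QUERY_REDIRECT));
console.log("read by script:", parseImplicitResponse(FRAGMENT_REDIRECT, "xyz"));
console.log("after scrubbing:", scrubbed(FRAGMENT_REDIRECT));
```

In a browser the same parsing applies to `window.location.hash`, and `history.replaceState` is the usual way to apply the scrubbed URL without reloading the page.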
