400 - Invalid authorization code

It sounds like you are mixing up the Implicit Grant flow with the Auth Code flow.

With the Implicit flow, the user will be redirected to your redirect URI with an access token in the URL fragment, i.e. #access_token=... That is the token; there are no further steps than that. That auth flow is designed for client-side auth: it lasts for about 60 days but cannot be refreshed, and as it is a URL fragment the client doesn't automatically pass it to the server, so it is more useful for client-side requests.

The Auth Code flow, on the other hand, is for server-side requests. When the user is redirected there will be a URL param containing the code, i.e. ?code=... That code, being part of the URL parameters, is accessible by your server when the user makes the request, so the server can then exchange that code for an access token and refresh token. The access token will last about 4 hours, but the refresh token will allow you to use the Refresh Token endpoint, so you can programmatically get new tokens without needing the user to go through the process again.

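Added example, not code from the thread: a small Python sketch of the distinction the answer draws. It classifies the redirect that came back to your redirect URI (token in the fragment vs. code in the query string) and builds the form bodies for the code exchange and the Refresh Token endpoint per RFC 6749. The hostnames and token values are constructed, and sending client_id in the body is an assumption (some providers want HTTP Basic client auth instead).

```python
from urllib.parse import urlsplit, parse_qs


def classify_redirect(redirect_url: str) -> dict:
    """Work out which OAuth 2.0 flow produced a redirect back to our redirect URI.

    Implicit flow puts the access token in the URL fragment (#access_token=...),
    which browsers never send to the server. Auth Code flow puts a one-time code
    in the query string (?code=...), which the server does receive.
    """
    parts = urlsplit(redirect_url)
    query = parse_qs(parts.query)
    fragment = parse_qs(parts.fragment)
    if "access_token" in fragment:
        return {"flow": "implicit", "access_token": fragment["access_token"][0],
                "visible_to_server": False}
    if "code" in query:
        return {"flow": "authorization_code", "code": query["code"][0],
                "state": query.get("state", [None])[0], "visible_to_server": True}
    if "error" in query or "error" in fragment:
        err = (query.get("error") or fragment.get("error"))[0]
        return {"flow": "error", "error": err, "visible_to_server": "error" in query}
    raise ValueError("redirect carries neither a code nor an access token")


def build_code_exchange(code: str, redirect_uri: str, client_id: str) -> dict:
    """Form body for swapping an authorization code for access + refresh tokens
    (RFC 6749 section 4.1.3). redirect_uri must match the authorize request exactly.
    The code is single-use: the token endpoint rejects a code that was already exchanged,
    and it rejects a fragment access_token presented as if it were a code."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id}


def build_refresh(refresh_token: str, client_id: str) -> dict:
    """Form body for the Refresh Token endpoint (RFC 6749 section 6):
    a new access token with no user interaction."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": client_id}


def exchange_request_for(redirect_url: str, redirect_uri: str, client_id: str) -> dict:
    """Server-side helper: only an Auth Code redirect yields something exchangeable."""
    info = classify_redirect(redirect_url)
    if info["flow"] != "authorization_code":
        raise ValueError(f"{info['flow']} redirect has nothing the server can exchange")
    return build_code_exchange(info["code"], redirect_uri, client_id)
```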