That code is immeditely exchanged for an access token (by you)
That code can only be used with your Client Secret.
That code can only be used once.
The general advice is to grab that code, do stuff, and then auto redirect.
Then it avoids users F5-ing and getting an error as the code is used/now invalid