section 4.1.2
It’s be be transmitted as
“application/x-www-form-urlencoded”
Which means it’s a query parameter, (regardless of it being HTTP GET or POST)
Snippet from the Specification
4.1.2. Authorization Response
If the resource owner grants the access request, the authorization server issues an authorization code and delivers it to the client by adding the following parameters to the query component of the redirection URI using the “application/x-www-form-urlencoded” format, per Appendix B: