For single page apps, you don't want to send the access tokens to the backend server. Putting the access token in the query string will do that. So for single page apps, you'll want to use the hash fragment instead (https://mysite.com#access_token=xyz).

For web applications you might want to use a form post instead of the query string. The end result is the same (both post and querystring will be available in the req), but the main difference is that with a form post the access token is not exposed in the browser history etc...