OAuth 2.0 Life cycle of "code" in Authorization code Grant

code is short-lived one-time access token. once a it is exchanged for a access token, it should get marked as invalid.
for Kong issue its better to ask it here

Authorization Code must be short lived and should be one time use to avoid fake use. So to answer your questions

What is the life cycle of code?

• when the user authenticate using authorication_code flow, the once authenticated and granted access for scopes, an short lived (say 1 minute) valid code will be created and sent back to the redirect uri.

Is it for only one-time use?

• yes it must be one-time use for best security, when access token is requested using authorication_code, then either the request succeeds or failed (due to some validation error or server error), the authorization code must be deleted or marked as used(depending how you wanted to use it)

How many times can a code be exchanged to get access token?

• One authorization_code can grant only one access token, since the code will be revoked once an access token is issued.

What happen to a code after access token is given for that code?

Best practice, the code can be deleted

Check out google oauth2.0 documentations for better understanding and see how its used.

https://developers.google.com/identity/protocols/OAuth2WebServer

For Kong issue it seems its a bug in kong and they promised to give fix in 0.9 release. Check this discussion.