The Device Authorization Flow is an OAuth 2.0 grant type designed for internet-connected devices that lack a keyboard or easy input method, such as smart TVs, gaming consoles, or IoT hardware. Instead of entering credentials directly, the device requests a short-lived user code and a verification URI from the authorization server. The user must then visit that URI on a secondary device, like a smartphone or computer, to authenticate and authorize the request, after which the original device polls the server to receive the final access token.
Glossary
Device Authorization Flow

What is Device Authorization Flow?
An OAuth 2.0 grant type for devices with limited input capabilities.
This flow is formally defined in RFC 8628 and is essential for enabling secure, user-consented access for input-constrained clients. It maintains OAuth's core security principle of not sharing user passwords with the device while providing a usable alternative to the Authorization Code Flow. The protocol includes safeguards like short-lived user codes and device-specific polling to mitigate security risks inherent in this cross-device authentication pattern.
Key Characteristics of the Device Flow
The Device Authorization Flow is an OAuth 2.0 extension designed for devices with limited input capabilities, such as smart TVs, IoT appliances, or gaming consoles. It enables secure user authorization by leveraging a secondary, more capable device like a smartphone or computer.
Designed for Input-Constrained Devices
This flow is explicitly engineered for headless or input-constrained hardware where entering a username and password is impractical or impossible. Target devices include:
- Smart TVs and media streamers
- Internet of Things (IoT) appliances
- Gaming consoles
- Command-line tools
- Printers and embedded systems
The protocol shifts the complex authentication interaction to a secondary device with a full browser, solving the primary device's user interface limitations.
User Code and Verification URI
The core mechanism involves a two-part handoff. The authorization server provides two pieces of information to the device:
- User Code: A short, human-readable code (e.g.,
BDWD-HQPK). - Verification URI: A website address (e.g.,
https://example.com/device).
The device displays this information to the user. The user must then navigate to the Verification URI on a secondary device (like their phone), enter the User Code, and complete the standard OAuth 2.0 consent screen. This decouples the authentication ceremony from the constrained device.
Polling-Based Token Acquisition
After initiating the flow, the device client does not receive tokens directly. Instead, it must repeatedly poll the authorization server's token endpoint. The client sends its device_code and client_id in these polling requests.
The server responds with a pending status until the user completes the authorization on the secondary device. Upon successful user consent, the next poll returns the access token and optionally a refresh token. This polling model is necessary because the constrained device cannot receive an HTTP redirect.
Extended Device Code Lifetimes
Device and user codes have significantly longer expiration times compared to standard authorization codes. Typical specifications advise:
- User Code Expiration: 15-30 minutes, giving the user ample time to switch devices.
- Device Code Expiration: Can be longer, often matching the maximum user session time.
The polling interval is also dictated by the server, often via a interval parameter in the initial response (e.g., 5 seconds). Clients must honor this interval to avoid being rate-limited.
Security Considerations and Best Practices
While convenient, the flow introduces specific security vectors that must be mitigated:
- User Code Entropy: Codes must be sufficiently random and long enough to resist brute-force guessing.
- Short Verification URIs: The displayed URL should be short and easy to type. Using a static, well-known domain with a short path is common.
- Limited Activation Scope: The issued access token should be scoped specifically to the device and its intended use, following the principle of least privilege.
- User Verification: The consent screen on the secondary device should clearly display the requesting device's name and the permissions being granted.
Frequently Asked Questions
The Device Authorization Flow is a specialized OAuth 2.0 grant designed for devices with limited input capabilities. This FAQ addresses its core mechanics, security considerations, and implementation details for developers integrating AI agents and IoT systems.
The Device Authorization Flow (OAuth 2.0 Device Grant) is an OAuth 2.0 grant type designed for input-constrained devices, such as smart TVs, IoT appliances, or command-line tools, where direct user login is impractical. It works through a two-device handshake: the constrained device requests authorization and displays a short user code and verification URI; the user then visits that URI on a secondary device (like a smartphone) to authenticate and grant consent, after which the original device polls the authorization server to receive the access token.
Key Steps:
- Device Requests Authorization: The device calls the authorization server's
/device_authorizationendpoint, receiving adevice_code,user_code,verification_uri, andverification_uri_complete. - User Interaction on Secondary Device: The device displays the
user_codeandverification_uri. The user navigates to the URI on a browser-capable device, enters the code, authenticates, and consents. - Device Polls for Token: The device repeatedly polls the authorization server's
/tokenendpoint using itsdevice_codeandclient_iduntil the user completes the action, at which point it receives the access token and optionally a refresh token.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
The Device Authorization Flow exists within a broader ecosystem of authentication and authorization protocols. These related mechanisms define how clients, users, and services establish trust and permission in different technical contexts.
Authorization Code Flow
The standard OAuth 2.0 grant for server-side web applications. The client redirects the user to an authorization server, which returns an authorization code to a pre-registered redirect URI. The client then exchanges this code for an access token securely on the backend.
- Primary Use Case: Traditional web applications with a server-side component.
- Key Security Feature: The access token is never exposed to the user's browser.
- Contrast with Device Flow: Designed for user-facing applications where the user can directly interact with a browser on the same device.
Proof Key for Code Exchange (PKCE)
An extension to the Authorization Code flow designed to secure public clients—like mobile and single-page apps—that cannot store a client secret. The client creates a code verifier and a derived code challenge. The authorization server binds the issued authorization code to this challenge, preventing interception attacks.
- Mitigates Threat: Authorization code interception.
- Essential For: Native mobile apps and JavaScript-based SPAs.
- Relation to Device Flow: Both are designed for clients where secret storage is insecure, but PKCE assumes the user can interact with a browser on the same device.
Client Credentials Flow
An OAuth 2.0 grant for machine-to-machine (M2M) communication where the client acts on its own behalf, not a user's. The client authenticates with its client ID and secret (or certificate) to directly obtain an access token for its own resources.
- Primary Use Case: Service account access, backend API communication.
- No User Involvement: The entire flow occurs between the client and authorization server.
- Contrast with Device Flow: Represents the opposite end of the spectrum—no user interaction versus requiring user interaction on a secondary device.
Resource Owner Password Credentials Flow
A legacy OAuth 2.0 grant where the client application collects the user's username and password and exchanges them directly for an access token. This flow is highly discouraged due to security risks, as it requires the user to trust the client with their credentials.
- High Risk: Client sees plaintext passwords, increasing attack surface.
- Limited Use: Only for highly-trusted first-party clients (e.g., a company's own mobile app).
- Contrast with Device Flow: Device Flow is explicitly designed for scenarios where entering a password on the device is infeasible or insecure, avoiding credential exposure to the constrained device.
Refresh Token
A long-lived credential issued alongside an access token that allows a client to obtain new access tokens without requiring the user to re-authenticate. Refresh tokens are a core component of OAuth 2.0 that enable persistent access within a session.
- Lifetime Management: Enables short-lived access tokens for security while maintaining user session.
- Security Consideration: Must be stored securely by the client; their issuance is often restricted to confidential clients.
- In Device Flow: The device client can use a refresh token (if granted) to poll for new access tokens, maintaining access after the initial user authorization.
User Code & Verification URI
The core interactive components of the Device Authorization Flow. After initiation, the authorization server returns a short, human-readable user code (e.g., ABCD-EFGH) and a verification URI (often a short URL).
- User Experience: The device displays this code and URI. The user navigates to the URI on a secondary device (like a smartphone), enters the code, and authenticates.
- Polling Mechanism: While the user completes this step, the constrained device polls the authorization server's token endpoint until authorization is granted or denied.
- Design Purpose: Bridges the gap between an input-constrained device and a full authentication interface.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us