Inferensys

Glossary

Device Authorization Flow

Device Authorization Flow is an OAuth 2.0 grant type designed for devices with limited input capabilities, where the device displays a user code for authorization on a secondary device.
Modern WeWork hardware lab area with product team collaborating around AI device prototypes, 3D printer in background, dramatic industrial lighting with product sketches on glass walls.
API AUTHENTICATION FLOWS

What is Device Authorization Flow?

An OAuth 2.0 grant type for devices with limited input capabilities.

The Device Authorization Flow is an OAuth 2.0 grant type designed for internet-connected devices that lack a keyboard or easy input method, such as smart TVs, gaming consoles, or IoT hardware. Instead of entering credentials directly, the device requests a short-lived user code and a verification URI from the authorization server. The user must then visit that URI on a secondary device, like a smartphone or computer, to authenticate and authorize the request, after which the original device polls the server to receive the final access token.

This flow is formally defined in RFC 8628 and is essential for enabling secure, user-consented access for input-constrained clients. It maintains OAuth's core security principle of not sharing user passwords with the device while providing a usable alternative to the Authorization Code Flow. The protocol includes safeguards like short-lived user codes and device-specific polling to mitigate security risks inherent in this cross-device authentication pattern.

OAUTH 2.0 GRANT TYPE

Key Characteristics of the Device Flow

The Device Authorization Flow is an OAuth 2.0 extension designed for devices with limited input capabilities, such as smart TVs, IoT appliances, or gaming consoles. It enables secure user authorization by leveraging a secondary, more capable device like a smartphone or computer.

01

Designed for Input-Constrained Devices

This flow is explicitly engineered for headless or input-constrained hardware where entering a username and password is impractical or impossible. Target devices include:

  • Smart TVs and media streamers
  • Internet of Things (IoT) appliances
  • Gaming consoles
  • Command-line tools
  • Printers and embedded systems

The protocol shifts the complex authentication interaction to a secondary device with a full browser, solving the primary device's user interface limitations.

02

User Code and Verification URI

The core mechanism involves a two-part handoff. The authorization server provides two pieces of information to the device:

  • User Code: A short, human-readable code (e.g., BDWD-HQPK).
  • Verification URI: A website address (e.g., https://example.com/device).

The device displays this information to the user. The user must then navigate to the Verification URI on a secondary device (like their phone), enter the User Code, and complete the standard OAuth 2.0 consent screen. This decouples the authentication ceremony from the constrained device.

03

Polling-Based Token Acquisition

After initiating the flow, the device client does not receive tokens directly. Instead, it must repeatedly poll the authorization server's token endpoint. The client sends its device_code and client_id in these polling requests.

The server responds with a pending status until the user completes the authorization on the secondary device. Upon successful user consent, the next poll returns the access token and optionally a refresh token. This polling model is necessary because the constrained device cannot receive an HTTP redirect.

04

Extended Device Code Lifetimes

Device and user codes have significantly longer expiration times compared to standard authorization codes. Typical specifications advise:

  • User Code Expiration: 15-30 minutes, giving the user ample time to switch devices.
  • Device Code Expiration: Can be longer, often matching the maximum user session time.

The polling interval is also dictated by the server, often via a interval parameter in the initial response (e.g., 5 seconds). Clients must honor this interval to avoid being rate-limited.

05

Security Considerations and Best Practices

While convenient, the flow introduces specific security vectors that must be mitigated:

  • User Code Entropy: Codes must be sufficiently random and long enough to resist brute-force guessing.
  • Short Verification URIs: The displayed URL should be short and easy to type. Using a static, well-known domain with a short path is common.
  • Limited Activation Scope: The issued access token should be scoped specifically to the device and its intended use, following the principle of least privilege.
  • User Verification: The consent screen on the secondary device should clearly display the requesting device's name and the permissions being granted.
DEVICE AUTHORIZATION FLOW

Frequently Asked Questions

The Device Authorization Flow is a specialized OAuth 2.0 grant designed for devices with limited input capabilities. This FAQ addresses its core mechanics, security considerations, and implementation details for developers integrating AI agents and IoT systems.

The Device Authorization Flow (OAuth 2.0 Device Grant) is an OAuth 2.0 grant type designed for input-constrained devices, such as smart TVs, IoT appliances, or command-line tools, where direct user login is impractical. It works through a two-device handshake: the constrained device requests authorization and displays a short user code and verification URI; the user then visits that URI on a secondary device (like a smartphone) to authenticate and grant consent, after which the original device polls the authorization server to receive the access token.

Key Steps:

  1. Device Requests Authorization: The device calls the authorization server's /device_authorization endpoint, receiving a device_code, user_code, verification_uri, and verification_uri_complete.
  2. User Interaction on Secondary Device: The device displays the user_code and verification_uri. The user navigates to the URI on a browser-capable device, enters the code, authenticates, and consents.
  3. Device Polls for Token: The device repeatedly polls the authorization server's /token endpoint using its device_code and client_id until the user completes the action, at which point it receives the access token and optionally a refresh token.
Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.