← All Tools

OAuth 2.0 Device Authorization Flow Builder

The Device Authorization grant (RFC 8628) is how smart TVs, CLIs, and IoT devices log a user in without a browser of their own. The device asks the authorization server for a user_code, displays it (often as a QR code), and polls a token endpoint until the user finishes approving on their phone. Configure the request below to inspect every step and copy ready-to-run snippets.

Provider preset:

Device Authorization endpoint

Token endpoint

client_id

scope

client_secret (only for confidential clients)

Most device-flow clients are public — never ship a real secret in firmware or a desktop CLI. Native confidential clients use it; SPAs/CLIs do not.

Simulated response (for previewing step 3)

user_code

verification_uri

expires_in (sec)

interval (sec)

1POST device_authorization request

The device sends a application/x-www-form-urlencoded request with its client_id and the scopes it wants.

Wire

curl

JavaScript fetch()

2Server response

A JSON object with the user-facing user_code and the back-channel device_code you'll exchange in step 4. Some providers also include verification_uri_complete, a URL that pre-fills the code — perfect for a QR code.

Example response body

device_code	Long-lived, opaque secret. Sent only between device and server. Never shown to user.
user_code	Short, easy-to-type code (typically 8 chars + hyphen). Shown on the device's screen.
verification_uri	URL the user types into a separate browser. They will then enter the `user_code` manually.
verification_uri_complete	Same URL with `?user_code=…` pre-filled. Skip the typing step — encode this in the QR code.
expires_in	How long the `device_code` remains valid (seconds). Stop polling after this.
interval	Minimum seconds between token-endpoint polls. Increase this if you get `slow_down`.

3Display the user code

Show the user_code prominently. Add a QR code of verification_uri_complete so users with a phone don't have to type at all.

User code

WDJB-MJHT

Visit https://www.google.com/device
and enter the code above.

Pre-filled URL: —

QR code (verification_uri_complete)

Scan with a phone to skip the typing step entirely.

4Poll the token endpoint

Repeat this POST every interval seconds until the user finishes approving (or the device code expires). The grant type is the URN form, not device_code.

Wire (per poll)

curl

Polling loop (JS)

Expected error responses while polling

`authorization_pending`	User hasn't acted yet. Keep polling at the same interval.
`slow_down`	Polling too fast. Add 5 seconds to the interval and continue (RFC 8628 §3.5).
`access_denied`	User clicked Deny. Stop polling. Show "approval declined" on the device.
`expired_token`	`device_code` expired before the user finished. Restart at step 1.
200 with tokens	Success — store `access_token` and (if requested) `refresh_token` and `id_token`.

5Polling timeline (simulated)

A sketch of what the polling loop looks like given the configured interval and expires_in. Drag the "user approves at" slider to see when the loop succeeds.

User approves at (28s after device code issued)

Inject slow_down at poll #

0 = no slow_down. Set to N to simulate the server returning slow_down on poll N (the loop will then add 5s).

Implementation notes

Discover endpoints from /.well-known/openid-configuration. Look for device_authorization_endpoint and token_endpoint. Some providers (e.g. older Auth0 tenants) hide the device endpoint behind feature flags.
Always include client_id on the token POST — RFC 8628 §3.4 keeps the client identifier on every poll. Public clients omit client_secret.
Add jitter and capped backoff. Even though slow_down tells you when to add 5s, jittering helps avoid synchronized polling storms on shared NATs.
Display the URL and the QR code. Not everyone has a phone camera handy; not everyone wants to type. Surface both.
Handle expired_token gracefully. Reset state, request a new device code, and let the user start over without restarting the whole app.
Refresh tokens are not guaranteed. Some providers require access_type=offline or the offline_access scope to issue one. Plan for re-doing the device flow when the access token expires if no refresh token is returned.