API OAuth Device Authorization Flow

Status: public · Confidence: medium (0.865) · Basis: verified_sources

## TL;DR

The OAuth device authorization flow lets CLIs, TVs, appliances, and other constrained clients obtain authorization through a separate browser-capable device.

## Core Explanation

In a device flow, the client asks the authorization server's device authorization endpoint for a device code and a user code, shows the user the verification URI together with the user code to enter there, and polls the token endpoint (at no more than the advertised interval) until the user completes authorization, denies it, or the code expires.

Agents should inspect client ID, requested scopes, verification URI, user-code expiry, polling interval, device-code status, and tenant restrictions before diagnosing auth failures in command-line or headless tools.
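The exchange described above, as an added example that is not code from RFC 8628, Microsoft, GitHub or Google: an in-memory authorization server exposing the device authorization and token endpoints, a polling client that honours `interval` and backs off on `slow_down`, and a fake clock so it runs offline. The client ID `cli-tool`, the scopes, the `https://auth.example/device` URI and the 600-second lifetime are all constructed; the error codes (`authorization_pending`, `slow_down`, `access_denied`, `expired_token`) are the ones RFC 8628 defines, and the `demo()` scenarios exercise exactly the fields listed above (client ID, scopes, expiry, interval, device-code status).

```python
"""Simulated RFC 8628 device authorization flow (added example, constructed data)."""
import secrets
from dataclasses import dataclass
from typing import Optional

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # consonants only: easy to read out and type


class FakeClock:
    """Deterministic clock; sleep() just advances time so the example runs instantly."""
    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


@dataclass
class DeviceGrant:
    client_id: str
    scope: str
    user_code: str
    expires_at: float
    interval: int             # minimum seconds between polls
    status: str = "pending"   # pending | authorized | denied
    last_poll: Optional[float] = None


class AuthorizationServer:
    VERIFICATION_URI = "https://auth.example/device"  # constructed

    def __init__(self, allowed_scopes, clock):
        self.allowed_scopes = allowed_scopes  # client_id -> set of scopes it may request
        self.clock = clock
        self.grants = {}  # device_code -> DeviceGrant

    def device_authorization(self, client_id, scope):
        """Device authorization endpoint: issue device_code + user_code (RFC 8628 3.1/3.2)."""
        if client_id not in self.allowed_scopes:
            return {"error": "invalid_client"}
        if not set(scope.split()) <= self.allowed_scopes[client_id]:
            return {"error": "invalid_scope"}
        device_code = secrets.token_urlsafe(32)  # high entropy; never shown to the user
        user_code = "-".join("".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4))
                             for _ in range(2))
        self.grants[device_code] = DeviceGrant(client_id, scope, user_code,
                                               self.clock.now() + 600, 5)
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.VERIFICATION_URI, "expires_in": 600, "interval": 5}

    def user_decides(self, user_code, approve):
        """The user, on a browser-capable device, enters the code and approves or denies."""
        for grant in self.grants.values():
            if grant.user_code == user_code and grant.status == "pending":
                grant.status = "authorized" if approve else "denied"
                return True
        return False

    def token(self, client_id, device_code):
        """Token endpoint with the device-flow error codes (RFC 8628 3.4/3.5)."""
        grant = self.grants.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        t = self.clock.now()
        if t >= grant.expires_at:
            del self.grants[device_code]
            return {"error": "expired_token"}
        if grant.last_poll is not None and t - grant.last_poll < grant.interval:
            return {"error": "slow_down"}  # client polled faster than the advertised interval
        grant.last_poll = t
        if grant.status == "pending":
            return {"error": "authorization_pending"}
        del self.grants[device_code]  # a device code is single use whatever the outcome
        if grant.status == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "scope": grant.scope}


def run_device_client(server, clock, client_id, scope, before_poll=lambda n, code: None):
    """Polling client. before_poll(n, user_code) simulates the user acting in the browser.
    Returns (outcome, events); events lists every token-endpoint response in order."""
    resp = server.device_authorization(client_id, scope)
    if "error" in resp:
        return resp["error"], [resp["error"]]
    # A real CLI would now print: f"Visit {resp['verification_uri']} and enter {resp['user_code']}"
    interval, deadline, events, n = resp["interval"], clock.now() + resp["expires_in"], [], 0
    while clock.now() < deadline:  # never poll forever: stop once the code must have expired
        before_poll(n, resp["user_code"])
        tok = server.token(client_id, resp["device_code"])
        n += 1
        if "error" not in tok:
            events.append("token")
            return "token", events
        events.append(tok["error"])
        if tok["error"] == "slow_down":
            interval += 5  # RFC 8628 section 3.5: add 5 seconds to the polling interval
        elif tok["error"] != "authorization_pending":
            return tok["error"], events  # access_denied, expired_token, invalid_grant: stop
        clock.sleep(interval)
    return "expired_token", events


def impatient_client(server, clock, client_id, scope):
    """A client that ignores the interval: its second immediate poll is told to slow down."""
    resp = server.device_authorization(client_id, scope)
    first = server.token(client_id, resp["device_code"])["error"]
    second = server.token(client_id, resp["device_code"])["error"]
    return first, second


def demo():
    clock = FakeClock()
    server = AuthorizationServer({"cli-tool": {"repo", "read:user"}}, clock)  # constructed client

    def approve_on_third_poll(n, code):
        if n == 2:
            server.user_decides(code, True)

    def deny_on_second_poll(n, code):
        if n == 1:
            server.user_decides(code, False)

    return {
        "approved": run_device_client(server, clock, "cli-tool", "repo", approve_on_third_poll),
        "denied": run_device_client(server, clock, "cli-tool", "repo", deny_on_second_poll),
        "expired": run_device_client(server, clock, "cli-tool", "repo"),      # user never acts
        "bad_scope": run_device_client(server, clock, "cli-tool", "admin"),   # scope not allowed
        "impatient": impatient_client(server, clock, "cli-tool", "repo"),
    }
```

When diagnosing a failing CLI login against a real provider, the same five scenarios are the ones to rule out in order: the client ID or scope is rejected at the device authorization endpoint, the user never completes (or denies) the prompt, the code expires before the poll sees the approval, or the tool polls faster than `interval` and is throttled with `slow_down`.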

## Source-Mapped Facts

- RFC 8628 defines a device authorization endpoint that is separate from the OAuth authorization endpoint used by a browser user agent. ([source](https://datatracker.ietf.org/doc/html/rfc8628))
- Microsoft identity platform documentation describes the OAuth 2.0 device authorization grant for devices that are input constrained or lack a browser. ([source](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-device-code))
- GitHub documentation describes a device flow for authorizing OAuth apps on devices or command-line tools. ([source](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow))

## Further Reading

- [RFC 8628 OAuth 2.0 Device Authorization Grant](https://datatracker.ietf.org/doc/html/rfc8628)
- [Google OAuth for Limited-Input Devices](https://developers.google.com/identity/protocols/oauth2/limited-input-device)
- [GitHub OAuth Device Flow](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow)