First, the client makes a request to the authorization server to obtain a device code.
```
POST /token HTTP/1.1
Host: authorization-server.com
Content-type: application/x-www-form-urlencoded

client_id=a17c21ed
```
Note that some authorization servers will allow the device to specify a scope in this request, which will be shown to the user later on the authorization interface.
The authorization server responds with a JSON payload containing the device code, the code the user will enter, the URL the user should visit, and a polling interval.
```
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
  "device_code": "NGU5OWFiNjQ5YmQwNGY3YTdmZTEyNzQ3YzQ1YSA",
  "user_code": "BDWP-HQPK",
  "verification_uri": "https://authorization-server.com/device",
  "interval": 5,
  "expires_in": 1800
}
```
The device shows the verification_uri and user_code to the user on its display, directing the user to enter the code at that URL.
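The exchange above from the device's side, as an added example that is not part of the original page: it builds the request body, validates the response fields before anything is shown to the user, and separates what goes on the display from what the device keeps to itself. The function names and the `now` parameter are hypothetical, the https check on verification_uri is a hardening choice of this example, and the fallback interval of 5 seconds is the default RFC 8628 specifies when the server omits it.

```python
import json
from urllib.parse import urlencode, urlsplit

REQUIRED = ("device_code", "user_code", "verification_uri", "expires_in")

# Constructed input: the sample response body shown above.
SAMPLE = """{
  "device_code": "NGU5OWFiNjQ5YmQwNGY3YTdmZTEyNzQ3YzQ1YSA",
  "user_code": "BDWP-HQPK",
  "verification_uri": "https://authorization-server.com/device",
  "interval": 5,
  "expires_in": 1800
}"""

def build_device_request(client_id, scope=None):
    """Form-encoded body of the device code request (hypothetical helper)."""
    params = {"client_id": client_id}
    if scope:  # only some authorization servers accept a scope here
        params["scope"] = scope
    return urlencode(params)

def parse_device_response(body, now):
    """Validate the JSON payload; return what the device needs next."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("response must be a JSON object")
    missing = [k for k in REQUIRED if k not in data]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    uri = urlsplit(data["verification_uri"])
    if uri.scheme != "https" or not uri.netloc:  # hardening choice of this example
        raise ValueError("verification_uri must be an https URL")
    interval = data.get("interval", 5)  # RFC 8628 default when absent
    for name, value in (("expires_in", data["expires_in"]), ("interval", interval)):
        if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
            raise ValueError(f"{name} must be a positive integer")
    return {
        "device_code": data["device_code"],  # used by the device only, never displayed
        "prompt": f"Visit {data['verification_uri']} and enter code {data['user_code']}",
        "poll_every": interval,
        "deadline": now + data["expires_in"],
    }

if __name__ == "__main__":
    import time
    print(build_device_request("a17c21ed"))
    print(parse_device_response(SAMPLE, now=int(time.time()))["prompt"])
```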