Authorization Request

16.2

First, the client makes a request to the authorization server to request the device code.

POST /token HTTP/1.1
Host: authorization-server.com
Content-type: application/x-www-form-urlencoded

client_id=a17c21ed

Note that some authorization servers will allow the device to specify a scope in this request, which will be shown to the user later on the authorization interface.

The authorization server responds with a JSON payload containing the device code, the code the user will enter, the URL the user should visit, and a polling interval.

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
{
    "device_code": "NGU5OWFiNjQ5YmQwNGY3YTdmZTEyNzQ3YzQ1YSA",
    "user_code": "BDWP-HQPK",
    "verification_uri": "https://authorization-server.com/device",
    "interval": 5,
    "expires_in": 1800
}

The device shows the verification_uri and user_code to the user
on its display, directing the user to enter the code at that URL.