# Device authorization

Initiates the device flow (see OAuth 2.0 Device Authorization Grant, RFC 8628). The call returns a user code and a verification URI so the user can approve or deny access on a separate device. It also returns a device code, which is used to obtain the token.

Endpoint: POST /oidc/device/auth

## Request fields (application/x-www-form-urlencoded):

  - `client_id` (string, required)
    Client ID for which authentication is requested.

  - `client_secret` (string, required)
    Client secret.

  - `scope` (string, required)
    Scope of the requested access. Used to request specific user details like email. Must include `openid` and can include additional values (space delimited). The `offline_access` scope allows refreshing access tokens.
    Enum: "openid", "email", "phone", "offline_access"

  - `acr_values` (string, required)
    Requested ACR values, specified as a space-separated string. The acr claim of the resulting ID token will indicate which requirements were satisfied.
    Enum: "urn:transmit:google_direct", "urn:transmit:apple_direct", "urn:transmit:facebook_direct", "urn:transmit:line_direct", "urn:transmit:centralized"

  - `loginType` (string)
    Authentication method to be used for this process, where `centralized` is used to request authentication via the Authentication Hub.
    Enum: "google-direct", "apple-direct", "facebook-direct", "webauthn-direct", "line-direct", "centralized"

## Response 200 fields (application/json):

  - `device_code` (string, required)
    The device code to be used to obtain a token.

  - `user_code` (string, required)
    The user code to be displayed to the user.

  - `verification_uri` (string)
    The URI that verifies the user submitted a valid user code on the input page.

  - `verification_uri_complete` (string)
    (Recommended) The URI with embedded user code that verifies if the user code is valid while skipping the input page.

  - `expires_in` (integer, required)
    The number of seconds before the device_code expires.

## Response 400 fields (application/json):

  - `message` (array, required)
    Example: "Bad request"

  - `error_code` (number, required)
    Example: 400

## Response 500 fields (application/json):

  - `message` (string, required)
    Example: "Something went wrong - Internal server error"

  - `error_code` (number, required)
    Example: 500
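
The request and 200 response described above, as an added Python example (not part of the original reference or any vendor SDK): it builds the form body for `POST /oidc/device/auth` and validates the response before anything is shown to the user. The credentials, the `idp.example` host, the sample response values and the HTTPS-only check on verification URIs are assumptions made for illustration.

```python
import json
import time
from urllib.parse import urlencode, urlparse

ALLOWED_SCOPES = {"openid", "email", "phone", "offline_access"}  # Enum from this page
REQUIRED_FIELDS = ("device_code", "user_code", "expires_in")     # "required" on this page
# Constructed sample 200 response (placeholder values, not real server output).
SAMPLE_RESPONSE = json.dumps({
    "device_code": "EXAMPLE-DEVICE-CODE", "user_code": "ABCD-EFGH", "expires_in": 600,
    "verification_uri": "https://idp.example/device",
})

def build_device_auth_body(client_id, client_secret, scopes, acr_values):
    """Return the form-encoded body for POST /oidc/device/auth."""
    scopes = list(scopes)
    unknown = set(scopes) - ALLOWED_SCOPES
    if unknown:
        raise ValueError(f"unsupported scope(s): {sorted(unknown)}")
    if "openid" not in scopes:
        raise ValueError("scope must include openid")
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(scopes),            # space delimited
        "acr_values": " ".join(acr_values),   # space separated
    })

def parse_device_auth_response(raw_json, now=None):
    """Validate a 200 response; return what the device must display and store."""
    data = json.loads(raw_json)
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise ValueError(f"response missing required field(s): {missing}")
    expires_in = data["expires_in"]
    if type(expires_in) is not int or expires_in <= 0:
        raise ValueError("expires_in must be a positive integer")
    # Assumed client policy: only show verification links served over HTTPS.
    links = {k: data[k] for k in ("verification_uri", "verification_uri_complete")
             if data.get(k)}
    if any(urlparse(u).scheme != "https" for u in links.values()):
        raise ValueError("verification URI is not https")
    now = time.time() if now is None else now
    return {
        "device_code": data["device_code"],  # keep on the device; do not display or log
        "user_code": data["user_code"],      # shown to the user
        "expires_at": now + expires_in,      # absolute deadline for device_code
        **links,
    }
```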


