Deepak Gupta

Device Authorization Grant

Device Code Flow.

An OAuth 2.0 flow (RFC 8628) for input-constrained devices, the device displays a code, the user authenticates on a separate device, and the original device polls until authorized.

Device Code Flow is the right choice when the user has a separate device with a browser. CIBA is the right choice when the user does not, the IdP delivers the auth challenge directly to the user's known device. For CLI authentication, Device Code is the dominant pattern; for IVR / call-center, CIBA is.

Common questions

When should I use Device Code Flow?

How is Device Code different from CIBA?

Is Device Code Flow secure?

Related terms

In the guides

OAuth 2.1 Explained: What Changed and Why It Matters
OAuth 2.1 consolidates fifteen years of OAuth 2.0 practice into a single coherent specification. What it deprecates, what it requires, and how to migrate existing OAuth 2.0 code.