OAuth Device Authorisation
Start the OAuth 2.0 Device Authorization Grant for clients that cannot receive a browser redirect directly, such as CLIs, terminals, and desktop tools.

The `scope` parameter follows OAuth 2.0 and is optional. Storyden applies additional client policy after parsing the request:

- Built-in first-party device clients, such as the default Storyden CLI client, must request exactly `openid profile offline_access`. On approval Storyden expands the issued scope to the approving account's current permissions.
- Third-party explicit-scope clients may omit `scope`; omitted scope means no requested scopes.

`verification_uri` and `verification_uri_complete` point at the configured frontend consent page, not at an API-rendered HTML page. Custom frontends can change this URL with `OAUTH_DEVICE_AUTHORISATION_CONSENT_URL`.
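A client-side check for the scope policy and verification URLs described above, as an added example that is not Storyden's own code. The helper names and the `consent_origin` parameter (the frontend origin the operator configured) are assumptions; the 5-second polling default comes from RFC 8628.

```python
from json import loads
from urllib.parse import urlencode, urlsplit

FIRST_PARTY_SCOPE = "openid profile offline_access"  # exact value from this page


def build_request_body(client_id, scope=None, first_party=False):
    """Form-encode the request body; hypothetical helper, not a Storyden API."""
    if first_party and scope != FIRST_PARTY_SCOPE:
        raise ValueError("first-party device clients must request exactly "
                         + repr(FIRST_PARTY_SCOPE))
    params = {"client_id": client_id}
    if scope is not None:  # omitted scope means no requested scopes
        params["scope"] = scope
    return urlencode(params)


def _origin(url):
    """(scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def parse_response(raw, consent_origin):
    """Validate the JSON response before showing a link or code to the user.

    consent_origin is an assumption: the frontend origin the operator
    configured, which the client pins instead of trusting the response.
    """
    body = loads(raw)
    if body.get("error"):  # the response schema carries `error` beside the codes
        raise RuntimeError("device authorization failed: " + str(body["error"]))
    for field in ("device_code", "user_code", "verification_uri"):
        if not isinstance(body.get(field), str) or not body[field]:
            raise ValueError("missing field: " + field)
    for field in ("verification_uri", "verification_uri_complete"):
        url = body.get(field)
        if url is not None and _origin(url) != _origin(consent_origin):
            raise ValueError(field + " is not on the expected consent origin")
    if not isinstance(body.get("expires_in"), int) or body["expires_in"] <= 0:
        raise ValueError("expires_in must be a positive integer")
    # RFC 8628: poll no faster than `interval` seconds; default to 5 if absent or zero.
    body["interval"] = max(int(body.get("interval") or 5), 1)
    return body
```

Pinning the consent origin means a response that points the user at a different host is rejected before any link or code is displayed.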
`/oauth/device_authorization`

Request Body

`application/x-www-form-urlencoded`

Response Body

`application/json`

```bash
curl -X POST "https://loading/api/oauth/device_authorization" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'client_id=string'
```

```json
{
  "device_code": "string",
  "user_code": "string",
  "verification_uri": "http://example.com",
  "verification_uri_complete": "http://example.com",
  "expires_in": 0,
  "interval": 0,
  "error": "string"
}
```

```json
{
  "error": "string",
  "error_description": "string"
}
```

```json
{
  "error": "string",
  "message": "string",
  "suggested": "string",
  "metadata": {}
}
```

OAuth Client Update PATCH
Update an OAuth client created by the authenticated account. Allowed scopes must remain within the authenticated account's current permissions. If the account has `ADMINISTRATOR`, it may configure any Storyden permission scope because `ADMINISTRATOR` implicitly grants all permissions. Changing allowed scopes affects future grants and refreshes but does not immediately invalidate already-issued JWT access tokens.
OAuth Device Consent GET
Read a pending OAuth device authorisation request for a signed-in user before they approve or deny consent in the frontend. This is a Storyden frontend/API integration endpoint, not an OAuth protocol endpoint. The API never renders the consent UI directly. A frontend reads this JSON, displays the client and scopes, then submits the user's decision. Reading consent claims the user code for the signed-in account. This prevents another account from approving the same code after it has been displayed.