OAuth Device Consent
Read a pending OAuth device authorisation request for a signed-in user before they approve or deny consent in the frontend.
This is a Storyden frontend/API integration endpoint, not an OAuth protocol endpoint. The API never renders the consent UI directly. A frontend reads this JSON, displays the client and scopes, then submits the user's decision.
Reading consent claims the user code for the signed-in account. This prevents another account from approving the same code after it has been displayed.
GET /oauth/device/consent
Authorization
browser In: cookie
Query Parameters
OAuth device authorisation user code.
curl -X GET "https://loading/api/oauth/device/consent"
Response Body
application/json
{
  "user_code": "string",
  "client_id": "string",
  "client_name": "string",
  "expires_at": "2019-08-24T14:15:22Z",
  "requested_scopes": [
    "string"
  ],
  "granted_scopes": [
    "string"
  ],
  "inherits_user_permissions": true
}
application/json
{
  "error": "string",
  "error_description": "string"
}
application/json
{
  "error": "string",
  "message": "string",
  "suggested": "string",
  "metadata": {}
}
OAuth Device Authorisation POST
Start the OAuth 2.0 Device Authorization Grant for clients that cannot receive a browser redirect directly, such as CLIs, terminals, and desktop tools.
The `scope` parameter follows OAuth 2.0 and is optional. Storyden applies additional client policy after parsing the request:
- Built-in first-party device clients, such as the default Storyden CLI client, must request exactly `openid profile offline_access`. On approval Storyden expands the issued scope to the approving account's current permissions.
- Third-party explicit-scope clients may omit `scope`; omitted scope means no requested scopes.
`verification_uri` and `verification_uri_complete` point at the configured frontend consent page, not at an API-rendered HTML page. Custom frontends can change this URL with `OAUTH_DEVICE_AUTHORISATION_CONSENT_URL`.
OAuth Device Consent Submit POST
Approve or deny a pending OAuth device authorisation request for the currently signed-in account. On approval Storyden recomputes the granted scope from the current account permissions and client policy. For first-party inherited clients this means the final token scope may include Storyden permission scopes that were not present in the original device authorisation request.
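An added example (not Storyden's own code) of how a consent page could turn the consent JSON above into a view model: it treats client-supplied strings as untrusted, refuses to offer approval after `expires_at`, and surfaces scopes in `granted_scopes` that were not in `requested_scopes`. The function names and sample values are hypothetical, and it assumes `granted_scopes` previews what approval would issue.

```javascript
// Added example, not Storyden code: build a consent-page view model from the consent JSON.
// Field names are from the response body on this page; function names are hypothetical.

// Client-supplied strings are untrusted: drop control and bidi characters, cap the length.
function safeLabel(value, max = 64) {
  if (typeof value !== "string") return "";
  const hidden = /[\u0000-\u001f\u007f-\u009f\u200e\u200f\u202a-\u202e\u2066-\u2069]/g;
  return value.replace(hidden, "").trim().slice(0, max);
}

// Accept only an array of non-empty strings; de-duplicate it.
function scopeList(value) {
  if (!Array.isArray(value) || !value.every((s) => typeof s === "string" && s.length > 0)) {
    throw new TypeError("scope list must be an array of non-empty strings");
  }
  return [...new Set(value)];
}

function buildConsentView(consent, now = new Date()) {
  const expiresAt = new Date(consent.expires_at);
  if (Number.isNaN(expiresAt.getTime())) throw new TypeError("expires_at is not a valid timestamp");
  const requested = new Set(scopeList(consent.requested_scopes));
  const granted = scopeList(consent.granted_scopes);
  const expired = expiresAt.getTime() <= now.getTime();
  return {
    userCode: safeLabel(consent.user_code),
    clientName: safeLabel(consent.client_name) || "(unnamed client)",
    clientId: safeLabel(consent.client_id, 128),
    // Assumption: granted_scopes previews what approval would issue, so show it in full.
    scopesToShow: granted,
    // Scopes the token would carry that the client did not request explicitly.
    beyondRequest: granted.filter((s) => !requested.has(s)),
    inheritsUserPermissions: consent.inherits_user_permissions === true,
    expired,
    canApprove: !expired, // keep the approve button disabled once the request has expired
  };
}

// Constructed sample response; values are illustrative only.
const SAMPLE_CONSENT = {
  user_code: "ABCD-EFGH",
  client_id: "example-cli",
  client_name: "Example\u202e CLI",
  expires_at: "2030-01-01T00:10:00Z",
  requested_scopes: ["openid", "profile", "offline_access"],
  granted_scopes: ["openid", "profile", "offline_access", "EXAMPLE_PERMISSION"],
  inherits_user_permissions: true,
};
console.log(buildConsentView(SAMPLE_CONSENT, new Date("2030-01-01T00:00:00Z")));
```

When `beyondRequest` is non-empty or `inheritsUserPermissions` is true, the page should list those scopes explicitly so the user sees the full grant before approving.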