OAuth Device Consent Submit
Approve or deny a pending OAuth device authorisation request for the currently signed-in account. On approval Storyden recomputes the granted scope from the current account permissions and client policy. For first-party inherited clients this means the final token scope may include Storyden permission scopes that were not present in the original device authorisation request.
/oauth/device/consent
Authorization
browser In: cookie
Request Body
application/json
"approve" | "deny"
Response Body
application/json
application/json
application/json
curl -X POST "https://loading/api/oauth/device/consent" \
  -H "Content-Type: application/json" \
  -d '{ "user_code": "string", "decision": "approve" }'

{
  "status": "approved"
}

{
  "error": "string",
  "error_description": "string"
}

{
  "error": "string",
  "message": "string",
  "suggested": "string",
  "metadata": {}
}

OAuth Device Consent GET
Read a pending OAuth device authorisation request for a signed-in user before they approve or deny consent in the frontend. This is a Storyden frontend/API integration endpoint, not an OAuth protocol endpoint. The API never renders the consent UI directly. A frontend reads this JSON, displays the client and scopes, then submits the user's decision. Reading consent claims the user code for the signed-in account. This prevents another account from approving the same code after it has been displayed.
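The claim-on-read behaviour described above, followed by the submit step, modelled as an added Go example that is not Storyden's code. `ConsentStore`, the error names, the account names, the sample user code and the single-use consumption on submit are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

var (
	ErrUnknownCode = errors.New("unknown user_code")
	ErrClaimed     = errors.New("user_code already claimed by another account")
	ErrBadDecision = errors.New(`decision must be "approve" or "deny"`)
)

// ConsentStore is a hypothetical model, not Storyden's code: pending user_code ->
// claiming account ("" = unclaimed). A real store must make the claim atomic.
type ConsentStore map[string]string

// Read models the consent GET: the first signed-in account to read a code
// claims it, and any other account is refused from then on.
func (s ConsentStore) Read(account, code string) error {
	owner, pending := s[code]
	if !pending {
		return ErrUnknownCode
	}
	if owner != "" && owner != account {
		return ErrClaimed
	}
	s[code] = account
	return nil
}

// Submit models the consent POST: the same claim check runs before the
// decision is accepted, and a decided code is consumed (single use, assumed).
func (s ConsentStore) Submit(account, code, decision string) error {
	if decision != "approve" && decision != "deny" {
		return ErrBadDecision
	}
	if err := s.Read(account, code); err != nil {
		return err
	}
	delete(s, code)
	return nil
}

func main() {
	s := ConsentStore{"WDJB-MJHT": ""} // constructed sample user_code
	fmt.Println(s.Read("alice", "WDJB-MJHT"))
	fmt.Println(s.Submit("mallory", "WDJB-MJHT", "approve"))
	fmt.Println(s.Submit("alice", "WDJB-MJHT", "approve"))
}
```

The second call is refused because the code was bound to the first reader, which is the property the consent GET description relies on.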
OAuth JWKS GET
List public JSON Web Keys that clients can use to validate Storyden OAuth access tokens and OpenID Connect ID tokens. This is advertised by `/.well-known/openid-configuration` as `jwks_uri`. Storyden serves this under the API mount because the key set is an API resource; the well-known discovery document itself is mounted at the instance root and is intentionally not part of this OpenAPI document.