| `DeviceAuthorizationPlugin` | Device authorization flow for TVs, consoles, CLIs, and other limited-input devices | [Device Authorization Plugin](/docs/plugins/device-authorization) |

title: Device Authorization

description: Device authorization flow for TVs, consoles, CLIs, and other limited-input clients.

The `DeviceAuthorizationPlugin` implements a device authorization flow for clients that cannot easily complete an interactive sign-in flow, such as TVs, game consoles, smart displays, and terminal apps.

When enabled, the plugin issues a short `user_code` plus a longer `device_code`, lets a signed-in user approve or deny the request on another device, and returns a Better Auth session token from the polling endpoint once approved.

use better_auth::plugins::DeviceAuthorizationPlugin;

let auth = BetterAuth::new(config)

.database(database)

.plugin(

DeviceAuthorizationPlugin::new()

.enabled(true)

.verification_uri("/device")

.interval(5)

.expires_in(1800)

)

.build()

.await?;

| Option | Type | Default | Description |

|--------|------|---------|-------------|

| `enabled` | `bool` | `false` | Enables the device authorization endpoints |

| `verification_uri` | `String` | `"/device"` | URL or path the user should open to enter the `user_code` |

| `interval` | `i64` | `5` | Minimum polling interval in seconds for `/device/token` |

| `expires_in` | `i64` | `1800` | Lifetime in seconds for the device authorization request |

<Callout type="info">

`verification_uri` is returned to the device client exactly as configured. In practice, this should usually point to a user-facing page in your app where the user can sign in and submit the `userCode`.

</Callout>

1. The device client calls `POST /device/code` with a `client_id` and optional `scope`.

2. The API returns `device_code`, `user_code`, `verification_uri`, `expires_in`, and `interval`.

3. The user opens `verification_uri` on another device, signs in if needed, and enters the `user_code`.

4. Your verification UI calls `POST /device/approve` or `POST /device/deny` with the `userCode`.

5. The original device polls `POST /device/token` with the `device_code` until the request is approved or denied.

6. On approval, `/device/token` returns an `access_token` containing a Better Auth session token.

The optional `scope` value is stored with the device authorization record so applications can track the requested scope, but the plugin currently creates a standard Better Auth session when the request is approved.

The Device Authorization plugin exposes 4 endpoints. The request and response shapes documented below are the current reference for this plugin.

| Endpoint | Method | Auth | Description |

|----------|--------|------|-------------|

| `/device/code` | POST | No | Issue a new `device_code` and `user_code` |

| `/device/token` | POST | No | Poll for approval and exchange the `device_code` for a session token |

| `/device/approve` | POST | Yes | Approve a pending device authorization request |

| `/device/deny` | POST | Yes | Deny a pending device authorization request |

Create a device code:

{

"client_id": "living-room-tv",

"scope": "openid profile"

}

Example response:

{

"device_code": "a-long-random-device-code",

"user_code": "AB12CD34",

"verification_uri": "/device",

"expires_in": 1800,

"interval": 5

}

Approve from a signed-in browser session:

{

"userCode": "AB12CD34"

}

Successful token exchange:

{

"access_token": "session_..."

}

The plugin provides the backend endpoints, but you still need a small verification UI in your app:

1. Render a page at the same URL you use for `verification_uri`.

2. Let the user sign in if they do not already have a session.

3. Collect the `userCode` shown on the device.

4. Call `POST /device/approve` or `POST /device/deny` with `{ "userCode": "..." }`.

Because approval and denial require a valid Better Auth session, the verification page should run in a browser or app context where the user can authenticate normally.

The `/device/token` endpoint uses the current device authorization state to guide the client:

| Status | Condition |

|--------|-----------|

| `200` | Request approved, returns `{ "access_token": "session_..." }` |

| `400 authorization_pending` | The user has not approved or denied the request yet |

| `400 slow_down` | The client polled faster than the configured `interval` |

| `400 access_denied` | The user explicitly denied the request |

| `400 invalid_grant` | The `device_code` is unknown, expired, or has already been consumed |

Once a device code is successfully exchanged, it is consumed and cannot be reused.

| Status | Condition |

|--------|-----------|

| `401` | `/device/approve` or `/device/deny` was called without a valid session |

| `404` | The supplied `userCode` was not found |

| `404` | The plugin is disabled and the device endpoints are not available |

"passkey",

"device-authorization"

| Method | Path | Auth | Description |

|--------|------|------|-------------|

| POST | `/device/code` | No | Issue a `device_code` and `user_code` for a limited-input client |

| POST | `/device/token` | No | Poll device authorization state and exchange an approved code for a session token |

| POST | `/device/approve` | Yes | Approve a pending device authorization request |

| POST | `/device/deny` | Yes | Deny a pending device authorization request |