Device Flow

The device flow allows you to authorize users for a headless app, such as a CLI tool or Git credential manager.

Overview of the device flow:

  1. Your app requests device and user verification codes and gets the authorization URL where the user will enter the user verification code.
  2. The app prompts the user to enter a user verification code at:
  3. The app polls for the user authentication status. Once the user has authorized the device, the app will be able to make API calls with a new access token.
  1. Step 1—App Requests the Device and User Verification Codes from GitHub

    Your app must request a user verification code and verification URL that the app will use to prompt the user to authenticate in the next step. This request also returns a device verification code that the app must use to receive an access token and check the status of user authentication.

    1. Input Parameters

      (string) Required The client ID you received from GitHub for your app.


      (string) The scope that your app is requesting access to.

    2. Response Parameters

        {
          "device_code": "3584d83530557fdd1f46af8289938c8ef79f9dc5",
          "user_code": "WDJB-MJHT",
          "verification_uri": "",
          "expires_in": 900,
          "interval": 5
        }

      (string) The device verification code is 40 characters and used to verify the device.


      (string) The user verification code is displayed on the device so the user can enter the code in a browser. This code is 8 characters with a hyphen in the middle.


      The verification URL where users need to enter the user_code:

      (integer) The number of seconds before the device_code and user_code expire. The default is 900 seconds or 15 minutes.


      (integer) The minimum number of seconds that must pass before you can make a new access token request (POST to complete the device authorization.

  2. Step 2—Prompt the user to enter the user code in a browser

    Your device will show the user verification code and prompt the user to enter the code at
  3. Step 3—App polls GitHub to check if the user authorized the device

    Your app will make device authorization requests that poll


    until the device and user codes expire or the user has successfully authorized the app with a valid user code. The app must use the minimum polling interval retrieved in step 1 to avoid rate limit errors.

    The user must enter a valid code within 15 minutes (or 900 seconds). After 15 minutes, you will need to request a new device authorization code with


    Once the user has authorized, the app will receive an access token that can be used to make requests to the API on behalf of a user.

    1. Input Parameters

      (string) Required The client ID you received from GitHub for your OAuth App.


      (string) Required The device verification code you received from the request to:


      (string) Required The grant type must be:

    2. Response

        {
          "access_token": "e72e16c7e42f292c6912e7710c838347ae178b4a",
          "token_type": "bearer",
          "scope": "user"
        }
  4. Error Codes for the Device Flow
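
The step 3 polling loop, sketched as an added example (not code from GitHub or from this page): it waits the step 1 `interval` before every request, stops when `expires_in` has elapsed, and ends on any terminal error. The `post`, `sleep` and `clock` parameters are hypothetical, the error codes are taken from RFC 8628 because this page lists none, and the grant type is passed in by the caller because the page omits its value.

```python
import time

# Error codes from RFC 8628 section 3.5; this page names none, so treating
# the token endpoint as returning them is an assumption.
PENDING, SLOW_DOWN = "authorization_pending", "slow_down"


def poll_for_token(post, client_id, grant_type, device_resp,
                   sleep=time.sleep, clock=time.monotonic):
    """Poll until a token arrives, the codes expire, or a terminal error.

    post(params) -> dict is a hypothetical transport: it POSTs the form
    fields to the token endpoint and returns the decoded JSON body.
    """
    interval = device_resp["interval"]
    deadline = clock() + device_resp["expires_in"]
    params = {"client_id": client_id, "grant_type": grant_type,
              "device_code": device_resp["device_code"]}
    while True:
        sleep(interval)  # never poll faster than the step 1 interval
        if clock() >= deadline:
            raise TimeoutError("codes expired; request new ones (step 1)")
        body = post(params)
        if "access_token" in body:
            return body  # caller stores the token; do not log it
        error = body.get("error")
        if error == SLOW_DOWN:
            interval += 5  # RFC 8628: back off by 5 seconds
        elif error != PENDING:
            raise PermissionError(f"device flow stopped: {error!r}")


if __name__ == "__main__":
    # Constructed step 1 response and a scripted transport (no network).
    step1 = {"device_code": "0" * 40, "user_code": "WDJB-MJHT",
             "expires_in": 900, "interval": 5}
    replies = iter([{"error": PENDING}, {"error": SLOW_DOWN},
                    {"access_token": "constructed-token",
                     "token_type": "bearer", "scope": "user"}])
    token = poll_for_token(lambda p: next(replies), "constructed-client-id",
                           "constructed-grant-type", step1,
                           sleep=lambda s: print(f"wait {s}s"))
    print(token["token_type"], token["scope"])
```

The `device_code` and the returned `access_token` are bearer secrets for the pending authorization, so keep them out of logs and terminal output; only the `user_code` is meant to be displayed.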
