Call Your API from an Input-Constrained Device

Call Your API from an Input-Constrained Device

Everything you need to know to call your API from your input-constrained device. For use with native apps.

Using Auth0 in your applications means that you will be "outsourcing" the authentication process to a centralized login page in the same way that Gmail, YouTube, and any other Google property redirects to whenever a user signs in.

With input-constrained devices, however, rather than immediately authenticating the user, the device asks the user to go to a link on their computer or smartphone to authenticate. This avoids a poor user experience for devices that do not have an easy way to enter text. If you’ve ever signed in to your Netflix account on a device like a Roku, you’ve already encountered this workflow.

Your user will authenticate on their computer or smartphone, and Auth0 will generate an Access Token that will be passed back to your device application. The Access Token can then be used to call your API.

This flow can be used with native applications only.

How it works

When your app needs to fetch user data from your API:

  1. If the device is not already authorized, your device app calls your Auth0 Authorization Server to retrieve a device code.
  2. Auth0 responds with a URL and user code that your device app can use when asking the user to visit a specific URL on their laptop or smartphone and provide an activation code.
  3. Your device app begins to poll your Auth0 Authorization Server for an Access Token.
  4. The user authenticates with Auth0 on its computer or smartphone using one of your configured login options (e.g., username/password, social identity provider, SAML).
  5. Auth0 responds to your device app with an Access Token.
  6. The Access Token can be used to call your API and retrieve requested data.

For devices, Auth0 uses the Device Authorization Flow.

Flow Overview for Device Apps

Implementation overview

  1. 1

    Configure your API

    Once you have created your API, you will need to authorize your device's application and configure any scopes that applications can request during authorization.
  2. 2

    Get an Access Token

    Your device requests an Access Token from your Auth0 Authorization Server using the Device Authorization Flow.
  3. 3

    Call your API

    When your device calls your API, it includes the retrieved Access Token in the HTTP Authorization header.

To implement the Device Authorization Flow, you can follow our tutorial: Call Your API Using the Device Authorization Flow.

Keep reading


API endpoints, libraries, and best practices


Understand the fundamentals

What's next