Call Your API from an Input-Constrained Device

Using Auth0 in your applications means that you will be "outsourcing" the authentication process to a centralized login page in the same way that Gmail, YouTube, and any other Google property redirects to accounts.google.com whenever a user signs in.

With input-constrained devices, however, rather than immediately authenticating the user, the device asks the user to go to a link on their computer or smartphone to authenticate. This avoids a poor user experience for devices that do not have an easy way to enter text. If you’ve ever signed in to your Netflix account on a device like a Roku, you’ve already encountered this workflow.

Your user will authenticate on their computer or smartphone, and Auth0 will generate an Access Token that will be passed back to your device application. The Access Token can then be used to call your API.

This flow can be used with native applications only.

When your app needs to fetch user data from your API:

1. If the device is not already authorized, your device app calls your Auth0 Authorization Server to retrieve a device code.
2. Auth0 responds with a URL and user code that your device app can use when asking the user to visit a specific URL on their laptop or smartphone and provide an activation code.
3. Your device app begins to poll your Auth0 Authorization Server for an Access Token.
4. The user authenticates with Auth0 on its computer or smartphone using one of your configured login options (e.g., username/password, social identity provider, SAML).
5. Auth0 responds to your device app with an Access Token.
6. The Access Token can be used to call your API and retrieve requested data.

For devices, Auth0 uses the Device Authorization Flow.

To implement the Device Authorization Flow, you can follow our tutorial: Call Your API Using the Device Authorization Flow.