Device Authorization

OAuth device authorization flow for CLI and TV clients.

This page documents the current Ruby port behavior. Ruby uses snake_case option names and auth.api method names; HTTP paths and JSON keys keep the upstream wire shape where implemented.

Configure

config/auth.rb
require "better_auth"

auth = BetterAuth.auth(
  secret: ENV.fetch("BETTER_AUTH_SECRET"),
  base_url: ENV.fetch("BETTER_AUTH_URL", "http://localhost:3000"),
  plugins: [
    BetterAuth::Plugins.device_authorization
  ]
)

Usage

server.rb
issued = auth.api.device_code(body: { client_id: "cli", scope: "openid profile" })
auth.api.device_approve(headers: { "cookie" => request.env["HTTP_COOKIE"] }, body: { user_code: issued[:user_code] })
token = auth.api.device_token(body: { grant_type: "urn:ietf:params:oauth:grant-type:device_code", device_code: issued[:device_code], client_id: "cli" })

Routes

MethodPathRuby API method
POST/device/codeauth.api.device_code
POST/device/tokenauth.api.device_token
GET/deviceauth.api.device_verify
POST/device/approveauth.api.device_approve
POST/device/denyauth.api.device_deny

Options

Current Ruby options accepted by BetterAuth::Plugins.device_authorization:

  • validate_client
  • generate_device_code
  • device_code_length
  • generate_user_code
  • user_code_length
  • expires_in
  • interval
  • on_device_auth_request
  • verification_uri

Support Notes

  • The examples above are based on Ruby plugin source and tests in packages/better_auth.
  • If an upstream section is not represented here, treat it as not yet documented or not yet supported by the Ruby port until the matching Ruby implementation exists.
Edit on GitHub

Previous Page

Bearer

Next Page

Captcha

On this page