
Device Code Flow Playground

OAuth 2.0 Device Authorization Grant (RFC 8628)

This playground implements a complete Device Code Flow. Request a device code, authenticate at the verification URL (simulating the "second screen"), and receive a signed JWT. Useful for testing CLI tools, IoT device auth, and Snowflake External OAuth integrations.

Device (this page)            Blog API                 You (verify page)
      |                          |                          |
      |-- POST /request -------->|                          |
      |<-- device_code, user_code|                          |
      |                          |                          |
      | "Go to verify URL and enter: ABCD-1234"             |
      |                          |                          |
      |-- POST /token (poll) --->|    Open verify URL ----->|
      |<-- authorization_pending |<-- POST /authorize ------|
      |                          |    (user_code + username)|
      |-- POST /token (poll) --->|                          |
      |<-- access_token (JWT) ---|                          |
API Endpoints

GET   /api/devicecode/captcha    Get captcha challenge
POST  /api/devicecode/captcha    Verify captcha, get session token
POST  /api/devicecode/request    Request device code (requires session)
POST  /api/devicecode/token      Exchange device_code for JWT (requires session)
GET   /.well-known/jwks.json     JWKS public key for token validation
POST  /api/devicecode/aes-key    Get AES key (requires Bearer token)
0 Verify You're Human

Solve the captcha to activate the API for your session (10 minutes). This prevents bots from abusing the demo endpoints.

Python Integration Code

Use these scripts to interact with the API programmatically. The session token from the captcha is required for all requests.

Complete device code flow — request, poll, receive token. Requires: pip install requests


Validate a received token against JWKS or a public key. Requires: pip install PyJWT cryptography


Quick test with curl.

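The flow script the captcha generates is not reproduced on this page. As an added example (not the playground's own code), the client below implements the request-then-poll loop from the diagram above, following the RFC 8628 section 3.5 rules for authorization_pending and slow_down. The base URL, the X-Session-Token header name and the empty /request body are assumptions; the scripted transport exists so the loop can be exercised offline with constructed responses.

```python
import json
import time
import urllib.error
import urllib.request

BASE = "https://kevinkeller.org"   # assumption: the playground API is served from the blog host
GRANT = "urn:ietf:params:oauth:grant-type:device_code"

def http_post(url, body, headers=None):
    """Real transport: JSON POST returning (HTTP status, decoded JSON body)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json", **(headers or {})})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:   # OAuth error responses are 4xx with a JSON "error" field
        return e.code, json.load(e)

def scripted_post(responses):
    """Offline transport for demos and tests: hands back constructed (status, body) pairs in order."""
    it = iter(responses)
    return lambda url, body, headers=None: next(it)

def run_device_flow(session_token, post=http_post, sleep=time.sleep, clock=time.monotonic):
    """Request a device code, show the user code, then poll /token until the user authorizes."""
    headers = {"X-Session-Token": session_token}   # assumption: how the captcha session is presented
    status, dev = post(f"{BASE}/api/devicecode/request", {}, headers)
    if status != 200 or "device_code" not in dev:
        raise RuntimeError(f"device code request failed: {status} {dev}")
    print(f"Go to {dev.get('verification_uri')} and enter: {dev['user_code']}")
    interval = dev.get("interval", 5)                # never poll faster than the server asks
    deadline = clock() + dev.get("expires_in", 600)  # the page says device codes live 10 minutes
    while clock() < deadline:
        sleep(interval)
        status, tok = post(f"{BASE}/api/devicecode/token",
                           {"grant_type": GRANT, "device_code": dev["device_code"]}, headers)
        if status == 200 and "access_token" in tok:
            return tok                               # the signed JWT from the playground
        err = tok.get("error")
        if err == "authorization_pending":           # user has not finished the second screen yet
            continue
        if err == "slow_down":                       # RFC 8628: add 5 s to the interval and keep going
            interval += 5
            continue
        raise RuntimeError(f"device flow failed: {err}")   # access_denied, expired_token, ...
    raise TimeoutError("device code expired before the user authorized it")
```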
1 Signing Key

Choose how the JWT will be signed. Server mode uses the blog's RSA key -- validate tokens against the JWKS endpoint. Client mode generates keys in your browser for fully offline signing.

Tokens are signed by the blog's RSA key. Validate against:

https://kevinkeller.org/.well-known/jwks.json

2 Request Device Code

Click below to request a device code. You'll get a user code and a link to the verification page. Open the link in a new tab (or on your phone) and enter the code there.


3 Waiting for Authorization
Polling for authorization... Authenticate on the verification page.
Token received! The device code flow completed successfully.
4 AES-256-CBC Key (Bearer Token Protected)

Exchange your bearer token for a demo AES encryption key. This demonstrates a protected API endpoint that validates the JWT before returning sensitive material.

For testing and demos only. The server's RSA key regenerates on restart. Device codes expire after 10 minutes. Tokens expire after 1 hour. No data is stored permanently. In production, use a real Identity Provider (Okta, Entra ID, Auth0) for device code flows.
