# Exchange device code for token

> Poll this endpoint with `device_code` until the user approves the request. Follows [RFC 8628 §3.4](https://datatracker.ietf.org/doc/html/rfc8628#section-3.4). While the user has not yet approved, the response is `400` with `error: authorization_pending`. Poll at most once per `interval` seconds, or you'll receive `slow_down`.



## OpenAPI

````yaml /api-reference/dashboard-openapi.json post /api/auth/device/token
openapi: 3.0.3
info:
  title: Photon Dashboard API
  version: 0.1.0
  description: >-
    Authenticated REST API for the Photon Dashboard. Used by the web app and the
    `photon` CLI. Only the public-surface endpoints are listed here today.
servers:
  - url: https://app.photon.codes
security: []
tags:
  - name: Projects
    description: Project CRUD and Spectrum credentials.
  - name: Device login
    description: RFC 8628 device authorization flow used by the CLI.
paths:
  /api/auth/device/token:
    post:
      tags:
        - Device login
      summary: Exchange device code for token
      description: >-
        Poll this endpoint with `device_code` until the user approves the
        request. Follows [RFC 8628
        §3.4](https://datatracker.ietf.org/doc/html/rfc8628#section-3.4). While
        the user has not yet approved, the response is `400` with `error:
        authorization_pending`. Poll at most once per `interval` seconds, or
        you'll receive `slow_down`.
      operationId: deviceToken
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - grant_type
                - device_code
                - client_id
              properties:
                grant_type:
                  type: string
                  enum:
                    - urn:ietf:params:oauth:grant-type:device_code
                device_code:
                  type: string
                client_id:
                  type: string
      responses:
        '200':
          description: >-
            User has approved. Session is returned; the `set-auth-token`
            response header carries the bearer token to use for subsequent
            calls.
          content:
            application/json:
              schema:
                type: object
                properties:
                  session:
                    type: object
                  user:
                    type: object
        '400':
          description: Pending, denied, or otherwise failed.
          content:
            application/json:
              schema:
                type: object
                properties:
                  error:
                    type: string
                    enum:
                      - authorization_pending
                      - slow_down
                      - expired_token
                      - access_denied
                      - invalid_request
                      - invalid_grant
                  error_description:
                    type: string

````
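A polling client for the endpoint above, as an added example that is not Photon's own code. It handles each documented `error` value, applies the 5-second `slow_down` back-off from RFC 8628 §3.5, and reads the bearer token from `set-auth-token`. The function names, the injectable `post`/`sleep` parameters, and the `interval`/`expires_in` defaults are assumptions; in practice take both values from the device authorization response.

```python
import json
import time
import urllib.error
import urllib.request

TOKEN_URL = "https://app.photon.codes/api/auth/device/token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"

class DeviceLoginError(Exception):
    """Terminal failure: the flow must be restarted or abandoned."""

def http_post(body):
    """POST JSON to the token endpoint; return (status, headers, parsed body)."""
    req = urllib.request.Request(TOKEN_URL, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers, json.load(resp)
    except urllib.error.HTTPError as err:  # the 400 body carries the error code
        return err.code, err.headers, json.load(err)

# interval=5 and expires_in=600 are assumed defaults, not values from this page.
def poll_device_token(device_code, client_id, interval=5, expires_in=600,
                      post=http_post, sleep=time.sleep):
    """Poll until the user approves; return (bearer_token, response_body)."""
    body = {"grant_type": GRANT_TYPE, "device_code": device_code,
            "client_id": client_id}
    waited = 0
    while waited < expires_in:           # never poll past the code's lifetime
        sleep(interval)
        waited += interval
        status, headers, data = post(body)
        if status == 200:
            token = headers.get("set-auth-token")
            if not token:
                raise DeviceLoginError("200 response without set-auth-token")
            return token, data           # caller must keep the token out of logs
        error = data.get("error")
        if error == "authorization_pending":
            continue                     # user has not decided yet
        if error == "slow_down":
            interval += 5                # RFC 8628 §3.5: applies to all later polls
            continue
        # access_denied, expired_token, invalid_request, invalid_grant: stop polling
        raise DeviceLoginError(error or f"unexpected HTTP {status}")
    raise DeviceLoginError("expired_token")
```

Treat every error other than `authorization_pending` and `slow_down` as terminal, so a denied or expired code is never retried.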