> For the complete documentation index, see [llms.txt](https://docs.devolutions.net/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.devolutions.net/server/knowledge-base/how-to-articles/obtain-rest-api-access-in-a-user-context.md). # Obtain REST API access in a user context For some scenarios, you might need to get REST API access in a user context by using the device authorization flow. The steps to set this up have been documented in PowerShell, but any language will do. Here is how it works: 1. Query the well-known OpenID configuration endpoint to retrieve the server’s token and device authorization endpoints: ```powershell try { $wellKnownResponse = Invoke-RestMethod -Method Get -Uri $wellKnownEndpoint $tokenEndpoint = $wellKnownResponse.token_endpoint $deviceCodeEndpoint = $wellKnownResponse.device_authorization_endpoint } catch { Write-Error "Error obtaining server information" exit } ``` 2. Send a request to the device authorization endpoint for a device code, a user code, a verification URL, and a complete verification URL, as well as details regarding how long the codes are valid and how often to check. Then, either open a browser to the complete verification URL, or direct the user to manually enter their or her user code and approve the device access request: ```powershell $body = "client_id=$clientId&scope=$([uri]::EscapeDataString($scope))" try { $deviceCodeResponse = Invoke-RestMethod -Method Post -Uri $deviceCodeEndpoint ` -ContentType "application/x-www-form-urlencoded" -Body $body } catch { Write-Error "Failed to obtain device code: $_" exit } # Extract values from the response (field names may vary by provider) $device_code = $deviceCodeResponse.device_code $user_code = $deviceCodeResponse.user_code $verification_uri = $deviceCodeResponse.verification_uri $verification_uri_complete = $deviceCodeResponse.verification_uri_complete $interval = 10 # in seconds $expires_in = $deviceCodeResponse.expires_in # in seconds # Provide a default interval if none was returned or if it's zero/null if (-not $interval -or $interval -eq 0) { $interval = 5 Write-Host "Interval not provided or invalid; defaulting to $interval seconds." } # Instead of instructing the user, open the browser to the verification_uri_complete if ($verification_uri_complete) { Write-Host "Opening browser for device authorization..." Start-Process $verification_uri_complete } else { Write-Host "verification_uri_complete not provided. Please manually go to $verification_uri and enter the code: $user_code" } ``` 3. Start a loop that periodically sends a request to the token endpoint with the device code and client ID until the server returns an access token: ```powershell $startTime = Get-Date $tokenResponse = $null while (((Get-Date) - $startTime).TotalSeconds -lt $expires_in) { Start-Sleep -Seconds $interval try {# Build the POST body to exchange the device code for an access token $tokenBody = "grant_type=urn:ietf:params:oauth:grant-type:device_code&client_id=$clientId&device_code=$device_code" $tokenResponse = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -ContentType "application/x-www-form-urlencoded" -Body $tokenBody if ($tokenResponse.access_token) { Write-Host "Access token obtained:" $tokenResponse.access_token break } } catch {# Instead of reading the response content (which may be disposed), use the exception message. $errorMessage = $_.Exception.Message # Check if the exception message indicates that authorization is still pending. if ($errorMessage -match "authorization_pending") { Write-Host "Authorization pending..." continue } else { Write-Error "Error during token polling: $errorMessage" break } } } if (-not $tokenResponse -or -not $tokenResponse.access_token) { Write-Host "Failed to obtain an access token or authorization expired." } ``` 4. When needed, use the refresh token obtained during step #1 to request a new token from the token endpoint, ensuring continued access to the application: ```powershell $body = "grant_type=refresh_token&authorization=bearer $($tokenResponse.access_token)&refresh_token=$($tokenResponse.refresh_token)&client_id=dvls" try { $refreshResponse = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -ContentType "application/x-www-form-urlencoded" -Body $body if ($refreshResponse.access_token) { Write-Host "Access token obtained:" $tokenResponse.access_token break } } catch { Write-Error "Failed to obtain device code: $_" exit } ``` {% hint style="info" %} See [Okta's documentation](https://auth0.com/docs/get-started/authentication-and-authorization-flow/device-authorization-flow) for more information on the Device Authorization Flow. {% endhint %} ### See also * [REST API documentation](https://docs.devolutions.net/server/web-interface/utilities/api-documentation/) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.devolutions.net/server/knowledge-base/how-to-articles/obtain-rest-api-access-in-a-user-context.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.