POST to the device authorization endpoint (advertised as device_authorization_endpoint in discovery metadata) with client_id and scope to receive device_code, user_code, verification_uri, and optionally interval and expires_in.
Display the user_code and verification_uri (or verification_uri_complete if available) to the user on the device; the user visits the URI on a separate device to enter the code.
Begin polling the token endpoint with grant_type=urn:ietf:params:oauth:grant-type:device_code, client_id, and device_code; wait at least the number of seconds specified by the interval parameter (default 5 if not provided) between polls.
On authorization_pending response, continue polling; on slow_down response, increase your polling interval by 5 seconds and continue.
On a successful response, store the access token and refresh token; on an expired_token or access_denied response, cancel polling and prompt the user to restart.
Implement a total timeout based on the expires_in value from the device authorization response; stop polling after that duration regardless of status.
Known gotchas
Polling faster than the interval results in a slow_down error; each slow_down increases the required interval by 5 seconds — aggressive polling can rapidly push the interval to unusable lengths.
device_code is a server-side opaque identifier sent in the POST body to the token endpoint; the user_code is only for the human user on the secondary device — do not confuse the two.
Device codes expire (typically in 5-15 minutes depending on the server); display the expiry to the user so they know how long they have to complete authorization on the secondary device.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp