The authentication works with the grant type device_pin and the corresponding field for it. It uses the common endpoint POST /oauth/token.

Request
POST /api/v2/Smart/Device/SDV_8ZKMSAQ30VNH1WE6EGFJCCG4BCSAML/DevicePin HTTP/1.1
Host: connect-testing.secupay-ag.de
Authorization: Bearer qb56tjj1bcvo9n2nj4u38k84lo
Accept: application/json
 
{
"grant_type": "device_pin",
"client_id": "e3323efa4fb2c4e8562adcdbfe9acf41",
"client_secret": "44640a4323db70c1b87dcbe27672a997eb98dad04d8e4caf942da70f77841f8d",
"uuid": "/vendor/ingenico/serial/17275wl26695664",
"device_pin": "CxajtF94uLi4s7d3"
}

If the Smart Device ID is valid, the API responds with 200 OK, and the wanted tokens:

Response
HTTP/1.1 200 OK
Content-Type: application/json
 
{
"access_token": "7vfogs9bpol1dv2yvl5gqmpl0g",
"expires_in": 1200,
"token_type": "bearer",
"scope": null
}

If not successful, it responds with 400 Bad Request, and a simple error response.