Once the device is registered, you can authenticate using OAuth. This means you request a session token, and use it for authentication in the subsequent calls.
The endpoint to request the OAuth token is POST /oauth/token. You need to pass the vendor client credentials, and the device code (as code). The grant type is still device.
    POST /oauth/token HTTP/1.1
    Host: connect-testing.secuconnect.com
    Content-Type: application/json
    Accept: application/json

    {
      "grant_type": "device",
      "client_id": "611c00ec6b2be6c77c2338774f50040b",
      "client_secret": "dc1f422dde755f0b1c4ac04e7efbd6c4c78870691fe783266d7d6c89439925eb",
      "code": "2429e1d92f2f76cc3bbdc0333457ef25"
    }

If everything is fine, the API responds with 200 OK and returns the token, among other things:
    HTTP/1.1 200 OK
    Content-Type: application/json
    ...

    {
      "access_token": "c0p22mjoea0vktmfe09r9h1b40",
      "expires_in": 1200,
      "token_type": "bearer",
      "scope": null,
      "refresh_token": "d3aece0996cee981609cab15653db0e9bc9ef804"
    }

The OAuth access token is found in access_token (line 6). It is valid for 1200 seconds (see expires_in at line 7). The access token is to be sent in all subsequent calls.
Note: There is only one OAuth access token per device session. The former token is invalidated when you create a new one. Consider carefully where you store it.
Your system should also store the refresh_token. It can be used to create a new token without sending the device code again, as long as the session is valid.
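The note above means that two workers requesting tokens independently will keep invalidating each other. The following added example (not secuconnect code) shows one way to share a single token per device session and to keep the refresh_token; `DeviceTokenStore`, `fetch`, `skew` and `clock` are hypothetical names, and the caller supplies `fetch`, which performs the POST /oauth/token call and returns the parsed JSON response.

```python
import json
import threading
import time


def build_token_request(client_id, client_secret, device_code):
    """JSON body for POST /oauth/token using the device grant."""
    return json.dumps({
        "grant_type": "device",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": device_code,
    })


class DeviceTokenStore:
    """Hands out one shared access token per device session.

    A new token invalidates the former one, so every caller goes through
    a single lock, and a new token is requested only when the cached one
    is missing or about to expire.
    """

    def __init__(self, fetch, skew=30, clock=time.monotonic):
        self._fetch = fetch        # assumption: returns the parsed JSON response
        self._skew = skew          # safety margin in seconds before expiry
        self._clock = clock
        self._lock = threading.Lock()
        self._token = None
        self._expires_at = 0.0
        self.refresh_token = None  # kept so the session can be renewed later

    def access_token(self):
        with self._lock:
            if self._token is None or self._clock() >= self._expires_at - self._skew:
                reply = self._fetch()
                if reply.get("token_type", "").lower() != "bearer":
                    raise ValueError("unexpected token_type")
                self._token = reply["access_token"]
                self._expires_at = self._clock() + int(reply["expires_in"])
                self.refresh_token = reply.get("refresh_token")
            return self._token

    def __repr__(self):  # keep token values out of logs and tracebacks
        return "<DeviceTokenStore token=%s>" % ("set" if self._token else "unset")
```

With expires_in at 1200 and the default margin of 30 seconds, the store reuses the cached token until 1170 seconds have passed and only then requests a new one.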