Step 1: Authenticate the Device
Once the device is registered, you can authenticate using OAuth. This means you request a session token, and use it for authentication in the subsequent calls.
The endpoint to request the OAuth token is POST /oauth/token. You need to pass the vendor client credentials, and the device code (as code). The grant type is still device.
POST /oauth/token HTTP/1.1
If everything is fine, the API responds with 200 OK, and the token amongst other things:
HTTP/1.1 200 OK
The OAuth access token is found in access_token (line 6). It is valid for 1200 seconds (see expires_in at line 7). The access token is to be sent in all subsequent calls.
Note: There is only one OAuth access token per device session. The former token is invalidated when you create a new one. You should consider the place to store it carefully.
Your system should also store the refresh_token. It can be used to create a new token without sending the device code again, as long as the session is valid.
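One way to handle the storage concern above, as an added example that is not part of the original documentation or the vendor's code: a single owner-only token file shared by all callers, since creating a new token invalidates the former one. The class name, file path, renewal margin and sample response values are assumptions; only access_token, expires_in and refresh_token come from the page, and the refresh request itself is not shown because the page does not specify it.

```python
import json, os, tempfile, time

# Constructed sample of a token response body; the field names are from the
# page, the values are placeholders.
SAMPLE_RESPONSE = ('{"access_token": "EXAMPLE-ACCESS", "expires_in": 1200, '
                   '"refresh_token": "EXAMPLE-REFRESH"}')

class TokenStore:
    """Single shared store for the one access token a device session has."""

    def __init__(self, path, skew=60):
        self.path = path   # hypothetical location chosen by the integrator
        self.skew = skew   # renew this many seconds before expiry (assumption)

    def save(self, response_body, now=None):
        data = json.loads(response_body)
        now = time.time() if now is None else now
        record = {
            "access_token": data["access_token"],
            "refresh_token": data.get("refresh_token"),
            "expires_at": now + int(data["expires_in"]),
        }
        # mkstemp creates the file readable by the owner only; the rename is
        # atomic, so readers never see a partial or world-readable token file.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        try:
            with os.fdopen(fd, "w") as fh:
                json.dump(record, fh)
            os.replace(tmp, self.path)
        except BaseException:
            os.unlink(tmp)
            raise
        return record

    def load(self):
        try:
            with open(self.path) as fh:
                return json.load(fh)
        except FileNotFoundError:
            return None

    def next_action(self, now=None):
        """Return ('use', token), ('refresh', refresh_token) or ('authenticate', None)."""
        now = time.time() if now is None else now
        rec = self.load()
        if rec and now < rec["expires_at"] - self.skew:
            return ("use", rec["access_token"])
        if rec and rec.get("refresh_token"):
            return ("refresh", rec["refresh_token"])
        return ("authenticate", None)
```

Every process that talks to the API for this device should read from and write to the same store, so that a renewal by one caller does not leave another holding the invalidated token.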