Step 1: Authenticate the Device

Once the device is registered, you can authenticate using OAuth. This means you request a session token, and use it for authentication in the subsequent calls.

The endpoint to request the OAuth token is POST /oauth/token. You need to pass the vendor client credentials, and the device code (as code). The grant type is still device.

POST /oauth/token HTTP/1.1
Content-Type: application/json
Accept: application/json
"grant_type": "device",
"client_id": "611c00ec6b2be6c77c2338774f50040b",
"client_secret": "dc1f422dde755f0b1c4ac04e7efbd6c4c78870691fe783266d7d6c89439925eb",
"code": "2429e1d92f2f76cc3bbdc0333457ef25"

If evreything is fine, the API responds with 200 OK, and the token amongst other things:

HTTP/1.1 200 OK
Content-Type: application/json
"access_token": "c0p22mjoea0vktmfe09r9h1b40",
"expires_in": 1200,
"token_type": "bearer",
"scope": null,
"refresh_token": "d3aece0996cee981609cab15653db0e9bc9ef804"

The OAuth access token is found in access_token (line 6). It is valid for 1200 seconds (s. expires_in at line 7). The access token is to be sent in all subequent calls.

Note: There is only one OAuth access token per device session. The former token is invalidated when you create a new one. You should consider the place to store it carefully.

Your system should also memorize the refresh_token. It can be used to create a new token without sending the device code again, as long as the session is valid.