Device authorization
Connect an agent without copying a permanent key.
The agent starts a device request, the operator approves it in Vera and selects a project, then the agent receives a 15-minute access token and a rotating refresh token. An active subscription is required throughout.
Start
Ask Vera for a user code.
Show the returned code and open the verification URL. Device codes expire after ten minutes and must be treated as secrets by the requesting agent.
$ curl -X POST https://api-vera.symph.ai/v1/auth/device/code \
> -H "Content-Type: application/json" \
> -d '{ "client_name": "Acme prospecting agent" }'Approve
Let the operator choose the project in the browser.
Vera requires Google sign-in, an active subscription, and an owned project. Approval never exposes the operator's Google or billing credentials to the agent.
Exchange
Poll at the requested interval until approved.
Respect interval. Vera returns authorization_pending while waiting andslow_down when a client polls too quickly. A device code can be exchanged only once.
$ curl -X POST https://api-vera.symph.ai/v1/auth/device/token \
> -H "Content-Type: application/json" \
> -d '{
> "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
> "device_code": "vdc_..."
> }'Rotate
Refresh before the access token expires.
Every refresh rotates both tokens. Store the replacement pair atomically. Refresh is blocked when the subscription is inactive, the project is archived, or the session is revoked.
$ curl -X POST https://api-vera.symph.ai/v1/auth/device/refresh \
> -H "Content-Type: application/json" \
> -d '{ "grant_type": "refresh_token", "refresh_token": "vdr_..." }'