Device authorization

Connect an agent without copying a permanent key.

The agent starts a device request, the operator approves it in Vera and selects a project, then the agent receives a 15-minute access token and a rotating refresh token. An active subscription is required throughout.

Start

Ask Vera for a user code.

Show the returned code and open the verification URL. Device codes expire after ten minutes and must be treated as secrets by the requesting agent.

Create device request
$ curl -X POST https://api-vera.symph.ai/v1/auth/device/code \
>   -H "Content-Type: application/json" \
>   -d '{ "client_name": "Acme prospecting agent" }'

Approve

Let the operator choose the project in the browser.

Vera requires Google sign-in, an active subscription, and an owned project. Approval never exposes the operator's Google or billing credentials to the agent.

Exchange

Poll at the requested interval until approved.

Respect interval. Vera returns authorization_pending while waiting andslow_down when a client polls too quickly. A device code can be exchanged only once.

Exchange device code
$ curl -X POST https://api-vera.symph.ai/v1/auth/device/token \
>   -H "Content-Type: application/json" \
>   -d '{
>     "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
>     "device_code": "vdc_..."
>   }'

Rotate

Refresh before the access token expires.

Every refresh rotates both tokens. Store the replacement pair atomically. Refresh is blocked when the subscription is inactive, the project is archived, or the session is revoked.

Rotate tokens
$ curl -X POST https://api-vera.symph.ai/v1/auth/device/refresh \
>   -H "Content-Type: application/json" \
>   -d '{ "grant_type": "refresh_token", "refresh_token": "vdr_..." }'