---
title: Device authorization through mobile applications
description: In addition to initiating a regular OAuth authorization flow, mobile applications and single-page web applications can use the authentication API to initiate and complete the user authorization side of the OAuth device authorization flow.
component: pingfederate
version: 13.1
page_id: pingfederate:developers_reference_guide:pf_device_authorization_through_mobile_applications
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/developers_reference_guide/pf_device_authorization_through_mobile_applications.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: February 6, 2023
---

# Device authorization through mobile applications

In addition to initiating a regular OAuth authorization flow, mobile applications and single-page web applications can use the authentication API to initiate and complete the user authorization side of the OAuth [device authorization](../introduction_to_pingfederate/pf_device_auth_grant.html) flow.

There are a few differences between this case and the non-device case:

* You don't need to select **Allow Authentication API Redirectless Mode** on the **Client** window for the OAuth device client because the mobile or single-page web application doesn't receive tokens at the end of the flow.

* For the same reason, in the case of web applications, you don't need to enable **Allow Redirectless Mode** on the **Authentication Application** window when configuring the authentication API application.

* The initial request is made to the user authorization endpoint `/as/user_authz.oauth2` rather than `/as/authorization.oauth2`. As with the non-device flow, you must specify `pi.flow` for the `response_mode`. Optionally, the initial request can also provide the `user_code`. This endpoint doesn't need any other parameters.

* At the end of the flow, the `OAUTH_DEVICE_COMPLETED` state is returned to the API client. This response doesn't include an authorization code or tokens.

As with the non-device flow, you must select **Bypass Authorization Approval** on the **Client** window for the device client because the PingFederate authentication API does not yet support the OAuth consent approval step.

The models and actions for the `OAUTH_DEVICE_USER_CODE_REQUIRED`, `OAUTH_DEVICE_USER_CODE_CONFIRMATION_REQUIRED`, and `OAUTH_DEVICE_COMPLETED` states are documented in the [Authentication API Explorer](pf_exploring_authentication_api.html) under the PingFederate Core adapter.