---
title: /oauth2/device/user
description: This is the Device authorization grant endpoint for user interaction.
component: pingoneaic
page_id: pingoneaic:am-oauth2:rest-api-oauth2-device-user
canonical_url: https://docs.pingidentity.com/pingoneaic/am-oauth2/rest-api-oauth2-device-user.html
keywords: ["OAuth 2.0", "API Explorer", "Endpoints", "PKCE"]
page_aliases: ["oauth2-guide:rest-api-oauth2-device-user.adoc"]
---

# /oauth2/device/user

This is the [Device authorization grant](oauth2-device-flow.html) endpoint for user interaction.

Client devices use this endpoint to confirm the resource owner's consent in the following flows:

* Device flow ([OAuth 2.0](oauth2-device-flow.html))

* Device flow with PKCE ([OAuth 2.0](oauth2-device-flow-pkce.html))

Specify the realm in the request URL; for example:

```none
https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/device/user
```

The device user endpoint supports the following parameters:

| Parameter      | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Required                                                                  |
| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------- |
| `csrf`         | The SSO token string linking the request to the user session to protect against Cross-Site Request Forgery attacks.                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Yes, when gathering consent without a remote consent service              |
| `decision`     | Whether the resource owner consents to the requested access.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Yes, when gathering consent unless consent is already saved for the scope |
| `save_consent` | Whether to store a resource owner's consented scopes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | No                                                                        |
| `scope`        | The scopes linked to the permissions requested by the client from the resource owner.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | No                                                                        |
| `user_code`    | The user code confirmed by the resource owner. The endpoint checks for the `user_code` on the initial request and uses it to retrieve the associated device code to determine if any ACRs were requested. If ACRs were requested, the user authenticates through the specified authentication journey. If a user accesses the endpoint without supplying a `user_code`, the user authenticates through the default authentication journey. If that journey doesn't match the ACRs required by the device request, the user is prompted to reauthenticate after entering the code. | Yes                                                                       |
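
The following added example (not taken from the product documentation) assembles the consent request for this endpoint from the parameters in the table, applying the "Required" rules before anything is sent. It assumes a form-encoded POST, a session cookie whose name the caller supplies, and `allow` as the decision value; the function name, host, and token values are hypothetical.

```python
from urllib.parse import urlencode
from urllib.request import Request


def build_device_consent_request(fqdn, user_code, sso_token, decision=None, *,
                                 cookie_name, realm="alpha", scope=None,
                                 save_consent=None, remote_consent=False,
                                 consent_saved=False):
    """Build (but do not send) the consent request for /oauth2/device/user."""
    if not user_code:
        raise ValueError("user_code is required")
    if not sso_token:
        raise ValueError("an authenticated user session is required")

    form = {"user_code": user_code}
    # csrf is the SSO token string that ties the request to the user session.
    # It is required when consent is gathered without a remote consent service.
    if not remote_consent:
        form["csrf"] = sso_token
    # decision is required unless consent is already saved for the scope.
    if decision is not None:
        form["decision"] = decision
    elif not consent_saved:
        raise ValueError("decision is required when no consent is saved")
    # Optional parameters are passed through only when the caller sets them.
    if scope is not None:
        form["scope"] = scope
    if save_consent is not None:
        form["save_consent"] = save_consent

    url = f"https://{fqdn}/am/oauth2/realms/root/realms/{realm}/device/user"
    headers = {
        # Assumption: the session is presented as a cookie; its name is
        # deployment-specific, so the caller must pass it in.
        "Cookie": f"{cookie_name}={sso_token}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return Request(url, data=urlencode(form).encode("ascii"),
                   headers=headers, method="POST")


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real tenant.
    req = build_device_consent_request(
        "tenant.example.com", "ABCD1234", "constructed-sso-token", "allow",
        cookie_name="constructed-cookie-name")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Because the `csrf` value must match the session token sent with the request, a consent submission that arrives without the user's own token fails the check.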
