

[Smart device] Register

The device starts the registration process by sending some information about itself:

curl -X "POST" "http://IDP_HOST/register" \
     -H 'Content-Type: application/json' \
     -d $'{
  "software_id": "cpa-test-client",
  "software_version": "1.0.0",
  "client_name": "My test device"
}'

Should respond with a 'client_id' and a 'client_secret'.


[Smart device] Associate

The device now requests an association code:

curl -X "POST" "http://IDP_HOST/associate" \
     -H 'Content-Type: application/json' \
     -d $'{
  "client_id": "123",
  "client_secret": "12312312312312312312312312312312",
  "domain": ""
}'

Should respond with a code and a validation URI.


[Smart device] Polling

After the device has requested association, it starts polling the service while waiting for the user to complete the web validation:

curl -X "POST" "http://IDP_HOST/token" \
     -H 'Content-Type: application/json' \
     -H 'Cookie: identity.provider.sid=s%3AaD2HUH8GiRy1-IbJxuyNipRjjgD0qsZy.GsjSJ8w%2FMEiCtHLsDmWdpi566szp3ONEezi7WYkJfzA' \
     -d $'{
  "client_id": "123",
  "domain": "",
  "device_code": "12345678-1234-1234-1234-123456789abc",
  "client_secret": "12312312312312312312312312312312",
  "grant_type": ""
}'

The server should respond with authorization_pending as long as the user hasn't "verified" the device code.


[User browser] Verify device code

The user may go to the validation URL (see [Smart device] Associate) and validate the code (the user has to be logged in).

In the current sample, the URL is http://IDP_HOST/verify and the code is 1234567.

Another way is to create a URI for direct verification, e.g. for QR codes. Issue a GET request to the IDP and add user_code and redirect_uri as GET parameters, for example: http://IDP_HOST/verify?user_code=1234567&redirect_uri=/profile. This shows a verification screen without the need to type in the code, and redirects to the given URI after the user has accepted or declined the pairing request.

[Smart device] Obtain a bearer token

As soon as the user has validated the code, the polling request should return:

   "user_name":"John Doe"
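
The polling and token steps above as one client loop, in Python. This is an added example, not code from the original page or from the identity provider project. Assumptions: the pending answer is a JSON object carrying authorization_pending as one of its values, success is a 2xx status, and the interval and max_wait defaults are illustrative. The page does not show the token field name, so the function returns the whole final body.

```python
import json
import time
import urllib.request

TOKEN_URL = "http://IDP_HOST/token"  # placeholder host, as written on the page


def post_token(payload):
    """Default transport: POST the polling body, return (status, parsed JSON)."""
    req = urllib.request.Request(
        TOKEN_URL,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.load(resp)


def is_pending(body):
    # Assumption: the pending answer is a JSON object with "authorization_pending"
    # as one of its values; the page does not show the exact response shape.
    return isinstance(body, dict) and "authorization_pending" in body.values()


def poll_for_token(payload, send=post_token, interval=5.0, max_wait=600.0,
                   sleep=time.sleep, clock=time.monotonic):
    """Poll until the user verifies the code, the server refuses, or max_wait passes.

    interval and max_wait are assumed defaults. Returns the final JSON body;
    raises TimeoutError (never verified) or PermissionError (refused).
    """
    deadline = clock() + max_wait
    while True:
        status, body = send(payload)
        if is_pending(body):
            if clock() + interval > deadline:
                raise TimeoutError("device code was not verified in time")
            sleep(interval)
            continue
        if not 200 <= status < 300:
            # Stop on any refusal instead of retrying; report the status only,
            # so client_secret and token values never reach logs.
            raise PermissionError(f"token request refused (HTTP {status})")
        return body
```

The send, sleep and clock parameters are injectable so the loop can be exercised without a live IDP.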

Accessing a secured service

GET History

The user can access the authenticated history or playlist APIs. These APIs support several Authorization: Bearer <token> modes (OAuth token or cpa token), so the user has to provide an additional header to tell the API to check the token against cpa: Token-Type: cpa

curl "http://HISTORY_API_HOST_/historyapi" \
     -H 'Authorization: Bearer 123456789abcdef123456789abcdef12' \
     -H 'Token-Type: cpa'

Should respond with some history data: