# `AttestoPhoenix.Controller.DeviceAuthorizationController`
[🔗](https://github.com/XukuLLC/attesto_phoenix/blob/v0.19.1/lib/attesto_phoenix/controller/device_authorization_controller.ex#L1)

OAuth 2.0 Device Authorization Endpoint (RFC 8628 §3.1).

Handles `POST /oauth/device_authorization`. This module owns the HTTP framing
only: it resolves the host `%AttestoPhoenix.Config{}`, applies no-store cache
headers, authenticates the client (RFC 6749 §2.3 — public clients are admitted,
since a browserless device with no secret is the point of the grant), lifts the
request and the DPoP facts into a plain
`AttestoPhoenix.AuthorizationServer.DeviceAuthorization.Request`, calls the
conn-free core, and renders the RFC 8628 §3.2 JSON response (or an RFC 6749 §5.2
error). Every grant/binding decision lives in the core.

The endpoint is served only when the host enables the grant
(`device_authorization: [enabled: true]`); otherwise it responds with an
`invalid_request` error. When the grant is disabled, the route should not be
mounted at all.
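
A host application can check the wire contract described above (no-store caching, the RFC 8628 §3.2 success body, the RFC 6749 §5.2 error body) in its own integration tests. The module below is an added example, not code from attesto_phoenix: `DeviceAuthzResponseCheck` and its function names are hypothetical, the sample values are constructed, and it assumes the no-store header appears on error responses as well as successes.

```elixir
# Added example: hypothetical module, not part of attesto_phoenix.
defmodule DeviceAuthzResponseCheck do
  @required_strings ~w(device_code user_code verification_uri)

  @doc "headers: list of {name, value}; body: the already-decoded JSON map."
  def check(status, headers, body) when is_map(body) do
    case cache_problems(headers) ++ body_problems(status, body) do
      [] -> :ok
      problems -> {:error, problems}
    end
  end

  # Assumption: no-store is expected on success and error responses alike.
  defp cache_problems(headers) do
    directives =
      for {name, value} <- headers,
          String.downcase(name) == "cache-control",
          directive <- String.split(value, ","),
          do: directive |> String.trim() |> String.downcase()
    if "no-store" in directives, do: [], else: ["Cache-Control lacks no-store"]
  end

  # RFC 8628 §3.2: three required strings, required expires_in, optional interval.
  defp body_problems(200, body) do
    strings =
      for key <- @required_strings, not non_empty?(body[key]), do: "#{key}: required string"
    ints =
      for {key, required?} <- [{"expires_in", true}, {"interval", false}],
          bad_seconds?(body[key], required?),
          do: "#{key}: expected a positive integer"
    strings ++ ints
  end

  # RFC 6749 §5.2: an error response must carry an "error" code.
  defp body_problems(status, body) when status in [400, 401] do
    if non_empty?(body["error"]), do: [], else: ["error: required string"]
  end

  defp body_problems(status, _body), do: ["unexpected HTTP status #{status}"]
  defp non_empty?(value), do: is_binary(value) and value != ""
  defp bad_seconds?(nil, required?), do: required?
  defp bad_seconds?(value, _required?), do: not (is_integer(value) and value > 0)
end

# Constructed sample responses (all values are placeholders).
ok = %{"device_code" => "dc-placeholder", "user_code" => "ABCD-EFGH",
       "verification_uri" => "https://as.example/device", "expires_in" => 600}
IO.inspect(DeviceAuthzResponseCheck.check(200, [{"cache-control", "no-store"}], ok))
IO.inspect(DeviceAuthzResponseCheck.check(400, [], %{"error" => "invalid_request"}))
IO.inspect(DeviceAuthzResponseCheck.check(200, [{"cache-control", "no-store"}], Map.delete(ok, "expires_in")))
```

When `interval` is absent from a valid response, RFC 8628 §3.2 has the client poll at the default of 5 seconds, which is why the check treats that field as optional.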

# `create`

```elixir
@spec create(Plug.Conn.t(), map()) :: Plug.Conn.t()
```

