Authenticate with CipherStash services using the OAuth 2.0 Device Authorization Grant.

This crate implements the device code flow, which lets CLI tools and other browserless applications obtain an access token by having the user authorize in a browser on another device.

Usage

use stack_auth::DeviceCodeStrategy;
use cts_common::Region;

# async fn run() -> Result<(), Box<dyn std::error::Error>> {
// 1. Create a strategy for your region and client ID
let region = Region::aws("ap-southeast-2")?;
let strategy = DeviceCodeStrategy::new(region, "my-client-id")?;

// 2. Begin the device code flow
let pending = strategy.begin().await?;

// 3. Show the user their code and where to enter it
println!("Go to: {}", pending.verification_uri_complete());
println!("Code:  {}", pending.user_code());

// Or open the browser directly:
pending.open_in_browser();

// 4. Poll until the user authorizes (or the code expires)
let token = pending.poll_for_token().await?;

// 5. Use the access token to call CipherStash APIs
println!("Authenticated! Token expires in {}s", token.expires_in());
# Ok(())
# }

Security

Sensitive values ([SecretToken]) are automatically zeroized when dropped and are masked in Debug output to prevent accidental leaks in logs.