Knowledge · May 19, 2026 · 2 min read

OAuth Device Flow — CLI Agent Login Checklist

OAuth device flow checklist for CLI and agent login. Covers user codes, polling intervals, token storage, logs, and security boundaries.

Agent ready

This asset can be read and installed directly by agents

TokRepo exposes a universal CLI command, install contract, metadata JSON, adapter-aware plan, and raw content links so agents can judge fit, risk, and next actions.

Stage only · 31/100
Agent surface: Any MCP/CLI agent
Kind: CLI Tool
Install: Single
Trust: Verified publisher
Entrypoint: README.md

Universal CLI install command:
npx tokrepo install 09df47ef-5671-473a-b2d4-7f1037a43ca6

Implementation Checks

Verify these fields and behaviors:

Check              Expected behavior
device_code        Secret to the CLI: sent only to the token endpoint, never shown to the user, never logged.
user_code          Short enough to type by hand (the RFC 8628 example is 8 characters plus a separator) and expires together with the device_code after expires_in seconds.
verification_uri   HTTPS page controlled by the authorization server; show it to the user verbatim rather than rewriting or shortening it.
interval           CLI waits at least interval seconds between polls and adds 5 seconds after each slow_down response (RFC 8628 section 3.5).
Expiry             CLI stops polling once expires_in has elapsed or the server returns expired_token, and tells the user to start the login again.
Storage            Token file created with owner-only permissions (0600) or stored in the OS keychain; never world-readable and never inside the project directory.

Security Boundaries

  • Do not log access tokens, refresh tokens, or device codes; redact them before any response body or header reaches a log line.
  • Do not store tokens in the repository or in any file the agent might commit.
  • Do not print full bearer headers in debug output; mask the token value and keep only the scheme.
  • Do not ask an LLM agent to operate the user's browser session unless the user explicitly authorizes it; the user enters the user_code at the verification_uri themselves.
  • Prefer short-lived access tokens and rotate refresh tokens when the provider supports it.
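The rows in the Implementation Checks table and the logging rules above are easiest to check as code. The following Python is an added example written for this page, not TokRepo's or any provider's client code: it validates a device authorization response, runs the polling loop with authorization_pending, slow_down and expiry handling, writes the token to a 0600 file, and redacts secrets before anything reaches debug output. The client_id, the sample response values, the 12-character user_code bound, and the fake token endpoint and clock are constructed for illustration; a real CLI replaces `post` with an HTTPS request to the provider's token endpoint.

```python
import json
import os
import re
import time

CLIENT_ID = "example-cli"  # assumed client_id; the real value is not on the page
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"
SECRET_FIELDS = ("access_token", "refresh_token", "id_token", "device_code")
BEARER_RE = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._~+/=-]+")
# Constructed device authorization response (RFC 8628 section 3.2 field names).
SAMPLE_DEVICE_RESPONSE = {"device_code": "GmRhmhcxhwAzkoEqiMEg_DnyEysNkuNhszIySk9eS",
                          "user_code": "WDJB-MJHT", "interval": 5, "expires_in": 1800,
                          "verification_uri": "https://example.com/device"}

class DeviceFlowError(Exception):
    pass

def validate_device_response(resp):
    """Checklist rows: required fields, HTTPS verification_uri, typeable user_code."""
    if not all(k in resp for k in ("device_code", "user_code", "verification_uri", "expires_in")):
        raise DeviceFlowError("device authorization response is missing a required field")
    if not resp["verification_uri"].startswith("https://"):
        raise DeviceFlowError("verification_uri must be HTTPS")
    if len(resp["user_code"]) > 12:  # 12 is an assumed upper bound for hand entry
        raise DeviceFlowError("user_code too long to type")
    return True

def poll_for_token(post, device_resp, now=time.monotonic, sleep=time.sleep):
    """RFC 8628 section 3.4/3.5 loop; post(params) -> (status, body) wraps the HTTP call."""
    interval = max(int(device_resp.get("interval", 5)), 1)
    deadline = now() + int(device_resp["expires_in"])
    params = {"grant_type": GRANT_TYPE, "client_id": CLIENT_ID,
              "device_code": device_resp["device_code"]}
    while True:
        sleep(interval)  # never poll faster than the server asked
        if now() >= deadline:
            raise DeviceFlowError("device code expired; restart the login")
        status, body = post(params)
        if status == 200 and "access_token" in body:
            return body
        err = body.get("error")
        if err == "authorization_pending":
            continue
        if err == "slow_down":
            interval += 5  # section 3.5: add 5 s for this and every later poll
            continue
        if err in ("access_denied", "expired_token"):
            raise DeviceFlowError(err)
        raise DeviceFlowError(f"unexpected token response: {redact(body)}")

def store_token(path, token):
    """Create the file 0600 via os.open (plain open() only honours umask), then replace atomically."""
    tmp = f"{path}.tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(token, fh)
    os.chmod(tmp, 0o600)  # os.open's mode is not applied if tmp already existed
    os.replace(tmp, path)
    return os.stat(path).st_mode & 0o777

def redact(value):
    """Copy of a response, header or log line with secrets masked for debug output."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k in SECRET_FIELDS else redact(v)
                for k, v in value.items()}
    if isinstance(value, str):
        return BEARER_RE.sub(r"\1[REDACTED]", value)
    return value

class FakeClock:
    """Constructed clock: sleep() advances time instead of blocking."""
    def __init__(self):
        self.t, self.sleeps = 0.0, []
    def now(self):
        return self.t
    def sleep(self, s):
        self.sleeps.append(s)
        self.t += s

def make_fake_endpoint(responses):
    """Constructed token endpoint: returns scripted (status, body) replies in order."""
    queue, calls = list(responses), []
    def post(params):
        calls.append(dict(params))
        return queue.pop(0)
    return post, calls

def demo():
    """Pending, slow_down, pending, then success; returns (token, sleeps, calls)."""
    clock = FakeClock()
    post, calls = make_fake_endpoint([
        (400, {"error": "authorization_pending"}), (400, {"error": "slow_down"}),
        (400, {"error": "authorization_pending"}),
        (200, {"access_token": "at-constructed", "token_type": "Bearer",
               "refresh_token": "rt-constructed"})])
    validate_device_response(SAMPLE_DEVICE_RESPONSE)
    token = poll_for_token(post, SAMPLE_DEVICE_RESPONSE, clock.now, clock.sleep)
    return token, clock.sleeps, calls
```

Running `demo()` shows the sleeps go 5, 5, 10, 10: the slow_down reply raises the interval for every later poll, not just the next one. The same loop, given a device response with a short expires_in and an endpoint that never approves, raises after the deadline instead of polling forever, and an access_denied reply stops it immediately. Anything printed at debug level should pass through `redact` first; note that it masks the value of an Authorization: Bearer header inside free text as well as the secret fields of a JSON body.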

Agent Review Prompt

Review this CLI OAuth device flow. Check polling interval handling, token storage,
error states, terminal output, and whether any secret can appear in logs,
shell history, repository files, or agent transcripts.

Source & Thanks

This is an original TokRepo checklist by William Wang. It is based on the OAuth 2.0 Device Authorization Grant (RFC 8628) and general OAuth security guidance from the IETF OAuth working group.
