POST /settings/oauth/:provider/device/poll — exchange the pending device code for a token (the FE polls this at the GitHub-dictated interval until connected).
const url = 'https://example.com/api/settings/oauth/example/device/poll';const options = { method: 'POST', headers: { cookie: 'supacloud_session=<supacloud_session>', 'Content-Type': 'application/json' }, body: '{"state":"example"}'};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request POST \ --url https://example.com/api/settings/oauth/example/device/poll \ --header 'Content-Type: application/json' \ --cookie supacloud_session=<supacloud_session> \ --data '{ "state": "example" }'Authorizations
Section titled “Authorizations”Parameters
Section titled “Parameters”Path Parameters
Section titled “Path Parameters”Device-code OAuth provider name (copilot)
Request Bodyrequired
Section titled “Request Bodyrequired”object
The opaque handle returned by device/start.
Examplegenerated
{ "state": "example"}Responses
Section titled “Responses”Poll outcome: pending / slow_down / connected (with the connection status)
The poll outcome: pending (keep polling at the interval), slow_down (back off),
or connected (the connection status is set and the flow is complete).
object
object
Number of consecutive proactive-refresh failures since the last successful refresh. Frontend uses this to drive the warning state.
#532 (A5) — the underlying agent_oauth_tokens.id, present whenever the status
is backed by a stored token (the /settings/oauth list + per-provider status).
It is the credential id the system-LLM-credential selector pins an oauth_token
by; absent (None) on a freshly-connected/exchanged/disconnected status whose
row id is not in hand.
Last successful or failed proactive refresh attempt timestamp.
Set when the keepalive job has emitted a one-shot expiry notification. Cleared by a subsequent successful refresh.
Examplegenerated
{ "connection": { "account_email": "example", "connected": true, "consecutive_refresh_failures": 1, "expires_at": "2026-04-15T12:00:00Z", "id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0", "last_refresh_attempt_at": "2026-04-15T12:00:00Z", "notified_expiry_at": "2026-04-15T12:00:00Z", "organization_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0", "provider": "example", "workspace_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0" }, "status": "example"}Structured client error
The canonical JSON body of every error response — the single source of truth
the frontend binds to. Every AppError serializes as this exact shape, and
the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is
what the frontend error schema is generated from, so there is no hand-written
error schema on either end.
object
Machine-readable, stable error code.
Present only on a quota-exceeded 403 — the inline upgrade-CTA payload.
object
The entitlement feature key that was hit, e.g. apps.max_count.
The plan’s limit for this key.
Where to send the user to upgrade.
Current usage (count or bytes, per the key).
Human-readable message (the server’s English text; the client may localize
by code).
Example
{ "code": "not_found"}Authentication required
The canonical JSON body of every error response — the single source of truth
the frontend binds to. Every AppError serializes as this exact shape, and
the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is
what the frontend error schema is generated from, so there is no hand-written
error schema on either end.
object
Machine-readable, stable error code.
Present only on a quota-exceeded 403 — the inline upgrade-CTA payload.
object
The entitlement feature key that was hit, e.g. apps.max_count.
The plan’s limit for this key.
Where to send the user to upgrade.
Current usage (count or bytes, per the key).
Human-readable message (the server’s English text; the client may localize
by code).
Example
{ "code": "not_found"}Permission denied
The canonical JSON body of every error response — the single source of truth
the frontend binds to. Every AppError serializes as this exact shape, and
the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is
what the frontend error schema is generated from, so there is no hand-written
error schema on either end.
object
Machine-readable, stable error code.
Present only on a quota-exceeded 403 — the inline upgrade-CTA payload.
object
The entitlement feature key that was hit, e.g. apps.max_count.
The plan’s limit for this key.
Where to send the user to upgrade.
Current usage (count or bytes, per the key).
Human-readable message (the server’s English text; the client may localize
by code).
Example
{ "code": "not_found"}Structured server error
The canonical JSON body of every error response — the single source of truth
the frontend binds to. Every AppError serializes as this exact shape, and
the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is
what the frontend error schema is generated from, so there is no hand-written
error schema on either end.
object
Machine-readable, stable error code.
Present only on a quota-exceeded 403 — the inline upgrade-CTA payload.
object
The entitlement feature key that was hit, e.g. apps.max_count.
The plan’s limit for this key.
Where to send the user to upgrade.
Current usage (count or bytes, per the key).
Human-readable message (the server’s English text; the client may localize
by code).
Example
{ "code": "not_found"}