OAuth2 + Device Binding

Scenario: A user attempts to vibrate a connected device from a mobile app or web client.

The app includes a valid OAuth2 Bearer Token in the Authorization header:

    Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6...

Backend verifies:

- The access token is unexpired and properly signed
- The token includes a claim for the device UUID or session
- The user has permissions to control the specified device

Failsafe

If the device is already in an active session with another user, the API returns HTTP 403 with a session_conflict error.
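The three backend checks and the session-conflict failsafe above, as an added worked example (not the project's own code). It assumes an HS256 shared secret (the header fragment starts with an HS256 JWT header), claim names `sub`, `device` and `exp`, and in-memory tables for device permissions and active sessions; the helper that mints tokens stands in for the authorization server.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT; stands in for the authorization server (assumed claim layout)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_hs256(token: str, key: bytes, now: float) -> dict:
    """Check 1: signature valid and token unexpired. Returns claims or raises ValueError."""
    header, body, sig = token.split(".")          # wrong segment count -> ValueError
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")        # the token never chooses the algorithm
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    return claims

def authorize_vibrate(auth_header, device_id, key, permissions, active_sessions, now):
    """Backend decision for a vibrate command. Returns (http_status, response_body)."""
    if not auth_header.startswith("Bearer "):
        return 401, {"error": "invalid_token"}
    try:
        claims = verify_hs256(auth_header[len("Bearer "):], key, now)
    except ValueError as exc:
        return 401, {"error": "invalid_token", "detail": str(exc)}
    if claims.get("device") != device_id:              # check 2: token is bound to this device
        return 403, {"error": "device_mismatch"}
    user = claims.get("sub")
    if user not in permissions.get(device_id, set()):  # check 3: user may control the device
        return 403, {"error": "insufficient_permissions"}
    holder = active_sessions.get(device_id)            # failsafe: someone else holds the session
    if holder is not None and holder != user:
        return 403, {"error": "session_conflict"}
    return 200, {"status": "ok", "user": user, "device": device_id}
```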