The protocol described in the present document is intended for devices with limited input capabilities, such as hybrid radios, IP-connected set top boxes and Smart TVs, that can communicate with web services over HTTPS.

The protocol specifies two APIs:

• the API between a client device and an authorization provider by which a client obtains a bearer token;
• the API between a service provider and an authorization provider by which a service provider verifies an access token.

The present document gives an overview of the protocol (clause 4), covering the core concepts (clause 5) and roles (clause 6) used in CPA and how the device flow works (clause 7).

The CPA APIs are specified in the present document in clauses 8, Client/Authorization Provider API and clause 9, Service Provider/Authorization Provider API.

An informative annex A describes how service providers can tell clients that the option to authenticate using the CPA protocol is available, and how the bearer token obtained via CPA should be used to access protected resources. Although this clause is not normative, it is strongly recommended these conventions are followed where possible to maximize interoperability.