A pending RFC 8628 device authorization grant, keyed in the store by its
device_code and reachable for the browser approval step through a separate
user_code index.

Cap on how many times one grant’s user_code may be brought to the consent
step before it self-invalidates (RFC 8628 §5.1 per-code attempt cap / §5.4
possession limit), generous enough for a page reload.

RFC 8628 §6.1 base-20 alphabet: uppercase consonants only, so a user can
type the code without modifier keys and without forming words or hitting a
confusable digit.

user_code length. Ten base-20 characters is ~43 bits; combined with the
always-on per-IP throttle over the grant lifetime, that keeps a single
source well under the RFC 8628 §5.1 brute-force ceiling, while staying
short enough to type.
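
The alphabet and length choices above, worked through as an added example (not this project's own code): it generates a ten-character code, canonicalizes typed input before the user_code index lookup, and checks a guess budget against a ceiling. All function names are hypothetical, and the throttle rate, grant lifetime and the 2^-32 ceiling are assumed values, not taken from the page.

```python
import math
import secrets
from typing import Optional

# RFC 8628 §6.1 base-20 alphabet: uppercase consonants, no vowels or digits.
ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"
ALLOWED = frozenset(ALPHABET)
USER_CODE_LEN = 10  # length stated on the page


def new_user_code(length: int = USER_CODE_LEN) -> str:
    """Draw each character uniformly from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def normalize_user_code(typed: str) -> Optional[str]:
    """Canonicalize browser input: compare case-insensitively and ignore
    characters outside the alphabet (dashes, spaces). Returns None when the
    result is not a full-length code, so it never reaches the index."""
    kept = "".join(c.upper() for c in typed if c.upper() in ALLOWED)
    return kept if len(kept) == USER_CODE_LEN else None


def entropy_bits(length: int = USER_CODE_LEN) -> float:
    return length * math.log2(len(ALPHABET))


def guess_success_probability(guesses: int, live_codes: int = 1,
                              length: int = USER_CODE_LEN) -> float:
    """Upper bound on one source matching any of `live_codes` pending grants."""
    return min(1.0, guesses * live_codes / len(ALPHABET) ** length)


def within_ceiling(rate_per_min: int, lifetime_s: int, live_codes: int = 1,
                   ceiling: float = 2.0 ** -32) -> bool:
    """Assumed throttle model: a fixed per-IP rate sustained for the whole
    grant lifetime. The 2^-32 default ceiling is an assumption."""
    guesses = rate_per_min * lifetime_s // 60
    return guess_success_probability(guesses, live_codes) < ceiling


if __name__ == "__main__":
    code = new_user_code()
    print(code, f"{entropy_bits():.1f} bits")
    print(normalize_user_code(code[:5].lower() + "-" + code[5:]) == code)
    # Constructed throttle values: 10 tries/min per IP, 600 s grant lifetime.
    print(within_ceiling(rate_per_min=10, lifetime_s=600))
```

With the same constructed budget of 100 guesses, an eight-character code falls above the assumed ceiling, while ten characters leaves headroom for several grants pending at once.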