diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c4f6f68..146f9f2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,7 +18,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go: ['1.21', '1.22', '1.23']
+        go: ['1.23', '1.24']
     name: Go ${{ matrix.go }} test
     steps:
       - uses: actions/checkout@v4
diff --git a/README.md b/README.md
index 04d551f..bc346f5 100644
--- a/README.md
+++ b/README.md
@@ -156,10 +156,9 @@ Versions that also build are marked with :warning:.
 
 | Version | Supported          |
 | ------- | ------------------ |
-| <1.21   | :x:                |
-| 1.21    | :warning:          |
-| 1.22    | :white_check_mark: |
+| <1.23   | :x:                |
 | 1.23    | :white_check_mark: |
+| 1.24    | :white_check_mark: |
 
 ## Why another library
 
diff --git a/go.mod b/go.mod
index 70ace65..d92ef02 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/zitadel/oidc/v3
 
-go 1.21
+go 1.23.7
 
 require (
 	github.com/bmatcuk/doublestar/v4 v4.8.1
diff --git a/pkg/op/device.go b/pkg/op/device.go
index 8a0e174..b7290cd 100644
--- a/pkg/op/device.go
+++ b/pkg/op/device.go
@@ -91,10 +91,7 @@ func createDeviceAuthorization(ctx context.Context, req *oidc.DeviceAuthorizatio
 	}
 	config := o.DeviceAuthorization()
 
-	deviceCode, err := NewDeviceCode(RecommendedDeviceCodeBytes)
-	if err != nil {
-		return nil, NewStatusError(err, http.StatusInternalServerError)
-	}
+	deviceCode, _ := NewDeviceCode(RecommendedDeviceCodeBytes)
 	userCode, err := NewUserCode([]rune(config.UserCode.CharSet), config.UserCode.CharAmount, config.UserCode.DashInterval)
 	if err != nil {
 		return nil, NewStatusError(err, http.StatusInternalServerError)
@@ -163,11 +160,14 @@ func ParseDeviceCodeRequest(r *http.Request, o OpenIDProvider) (*oidc.DeviceAuth
 // results in a 22 character base64 encoded string.
 const RecommendedDeviceCodeBytes = 16
 
+// NewDeviceCode generates a new cryptographically secure device code as a base64 encoded string.
+// The length of the string is nBytes * 4 / 3.
+// An error is never returned.
+//
+// TODO(v4): change return type to string alone.
 func NewDeviceCode(nBytes int) (string, error) {
 	bytes := make([]byte, nBytes)
-	if _, err := rand.Read(bytes); err != nil {
-		return "", fmt.Errorf("%w getting entropy for device code", err)
-	}
+	rand.Read(bytes)
 	return base64.RawURLEncoding.EncodeToString(bytes), nil
 }
 
diff --git a/pkg/op/device_test.go b/pkg/op/device_test.go
index 570b943..5fd9c9b 100644
--- a/pkg/op/device_test.go
+++ b/pkg/op/device_test.go
@@ -145,21 +145,11 @@ func runWithRandReader(r io.Reader, f func()) {
 }
 
 func TestNewDeviceCode(t *testing.T) {
-	t.Run("reader error", func(t *testing.T) {
-		runWithRandReader(errReader{}, func() {
-			_, err := op.NewDeviceCode(16)
-			require.Error(t, err)
-		})
-	})
-
-	t.Run("different lengths, rand reader", func(t *testing.T) {
-		for i := 1; i <= 32; i++ {
-			got, err := op.NewDeviceCode(i)
-			require.NoError(t, err)
-			assert.Len(t, got, base64.RawURLEncoding.EncodedLen(i))
-		}
-	})
-
+	for i := 1; i <= 32; i++ {
+		got, err := op.NewDeviceCode(i)
+		require.NoError(t, err)
+		assert.Len(t, got, base64.RawURLEncoding.EncodedLen(i))
+	}
 }
 
 func TestNewUserCode(t *testing.T) {