nayelyz
(SmartThings Developer Support)
June 2, 2026, 10:43pm
6
Yes, this was applied in December 2024. Here’s the announcement about it:
As part of SmartThings’ ongoing work to improve our platform and deliver a high-performing and secure smart home experience for our users, we’re making some changes to how personal access tokens (PATs) work.
PATs were originally intended as a way to test and evaluate new integrations and SmartApps on the SmartThings platform. Since SmartThings provided an easy way to generate PATs over 10 years ago, they’ve been used extensively by our developer community to create and share new devices and unique integrations.
Unfortunately, their very nature (easy to generate, very wide scopes/permissions, and basically anonymous) has also become a problem over the years. The use of PATs for long-lived integrations was never their intent and presents a problem for how we manage the platform going forw…
Pravin81:
Is there a supported long-term authentication method for personal automations that does not require manually generating a new token every day?
Not for now; the only way to bypass the manual generation is by using the API_ONLY app and the OAuth flow where you can schedule a request to refresh the token.
Here I’ll share some steps that we provide when working with OAuth Integrations:
The option to create OAuth integrations cannot be found in the Developer Workspace.
You need to use the SmartThings CLI to create this type of app
Command:
smartthings apps:create
----> The type you need to select is “OAuth-In App”.
----> Target URL is the link where you want to receive the subscription events.
----> These scopes are the permissions whitelisted from your app; if you use a scope in the “authorize URL” that is not included in your app’s scopes, you’ll get an error.
----> Add a redirect URI because that’s where you’ll receive the authorization code once the user authorizes access to your app.
You can also use the JSON in this sample as the input for the command.
GitHub - SmartThingsCommunity/api-app-subscription-example-js: Example API Access SmartApp that shows the state and allows control of devices
Then, you need to start the OAuth 2.0 process, which consists of:
Show the authorization page to the user by using this URL:
https://api.smartthings.com/oauth/authorize?client_id=clientId_from_app&response_type=code&redirect_uri=redirect_uri_from_app&scope=scopes_from_whitelisted_inApp
Once the user authorizes access to your app, it’ll redirect you to the “Redirect URI” you configured with the Authorization Code.
You’ll exchange this code for an Access Token. This is an example of that request:
curl -X POST "https://api.smartthings.com/oauth/token" -u "clientId_from_app":"clientSecret_from_app" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=authorization_code&client_id=clientId_from_app&code=codeReceived&redirect_uri=redirect_uri_from_app"
The Access Token you get expires in 24 hours.
The Refresh Token expires in 29 days if not used. We suggest you refresh the token before this time; otherwise, you’ll lose the Refresh Token and the user will need to re-authorize.
NOTE: Remember the OAuth integration has a limit of 500 installations by default. Each time a user authorizes access to one of his/her locations, it will count as 1 installation. This means, if a user has 3 locations and authorizes access to each of them, he/she will use 3 installations.
To refresh the Access Token, you need to use the same endpoint but the grant_type is different, here’s an example about this:
curl -X POST "https://api.smartthings.com/oauth/token" -u "clientId_from_app":"clientSecret_from_app" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=refresh_token&client_id=clientId_from_app&refresh_token=latest_refresh_token"
Subscriptions in API_ONLY apps
Registering a targetURL isn’t mandatory in this type of application, but if you want to create subscriptions using its installedAppId, you need to include a value for it.
Note: If you have already created your API_ONLY app but didn’t register a value for it, take a look at this post to know how you must update your app to do so: SmartThings CLI apps:update Type Error (reading ‘url’)
Once you have finished creating the app, you will receive a POST request with a confirmation URL, which you need to copy and paste into your browser or make a GET request using it. This is to “verify” the app so it can receive requests with the subscription events.
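Added example, not part of the original post and not SmartThings' own code: a scheduled refresh job built around the refresh_token request above, which refreshes before the 24-hour expiry, detects the 29-day lapse, and stores the token pair atomically with owner-only permissions. Assumptions: the token response uses the standard OAuth 2.0 field names (access_token, refresh_token, expires_in); the `obtained_at` field, the file layout and all function names are hypothetical.

```python
import base64, json, os, tempfile, time
from urllib import parse, request

TOKEN_URL = "https://api.smartthings.com/oauth/token"  # endpoint from the post
ACCESS_TTL = 24 * 3600        # access token lifetime stated in the post
REFRESH_TTL = 29 * 24 * 3600  # refresh token lifetime if unused, per the post

def needs_refresh(state, now, margin=3600):
    """True when the access token is within `margin` seconds of expiry."""
    return now >= state["obtained_at"] + state.get("expires_in", ACCESS_TTL) - margin

def refresh_token_dead(state, now):
    """True when the refresh token sat unused for 29 days: re-authorization needed."""
    return now >= state["obtained_at"] + REFRESH_TTL

def build_refresh_request(client_id, client_secret, refresh_token):
    """Same request as the curl example: Basic auth plus a form-encoded body."""
    body = parse.urlencode({"grant_type": "refresh_token", "client_id": client_id,
                            "refresh_token": refresh_token}).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return request.Request(TOKEN_URL, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded"})

def save_state(path, state):
    """Persist the token pair atomically; mkstemp creates the file with mode 0600."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as f:
        json.dump(state, f)
    os.replace(tmp, path)  # a crash never leaves a half-written token file
    return state

def refresh_if_needed(path, client_id, client_secret, now=None, send=None):
    """Entry point for a scheduler (e.g. hourly). `send` is injectable for tests."""
    now = time.time() if now is None else now
    with open(path) as f:
        state = json.load(f)
    if refresh_token_dead(state, now):
        raise RuntimeError("refresh token expired; user must re-authorize")
    if not needs_refresh(state, now):
        return state
    send = send or (lambda req: json.load(request.urlopen(req, timeout=10)))
    req = build_refresh_request(client_id, client_secret, state["refresh_token"])
    # Merge so the stored refresh token is replaced by the latest one returned.
    return save_state(path, {**state, **send(req), "obtained_at": now})
```

Keep the client secret out of the script itself (for example, read it from an environment variable or a secrets store) and keep the token file outside any shared or version-controlled directory.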