Is the Authorization Token Safe?

To use the Samsung SmartThings API, developers have to get an authorization token from Samsung.

And the token looks like a UUID token.

I think that, because the token does not have a time limit, if the token is taken over, a hacker can send abusive command messages to the device.

How does Samsung ensure security against these issues?

They give you big red ‘Delete’ buttons on the site where you created the token. I find that adequate.

But isn’t it already too late when the tokens are stolen?

Is there any meaning in pressing the delete button?

Yes, the token gets deleted and stops working immediately.

It isn’t a self-contained token. It gets looked up server side.

I’m curious why the Samsung SmartThings API doesn’t use the accessToken/refreshToken system.
Why use only an accessToken without a token expireTime?

Access tokens in SmartThings apps are either temporary (five minutes) or last 24 hours and can be refreshed.

For testing and scripts the longer lasting tokens are a much better idea. You just need to look after them.
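The difference between a token that "gets looked up server side" and a self-contained one, and the effect of the five-minute and 24-hour lifetimes mentioned above, can be seen in a small model. This is an added example, not part of the original thread and not SmartThings code; the class and function names, the hashed storage, and the HMAC-signed format used for contrast are all assumptions.

```python
import base64, hashlib, hmac, json, secrets, uuid

class OpaqueTokenStore:
    """Tokens are random identifiers; all state lives on the server."""
    def __init__(self):
        self._records = {}  # sha256(token) -> {"owner", "expires"}

    @staticmethod
    def _key(token):
        # Assumption: store only a hash so a leaked table holds no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, owner, now, ttl=None):
        token = str(uuid.uuid4())  # random UUID, carries no claims
        expires = None if ttl is None else now + ttl
        self._records[self._key(token)] = {"owner": owner, "expires": expires}
        return token

    def validate(self, token, now):
        rec = self._records.get(self._key(token))
        if rec is None or (rec["expires"] is not None and now >= rec["expires"]):
            return None
        return rec["owner"]

    def revoke(self, token):
        # The "Delete" button: the very next lookup fails.
        return self._records.pop(self._key(token), None) is not None

SIGNING_KEY = secrets.token_bytes(32)  # constructed key for the contrast case

def issue_signed(owner, now, ttl):
    claims = json.dumps({"owner": owner, "exp": now + ttl}).encode()
    body = base64.urlsafe_b64encode(claims).decode()
    return body + "." + hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()

def validate_signed(token, now):
    # Verified from the token alone: there is no server-side record to delete,
    # so a stolen token keeps working until "exp" unless a denylist is added.
    body, _, sig = token.rpartition(".")
    good = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), good.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims["owner"] if now < claims["exp"] else None
```

With the opaque store, a non-expiring token is only as dangerous as the time between theft and deletion; with the signed format, the lifetime itself is the only bound.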

