As part of SmartThings’ ongoing work to improve our platform and deliver a high-performing and secure smart home experience for our users, we’re making some changes to how personal access tokens (PATs) work.
PATs were originally intended as a way to test and evaluate new integrations and SmartApps on the SmartThings platform. Since SmartThings provided an easy way to generate PATs over 10 years ago, they’ve been used extensively by our developer community to create and share new devices and unique integrations.
Unfortunately, their very nature (easy to generate, very wide scopes/permissions, and basically anonymous) have also become a problem over the years. The use of PATs for long-lived integrations was never their intent and presents a problem for how we manage the platform going forward. They’re a security risk due to the lack of scope restrictions. They’re incredibly opaque - we can’t really tell who’s using them or how, making management of our architecture and development of new features a challenge. There are also better ways to integrate with SmartThings, such as the widely used OAuth2 standard, which provides a much better authentication structure and flow with appropriate scope restrictions.
Starting at the end of December, we’re going to make some proactive changes to how PATs are issued to get back to their original intended uses - for testing, development, and evaluation of the SmartThings platform. As of 30 Dec, we will start restricting the TTL (time to live) of newly issued PATs to 24hrs. We will also lower the rate limits on the /devices endpoint for newly issued PATs. Both of these changes are intended to improve the security of the platform and give us better control over ingress routes to prevent disruption to the whole platform from potential accidental or intentional bad actors.
Two important things to note:
-
These changes only impact newly issued PATs. As of now we’re not making any changes to existing PATs. We know that of the 40k or so PATs in active use, a number of those are being used for critical integrations for users’ locations such as the 20k or so being used for HomeAssistant. We don’t want to break that functionality and before we would consider making any changes to existing PATs, we’d want to have a paved path to keep our users’ locations functioning reliably.
-
If you have an integration that requires generating new PATs for ongoing access, we’d encourage you to refactor that to use an OAuth flow so that it doesn’t rely on issuing new PATs to work in the future.
We’ve tried to design these changes in a way that safeguards the platform but also respects the existing use cases we know about (primarily ones like HomeAssistant, InfluxDB, and development via the CLI). Since the use of PATs is highly opaque to us though, we’d really appreciate discussion from our users on other uses of existing PATs so that we’re aware of those going forward.