Say I want to make an access control SmartApp for all the devices in the home, so nobody can send commands unless it’s specified in the access control. Ignoring the authentication aspect of this scenario, how would one go about building the SmartApp?
What jkp is mentioning above is that you don’t give them direct access to SmartThings. You use one of the web panel applications he linked to and only send them the URL for those panels.