Echo Speaks - Heroku capturing Amazon account Credentials?

Been on the fence about enabling Echo Speaks on my ST setup. I do use Alexa with Virtual Switches and even have an R1 which I can use natively.

The only thing is, I’m reluctant to use Echo Speaks as the Heroku site proxies the connection to Amazon. During this setup the Heroku website actually gains access to our Amazon credentials. That’s a security concern.

Should I not be worried about this?

Post your question on the Echo Speaks thread
https://community.smartthings.com/t/release-echo-speaks-v3-actions/173073

I’m sure Anthony will be able to answer your question.

BTW, I enabled two-factor auth on my Amazon account just to prevent compromise on this kind of thing. It prevents bad actors from transporting my creds off of my Heroku instance, if they can even get them; I’m pretty sure Heroku only has a login token. But better security is not a bad thing.

2 Likes

Nice! Just enabled my two-step verification.
(Forgot about that option) :+1:

One of the nice things about Heroku instances is that memory is cleared as soon as it goes to sleep. So every time it wakes it’s just like a brand new install and has to get the info from ST.

1 Like

Not at all. It’s only used once to get your cookie and then it’s no longer used until the cookie needs to be refreshed (every 1-5 days).

The server is pretty dumb in the sense that it can’t retain any session or state memory after it goes to sleep (after 15-30 mins of no activity).

Hmm. The fact that it does the request for Amazon credentials directly from the Heroku server makes me uneasy.

Not everything has a malicious intent lurking about… I did the best I could to make it safe, but if you are uncomfortable then it sounds like this great integration is not for you…

1 Like

The Heroku server only proxies the request. You are logging into Amazon and the server can’t see your credentials.

1 Like

The code is all open source if you want to review how it is handling the credentials.

1 Like

Hey guys, I did not mean to offend anyone here. I know all you guys’ intentions are good. I’m not concerned with the coding or the service created by @tonesto7.

My concern was more about the possibility of the hosting service (Heroku) being able to capture the credentials. Nonetheless, @nathancu’s recommendation of using two-factor actually put me a little at ease and willing to go all in with Echo Speaks!

Cheers

1 Like