OAuth Token Misuse Possible?

Hello everyone,

Given an automation App that turns on a light if there is motion, can the App use the OAuth token generated for the given functionality to send an API request to turn on the light device without receiving a motion event from the ST API?

I suppose this App is a Webhook that can also launch API calls, not just a Lambda function that can only make calls upon receiving events.

Since the scope of permissions on the OAuth token would be execute permission for the device, I would assume the SmartApp could execute any command at any time after receiving the token.

There does not seem to be any capability to limit access to commands to only after a certain event on another device occurs.
Given the event-driven and asynchronous nature of interacting with multiple devices, this kind of coupling would be difficult to implement in a way that is reliable.

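The point made in the reply above, modelled as an added example that is not code from the thread or from the SmartThings platform: the platform's authorization check is a stateless scope lookup, so any code path holding the token passes it with or without a preceding motion event; the only "motion then light" coupling lives inside the app, and the practical control is an audit over the command log. The scope string format `x:devices:<id>`, the class and function names, and the timestamps are assumptions made for the example.

```python
"""Stateless OAuth scope check versus app-side event coupling (illustrative model).

Assumptions, not taken from the thread: execute scopes are strings of the form
"x:devices:<deviceId>" or "x:devices:*", timestamps are timezone-aware datetimes,
and the 30 second window is an arbitrary constructed value.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed reference time for the sample run below.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Token:
    scopes: frozenset  # e.g. frozenset({"x:devices:light-1"}) (assumed format)


def platform_authorizes(token: Token, device_id: str) -> bool:
    """What the device API can decide: does the token carry execute scope for
    this device? It knows nothing about which sensor events came before."""
    return "x:devices:*" in token.scopes or f"x:devices:{device_id}" in token.scopes


@dataclass
class MotionLightApp:
    token: Token
    light_id: str
    window: timedelta = timedelta(seconds=30)
    last_motion: Optional[datetime] = None
    # (timestamp, device, command, source of the call) for every accepted command
    command_log: List[Tuple[datetime, str, str, str]] = field(default_factory=list)

    def on_motion(self, ts: datetime) -> bool:
        """Intended path: a motion event arrives, the app turns the light on."""
        self.last_motion = ts
        return self.execute("on", ts, source="motion-event")

    def execute(self, command: str, now: datetime, source: str) -> bool:
        """Any code in the app that holds the token reaches this. The only gate
        is the platform scope check, which is independent of events."""
        if not platform_authorizes(self.token, self.light_id):
            return False
        self.command_log.append((now, self.light_id, command, source))
        return True

    def execute_gated(self, command: str, now: datetime, source: str) -> bool:
        """App-side coupling: refuse unless motion was seen inside the window.
        This is a convention the app imposes on itself, not platform enforcement."""
        if self.last_motion is None or now - self.last_motion > self.window:
            return False
        return self.execute(command, now, source)


def commands_without_recent_event(command_log, motion_events, window: timedelta):
    """Audit check: commands with no motion event in the preceding window.
    This is where an operator can see token use that the scope model cannot prevent."""
    limit = window.total_seconds()
    flagged = []
    for ts, device, command, source in command_log:
        preceded = any(0 <= (ts - ev).total_seconds() <= limit for ev in motion_events)
        if not preceded:
            flagged.append((ts, device, command, source))
    return flagged


def demo():
    """Constructed run: one legitimate event-driven command, one command issued
    from an unrelated code path with the same token, one gated attempt."""
    token = Token(frozenset({"x:devices:light-1"}))
    app = MotionLightApp(token, "light-1")
    motion_events = [T0]
    app.on_motion(T0)                                                    # accepted
    app.execute("on", T0 + timedelta(hours=2), source="scheduled-job")   # accepted, no event
    gated = app.execute_gated("off", T0 + timedelta(hours=3), source="scheduled-job")
    flagged = commands_without_recent_event(app.command_log, motion_events, app.window)
    return len(app.command_log), gated, flagged


if __name__ == "__main__":
    accepted, gated, flagged = demo()
    print(f"accepted commands: {accepted}, gated attempt allowed: {gated}")
    for entry in flagged:
        print("no preceding motion event:", entry)
```

The scheduled-job call is accepted by `platform_authorizes` exactly like the motion-driven one, which is the reply's point; `execute_gated` shows that the coupling can only be added inside the app, and `commands_without_recent_event` is the kind of after-the-fact check a defender can run over the command log to notice token use outside the expected pattern.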