Hi, @arunb_97
As @orangebucket mentioned, it’s always useful to know what you’re trying to achieve to know you’re on the right track.
It’s a common mistake that users create Webhook SmartApps in the Developer Workspace to use them as API_ONLY apps, but following the OAuth flow with this type of app will cause the reaction you mention since Webhook SmartApps are expected to be installed through the SmartThings app and follow certain lifecycles.
That being said, if what you look for is to have access to users’ devices (for example, sending commands to them, getting their current status, getting subscription events from changes in status, health, etc.) from a third-party source like an external app, you need an API_ONLY app type which is the one described in the documentation as OAuth Integration.
These are the instructions to create an app of this type:
- The option to create OAuth integrations cannot be found in the Developer Workspace.
- You need to use the SmartThings CLI to create this type of app:
  smartthings apps:create
  ----> The type you need to select is “OAuth-In App”
  ----> Target URL is the link where you want to receive the subscription events
  ----> These scopes are the permissions whitelisted from your app; if you use a scope in the “authorize URL” not included in your app’s scopes, you’ll get an error
  ----> Add redirect URI because that’s where you’ll receive the authorization code once the user authorizes access to your app.
- You can also use the JSON in this sample as the input for the command.
  https://github.com/SmartThingsCommunity/api-app-subscription-example-js?tab=readme-ov-file#2-register-your-smartthings-app
- Then, you need to start the OAuth 2.0 process, which consists of:
- Show the authorization page to the user by using this URL:
  https://api.smartthings.com/oauth/authorize?client_id=clientId_from_app&response_type=code&redirect_uri=redirect_uri_from_app&scope=scopes_from_whitelisted_inApp
- Once the user authorizes access to your app, it’ll redirect you to the “Redirect URI” you configured with the Authorization Code.
- You’ll exchange this code for an Access Token. This is an example of that request:
  curl -X POST "https://api.smartthings.com/oauth/token" -u "clientId_from_app":"clientSecret_from_app" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=authorization_code&client_id=clientId_from_app&code=codeReceived&redirect_uri=redirect_uri_from_app"
- The Access Token you get expires in 24 hours.
- The Refresh Token expires in 29 days if not used. We suggest you refresh the token before this time, otherwise, you’ll lose the Refresh token and the User will need to re-authorize.
  NOTE: Remember the OAuth integration has a limit of 500 installations by default. Each time a user authorizes access to one of his/her locations, it will count as 1 installation. This means, if a user has 3 locations and authorizes access to each of them, he/she will use 3 installations.
- To refresh the Access Token, you need to use the same endpoint but the grant_type is different, here’s an example about this:
  curl -X POST "https://api.smartthings.com/oauth/token" -u "clientId_from_app":"clientSecret_from_app" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=refresh_token&client_id=clientId_from_app&refresh_token=latest_refresh_token"
Subscriptions in API_ONLY apps
Registering a targetURL isn’t mandatory in this type of application, but if you want to create subscriptions using its installedAppId, you need to include a value for it.
Note: If you have already created your API_ONLY app but didn’t register a value for it, take a look at this post to know how you must update your app to do so: https://community.smartthings.com/t/smartthings-cli-apps-update-type-error-reading-url/303628/5?u=nayelyz
Once you have finished creating the app, you will receive a POST request with a confirmation URL, which you need to copy and paste into your browser or make a GET request using it. This is to “verify” the app so it can receive requests with the subscription events.
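The OAuth steps described in the post above, as an added Python example that is not part of the original post or of any SmartThings code. It builds the authorization URL with percent-encoded values, prepares (without sending) the two token requests shown as curl commands, and decides from the 24-hour and 29-day lifetimes when to refresh or re-authorize; the function names and the 300-second safety margin are assumptions.

```python
import base64
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://api.smartthings.com/oauth/authorize"
TOKEN_URL = "https://api.smartthings.com/oauth/token"
ACCESS_TTL = 24 * 3600         # access token lifetime stated in the post
REFRESH_TTL = 29 * 24 * 3600   # refresh token lifetime if unused, per the post


def authorize_url(client_id, redirect_uri, scopes):
    """Build the authorization page URL; urlencode escapes every value."""
    query = urllib.parse.urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,   # must match the URI registered in the app
        "scope": " ".join(scopes),      # only scopes whitelisted in the app
    })
    return f"{AUTHORIZE_URL}?{query}"


def token_request(client_id, client_secret, **grant):
    """Prepare the POST to the token endpoint for either grant type."""
    body = urllib.parse.urlencode({"client_id": client_id, **grant}).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",   # same as curl -u id:secret
        "Content-Type": "application/x-www-form-urlencoded",
    })


def code_grant(client_id, client_secret, code, redirect_uri):
    return token_request(client_id, client_secret, grant_type="authorization_code",
                         code=code, redirect_uri=redirect_uri)


def refresh_grant(client_id, client_secret, refresh_token):
    return token_request(client_id, client_secret, grant_type="refresh_token",
                         refresh_token=refresh_token)


def next_action(issued_at, now, margin=300):
    """Decide what to do with a token pair issued at issued_at (epoch seconds)."""
    age = now - issued_at
    if age >= REFRESH_TTL:
        return "reauthorize"   # refresh token lapsed; the user must authorize again
    if age >= ACCESS_TTL - margin:
        return "refresh"       # access token expired or about to (margin is assumed)
    return "use"
```

A prepared request is sent with `urllib.request.urlopen(req)`; keep the client secret on the server side only.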