OAuth2 Flow for Desktop Application

Hi,

Currently I’m developing a Windows Service App. How can I implement an OAuth2 flow that can refresh automatically daily? I tried to create an Automation App in the Developer Workspace, but unfortunately it requires a WebHook Endpoint, which is not applicable to a desktop app:

tagging @nayelyz

Hi @henoch.setiadi

Could you please share more details about the purpose of the app? The approach may differ based on what the app is meant to achieve.

Hi @Itati ,

The Windows Service is used to check whether the Smart Plug is ON/OFF, compare it with the Laptop Battery Level, and decide if it is time to Charge or Discharge.

Thanks in advance.

Hi @henoch.setiadi

You need an API-ONLY type of app, and the one you created in the Developer Workspace won’t work because it’s not the correct type. I’m sharing the steps below to help you create the right app.

  1. The option to create OAuth integrations cannot be found in the Developer Workspace.
  2. You need to use the SmartThings CLI to create this type of app.
     1. You can also use the JSON in this sample as the input for the command.
        GitHub - SmartThingsCommunity/api-app-subscription-example-js: Example API Access SmartApp that shows the state and allows control of devices
  3. Then, you need to start the OAuth 2.0 process, which consists of:
     1. The Access Token you get expires in 24 hours.
     2. The Refresh Token expires in 29 days if not used. We suggest you refresh the token before this time; otherwise, you’ll lose the Refresh Token and the User will need to re-authorize.

NOTE: Remember the OAuth integration has a limit of 500 installations by default. Each time a user authorizes access to one of his/her locations, it will count as 1 installation. This means, if a user has 3 locations and authorizes access to each of them, he/she will use 3 installations.

  1. To refresh the Access Token, you need to use the same endpoint, but the grant_type is different. Here’s an example of this:

    curl -X POST "https://api.smartthings.com/oauth/token" -u "${clientId_from_app}":"${clientSecret_from_app}" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=refresh_token&client_id=${clientId_from_app}&refresh_token=${latest_refresh_token}"

Example of Access Token response

This is for the cases about creating subscriptions with an API_ONLY app. You only need the installedAppId and the Access Token.

    {
      "access_token": "41fb5735-d9af-4041-...",
      "token_type": "bearer",
      "refresh_token": "f804c515-2afa-4a49-...",
      "expires_in": 85744,
      "scope": "r:locations:* x:devices:* r:devices:*",
      "access_tier": 0,
      "installed_app_id": "cac8fb70-4e2c-4630-..."
    }

Note:

Subscriptions require having a targetURL registered in the app because that’s where you’ll receive the new events.
This will also trigger a CONFIRMATION request (similar to a SmartApp) which means you need to verify the app by making a GET request to that URL to start receiving the events.
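
The refresh step from the answer above, sketched in Python as an added example (not code from the thread or from SmartThings): it builds the same request as the curl command, turns `expires_in` into an absolute expiry time, and persists the latest refresh token atomically so an unattended service never ends up holding a stale one. The function names, the one-hour margin and the token-file layout are assumptions.

```python
import base64
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.smartthings.com/oauth/token"  # endpoint from the curl command
REFRESH_MARGIN = 3600  # assumption: renew one hour before the access token expires

def build_refresh_request(client_id, client_secret, refresh_token):
    """Build (without sending) the same POST the curl command makes."""
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
    }).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST", headers={
        "Authorization": "Basic " + basic,
        "Content-Type": "application/x-www-form-urlencoded",
    })

def to_state(response, now):
    """Keep only what the service needs; store an absolute expiry time."""
    return {
        "access_token": response["access_token"],
        "refresh_token": response["refresh_token"],  # always keep the latest one
        "expires_at": now + int(response["expires_in"]),
    }

def needs_refresh(state, now):
    return now >= state["expires_at"] - REFRESH_MARGIN

def save_state(path, state):
    """Write a temp file, then rename, so a crash never leaves a half-written file."""
    tmp = path + ".tmp"
    # 0o600 only restricts access on POSIX; on Windows protect the file with an ACL or DPAPI.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(state, f)
    os.replace(tmp, path)

def refresh(path, client_id, client_secret, state, now=None):
    """Send the refresh request and persist the new tokens before returning them."""
    req = build_refresh_request(client_id, client_secret, state["refresh_token"])
    with urllib.request.urlopen(req, timeout=30) as resp:
        new_state = to_state(json.load(resp), time.time() if now is None else now)
    save_state(path, new_state)
    return new_state
```

A service loop would call `needs_refresh` on a timer and call `refresh` when it returns true, never writing the token values to its logs.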

Thanks for your help @Itati .