OAuth2 Parameters for API Calls

I would like to use the API for monitoring my devices. For this I have to authorise with OAuth2 and have got

The missing information is

  • redirect URI
  • state

Where can I get these?


The ST documentation linked below has the API endpoints to use in order to interact with devices, including requesting their state.

The Postman app is really useful when trying to figure out how to interact with ST api (if you have an iPad, ‘API Tested’ is a great app to send api commands, it’s much easier to learn than Postman)

What platform/system are you trying to use to monitor your devices?

I use an orangepi (similar to a Raspberry Pi) and Python3.
REST API calls are familiar to me. My question is about OAuth2. For OAuth I have to follow a 3 stage login process using some parameters.
First stage needs a “redirect URL” and “state”. Where do I find these?


I’m not sure about 3 stage login process.

I’m interacting with ST api with an arduino using C/C++ and don’t do anything beyond sending a bearer token with my pat in the header for both Get and Post requests. Below is the code I use

switch (reqType) {
  case RuleExecute:
    _SSLClient->print("POST /v1/rules/execute/"); _SSLClient->print(Id);
    _SSLClient->print("?locationId="); _SSLClient->print(_locId); _SSLClient->println(" HTTP/1.1");
    break;
  case SceneExecute:
    _SSLClient->print("POST /v1/scenes/"); _SSLClient->print(Id); _SSLClient->print("/execute");
    _SSLClient->print("?locationId="); _SSLClient->print(_locId); _SSLClient->println(" HTTP/1.1");
    break;
  case DeviceOnOff: case GetDeviceStatus:
    _SSLClient->print("GET /v1/devices/"); _SSLClient->print(Id);
    // DeviceOnOff reads the health endpoint, GetDeviceStatus the full status
    reqType == DeviceOnOff ? _SSLClient->print("/health") : _SSLClient->print("/status");
    _SSLClient->print("?locationId="); _SSLClient->print(_locId); _SSLClient->println(" HTTP/1.1");
    break;
  case DeviceCntrl:
    _SSLClient->print("POST /v1/devices/"); _SSLClient->print(Id); _SSLClient->println("/commands HTTP/1.1");
    break;
  case Weather:
    _SSLClient->print("GET /v1/services/coordinate/locations/"); _SSLClient->print(Id);
    break;
  default:
    Serial.println(" - Unknown request type");
}
// Headers common to every request type; the PAT goes in the Authorization header
_SSLClient->print("Accept: "); _SSLClient->println("application/json");
_SSLClient->println("Content-Type: application/json");
_SSLClient->print("Content-Length: "); _SSLClient->println(contentLength);
_SSLClient->print("Host: "); _SSLClient->println(_STServer);
_SSLClient->println("User-Agent: Arduino/1.0");
_SSLClient->print("Authorization: Bearer "); _SSLClient->println(_PAT);
_SSLClient->println("Connection: close");

The URI for the ST server is
const char* STServer = "api.smartthings.com";

And when I set up the SSLClient I set it on port 443
STControl myHome(&wifiSSLClient, STServer, locId, stPAT, responseBuf, &WDTReset);

Which calls in my library
STControl(Client* SSLClient, const char* STServer, const char* locId, const char* PAT, char* responseBuf, void (*cbPtr)() = NULL) :

The hint for PAT with the bearer helps a lot. Thank you.
These Python lines give me access to the list of devices:

import requests

url = "https://api.smartthings.com/v1/devices"
# the Personal Access Token goes in the Authorization header as a Bearer token
my_headers = {'Authorization': 'Bearer xxxxxxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxxx'}
dataHTTPResponse = requests.get(url, timeout=5, headers=my_headers)

The 3 stages are not necessary when using this header. Maybe I just read too much about OAuth2 and overlooked the easy way.

I believe OAuth is only needed for authenticating Webhook SmartApps as described here

When reading API | Developer Documentation | SmartThings carefully there is the same information. But I just focussed on “OAuth2” and ignored the conditions when this is needed (third-party integrations or SmartApps). In the next paragraph the non-SmartApp access is described.
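A small device monitor built on the PAT-as-Bearer approach settled on above, added here as an example (it is not code from the thread or from SmartThings): it builds the Authorization header, lists devices from /v1/devices and fetches each device's /status. It uses the standard library instead of requests so it runs without extra packages; the SMARTTHINGS_PAT variable name, SAMPLE_DEVICES payload and the dev-/loc- identifiers are assumptions made for the example.

```python
import json
import os
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode

API_BASE = "https://api.smartthings.com/v1"

# Constructed sample of a /v1/devices response, trimmed to the fields used below.
SAMPLE_DEVICES = {"items": [
    {"deviceId": "dev-0001", "label": "Hall lamp", "locationId": "loc-1"},
    {"deviceId": "dev-0002", "name": "Sensor", "locationId": "loc-1"},
]}


def build_request(path: str, pat: str, location_id: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for a call authenticated with a PAT as Bearer token."""
    if not pat or set(pat) <= set("x-"):  # reject the xxxx placeholder from the thread
        raise ValueError("a real PAT is required; read it from the environment, never hardcode it")
    url = f"{API_BASE}/{path.lstrip('/')}"
    if location_id:
        url += "?" + urlencode({"locationId": location_id})
    return url, {"Authorization": f"Bearer {pat}", "Accept": "application/json"}


def summarize_devices(payload: Dict) -> List[Dict[str, Optional[str]]]:
    """Reduce a /v1/devices response to the fields a monitor needs."""
    return [{"deviceId": d["deviceId"],
             "label": d.get("label") or d.get("name"),
             "locationId": d.get("locationId")}
            for d in payload.get("items", [])]


def get_json(url: str, headers: Dict[str, str], timeout: float = 5.0) -> Dict:
    """GET with a timeout; a 401 means the PAT is wrong, revoked or lacks the needed scopes."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            raise PermissionError("401 Unauthorized: check the PAT and its scopes") from exc
        raise


if __name__ == "__main__":
    pat = os.environ["SMARTTHINGS_PAT"]  # variable name chosen for this example
    url, headers = build_request("devices", pat)
    for dev in summarize_devices(get_json(url, headers)):
        status_url, _ = build_request(f"devices/{dev['deviceId']}/status", pat, dev["locationId"])
        print(dev["label"], json.dumps(get_json(status_url, headers))[:100])
```

Keeping the token in the environment rather than in the script is the one habit worth adopting from the start, since a PAT grants whatever scopes it was created with for as long as it stays valid.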


It’s never been particularly clear. There was a time when SmartApp was used in about seven different ways.

As you have probably noticed, when they are talking about ‘OAuth’ apps they are really about what their API calls API_ONLY apps, which I think also get called ‘API Access’ apps. Other terminology is probably available. They are what you’d use to link platforms like SharpTools or ActionTiles to SmartThings. As a developer you have to get very involved in the OAuth side of things with those.

When you are using Personal Access Tokens in REST client applications you are still using OAuth. However SmartThings has taken care of that side of things for you and your involvement is asking for the right token in the first place and then sticking it in the Authorization header. You don’t need to really know that OAuth is involved.

Webhook SmartApps are a bit of a middle ground. Those are largely used for automations and sometimes for implementing cloud based devices. SmartThings take care of most of the OAuth stuff for you but if you want to use an access token outside the five minute window after receiving an event from SmartThings you have to engage a little bit more to make sure you’re using the right one and you have to keep it refreshed. You could still be largely unaware you are working with OAuth, but you are more aware that something is going on.