Permissions in Smart App

Hi all,
Having some trouble with permissions on my Lambda smart app. I have given the app r:locations:* permissions, however anytime I make an API call to get either locations or rooms I am returned a 403 forbidden error. I’m making these calls using the core SDK. Has anyone else encountered this permissions issue? Is it something else causing the 403 error I’m unaware of?

EDIT: Forgot to add, I am able to make the call to get the list of devices without a problem. It is only the rooms and locations that error out.

Tagging @nayelyz @erickv

Hello @tomtesting,

Using the scope r:locations:* is correct. Below you can find a sample using the SmartApp NodeJS SDK where the subscriptions to the switch capability are used to trigger the requests for the rooms and locations. The difference is that the same scopes selected in the workspace are also specified in the SmartApp definition.

const app = new SmartApp();
.page('mainPage', (context, page, configData) => {
    page.section('switchDev', section => {
.updated(async (context, updateData) => {
    await context.api.subscriptions.unsubscribeAll();
    return Promise.all([
        context.api.subscriptions.subscribeToDevices(context.config.switchD, 'switch', 'switch.on', 'switchOnEventHandler'),
        context.api.subscriptions.subscribeToDevices(context.config.switchD, 'switch', '', 'switchOffEventHandler')
.subscribedEventHandler('switchOnEventHandler', (context, deviceEvent) => {
    return context.api.locations.list().then(res => {
.subscribedEventHandler('switchOffEventHandler', (context, deviceEvent) => {
    return context.api.rooms.list(context.locationId).then(res => {

Take into consideration that the SmartApp token can retrieve information only from the location where it’s installed.

Hi @nayelyz, thanks for the response. Is it required that all of the permission scopes I defined in the developer workspace also be included in the code of the Smart App? I was under the impression that one or the other would be sufficient, as I do not have the r:devices:* in my app code, but I am still able to access the devices list from the app.

One other point to mention is that I am making the API call for rooms and locations in the .updated() method. Could this be causing some sort of race condition because the app might not be fully “installed” by the time they are called? Again, that would be strange because the devices API call works in that .updated() method. I’ll test out a few different scenarios with the feedback you provided and see if anything new crops up.
Thank you again!

Hello @tomtesting,

It’s better if both have the same values, you can see in the permissions page (when you are installing the app) if all the permissions you need are included. About the requests in the updated() method, they should be successful because they use the parameter “context” which has all the information needed.

Note: The Developer Workspace allowlists scopes but doesn’t use them, and the SmartApp can access/use those allowlisted scopes. For more information, you can see the authorization document

If the previous post answers your question, can you mark it as Solved, please? If not, let me know what’s going on and we can dig in further.

Ok, that makes sense. However, when I include the permissions in the smart app code, the app fails to enter the configuration page when I click on it, and I just get the vague “network error” alert which I have come to realize could mean any number of errors totally unrelated to network errors. In the logs of my AWS Lambda, I don’t get any errors or warnings, the execution just gets killed after receiving this response:


When I don’t include the permissions line, but try to make the locations or rooms API call, I get the 403 error.

When I don’t request either, and don’t include the permissions, the app works perfectly (subscriptions are made, etc.)

I’m a bit confused due to the lack of clarity on error messages in this case… as I mentioned above, I don’t see any meaningful error messages in Smart Things or AWS, and yet the app won’t function when I add that permissions line. More descriptive error messages within the Smart Things app is definitely something I would like to see, but I digress. Any thoughts are greatly appreciated!

Hello @tomtesting,

Would you share the configuration that you use for the SmartApp definition? In case you are using the Simple SmartApp sample, the sample above has the following modifications:

  1. The configureI18n() is not included
  2. The appId() and permissions() where added

This could be the reason for the error. You can refer to the lifecycle documentation and see the data required in each lifecycle, CONFIGURATION cycle should be called during the SmartApp installation.

If you already have them covered but you’re still getting the error, I can check your SmartApp definition.

1 Like

@nayelyz Looks like the problem was not including the appID property.

This is somewhat confusing because I was able to subscribe to devices and handle events without including the combination of permissions and appID. Reading it now in the documentation on GitHub, it makes sense that appID is required, but the fact that the app worked at all without it is confusing. The examples on GitHub I followed when first learning how to use the SDK made no mention of the permissions line or the appID.

In any case, I appreciate the help!

1 Like