Postman and OAuth2 Token for API


(Jack) #1

Hi,
I am trying to test out the new SmartThings API, and I see that I need an OAuth token in order to do anything. I’ve got that, but I don’t know how to correctly add it in Postman in order to make GET requests. I would really appreciate any help as to how I can add my token into Postman so that I can start doing stuff with the API.

https://smartthings.developer.samsung.com/develop/api-ref/st-api.html#section/Authentication


(Jim Anderson) #2

You just need to add a header to the request with key Authorization and value Bearer: YOUR-TOKEN-HERE.

All SmartThings resources are protected with OAuth 2.0 Bearer Tokens sent on the request as an Authorization: Bearer <TOKEN> header, and operations require specific OAuth scopes that specify the exact permissions authorized by the user.


In Postman, it will look like this:

image


(I hate Mondays) #3

Jim, I believe there is no : between the word Bearer and the token.


(Jack) #4

Hi,
I was wondering if there was a way to write the whole GET link, https://api.smartthings.com/v1/devices, with the token, instead of having to add this in the header. So the token would be within the URL link. Is there a way to do this?


#5

Passing the token in the URL is technically possible according to the OAuth standard using /whatever?access_token=<your-token>, but very strongly discouraged due to the fact that it will then end up in browser history, server logs and all sorts of other insecure places. Nothing in the ST docs about this being possible afaict, so they’ve probably not added support for it (optional in the standard). However, headers are fairly easy to add to an HTTP request in most web libraries and CLI clients so shouldn’t be too much of an issue?
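
An added example, not part of any post in this thread and not SmartThings code: the header form discussed in posts #2 and #3 (scheme name, one space, then the token) built with Python's standard library, plus a check that finds and redacts `access_token=` values that reached a server access log, as post #5 warns. The token, the log lines and the function names are constructed for illustration; the request is built but never sent.

```python
import re
import urllib.request
from urllib.parse import parse_qsl, urlsplit

API_URL = "https://api.smartthings.com/v1/devices"  # endpoint quoted in the thread

# Matches a token carried as a query parameter, in a URL or a log line.
TOKEN_IN_QUERY = re.compile(r'([?&]access_token=)[^&\s"]+')


def build_request(token, url=API_URL):
    """Build (without sending) a GET that carries the token in a header."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if any(name == "access_token" for name, _ in query):
        raise ValueError("token must not be carried in the URL")
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("token is empty or contains whitespace")
    # Scheme name, one space, then the token: no colon after "Bearer".
    headers = {"Authorization": "Bearer " + token}
    return urllib.request.Request(url, headers=headers, method="GET")


def find_leaked_tokens(log_lines):
    """Return (line number, redacted line) for lines that logged a URL token."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        if TOKEN_IN_QUERY.search(line):
            hits.append((number, TOKEN_IN_QUERY.sub(r"\1REDACTED", line)))
    return hits


# Constructed access-log lines (not real traffic); the token is a placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /v1/devices HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] '
    '"GET /v1/devices?access_token=EXAMPLE-TOKEN HTTP/1.1" 401 64',
]

if __name__ == "__main__":
    req = build_request("EXAMPLE-TOKEN")
    print(req.get_method(), req.full_url)
    print("Authorization:", req.get_header("Authorization"))
    for number, line in find_leaked_tokens(SAMPLE_LOG):
        print("line", number, "->", line)
```

A token that turns up in `find_leaked_tokens` output has already been written to disk in clear text and should be revoked and reissued.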



(Jody) #6

Can you outline a scenario where putting it in the header is unreasonable or impossible? We really stress not to put the token in the URL for security reasons.


(Jack) #7

I am trying to use an IDE that only allows me to use a single URL. I cannot write out a whole method. I am not concerned with security for what I am doing anyways. So this is why I want to do this. How can I put the token in the URL?