Root endpoint access change 6/02/2016

I’m not really sure what this means, but it looks important. So for those who haven’t seen the platform release notes for today:

Root endpoint of SmartApps is no longer accessible through a web browser


If I understand correctly, this only affects the “generic” root endpoint which was technically a security scope leak (along the lines of stuff researchers raised concern about in the U of Michigan study).

OAuth’d Web Services SmartApps should only be accessed by their explicit “mappings:” list, and only accept Commands and State requests for devices Authorized at the time of installation or user updating preferences.

i.e., This won’t give any result and should give an authorization error. This is calling the “root” of a SmartApp’s endpoints…<blank>


error: "access_denied",
error_description: "Access is denied"

But this, or many similar explicit endpoints as defined in SmartApp mappings: is still fine:<switchID>

For example, SmartTiles has endpoints:

  • /css
  • /tools
  • /history
  • /order

(and many more), such as:


Correct @tgauchat. The root endpoint should not be exposed. All pre defined “custom” endpoints will work as expected.