Unable to Register API_ONLY App via CLI - 403 Forbidden Error

I am trying to register a new OAuth client for a native mobile application integration using the SmartThings CLI. My goal is to create an API_ONLY app that uses a custom redirectUri for a mobile app authentication flow.

The Developer Workspace UI does not provide an option to set a Redirect URI for “Automation” projects, so I am using the CLI as per the documentation.

Problem: Every attempt to register the app via the CLI results in a 403 Forbidden error, even when using a Personal Access Token (PAT) that has every single available scope authorized.

Command Used:

Bash
cat payload.json | smartthings apps:register --token [MY_PERSONAL_ACCESS_TOKEN] -

payload.json Content:
JSON
{
  "appName": "batteryalarmapp",
  "displayName": "Battery Alarm Integration",
  "description": "Connects Battery Alarm to SmartThings to trigger a virtual sensor.",
  "appType": "API_ONLY",
  "oauth": {
    "clientName": "Battery Alarm",
    "scope": [
      "r:devices:*",
      "w:devices:*",
      "x:devices:*"
    ],
    "redirectUris": [
      "battery-alarm-app://callback"
    ]
  }
}

Error Received:

AxiosError: Request failed with status code 403: {"requestId":"...","error":{"code":"ForbiddenError","message":"Access forbidden to this app.","details":[]}}

It seems that PATs are no longer being granted the necessary permissions to register apps via the CLI, despite the UI allowing all scopes to be selected.

Could you please advise on the correct, current procedure for registering an API_ONLY app with a custom redirect URI for a native mobile application?

Thank you.

I am a bit confused with what you are doing there. Your JSON payload looks like that required to create an app, not register it. Registering the app via the CLI just needs the appId of the created app on the command line.

The registration process for an app sends a CONFIRMATION request (the same process as for a Webhook SmartApp) to the targetUrl of your app after you have created it. The targetUrl is the one used for messages originating from the SmartThings end.

Hi, @Cool_Coder

Indeed, the command you’re using is not used to create an API_ONLY app. Here are the instructions to do so:

  1. The option to create OAuth integrations cannot be found in the Developer Workspace.
  2. You need to use the SmartThings CLI to create this type of app.
  1. You can also use the JSON in this sample as the input for the command.
    GitHub - SmartThingsCommunity/api-app-subscription-example-js: Example API Access SmartApp that shows the state and allows control of devices
  2. Then, you need to start the OAuth 2.0 process, which consists of:
  1. The Access Token you get expires in 24 hours.
  2. The Refresh Token expires in 29 days if not used. We suggest you refresh the token before this time, otherwise, you’ll lose the Refresh token and the User will need to re-authorize.

NOTE: Remember the OAuth integration has a limit of 500 installations by default. Each time a user authorizes access to one of his/her locations, it will count as 1 installation. This means, if a user has 3 locations and authorizes access to each of them, he/she will use 3 installations.

  1. To refresh the Access Token, you need to use the same endpoint but the grant_type is different, here’s an example about this:

curl -X POST "https://api.smartthings.com/oauth/token" \
  -u "${clientId_from_app}":"${clientSecret_from_app}" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token&client_id=${clientId_from_app}&refresh_token=${latest_refresh_token}"

Please let us know if you have any questions.
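The token lifetimes and refresh call from the reply above, worked into a small Node.js helper. This is an added example, not part of the original thread and not SmartThings code. The record shape, function names and the 10-minute safety margin are assumptions, and the response field names (`access_token`, `refresh_token`) are the standard OAuth 2.0 ones from RFC 6749.

```javascript
// Added example: lifetimes and endpoint come from the reply above; the record
// shape, function names and margin are hypothetical.
const HOUR = 60 * 60 * 1000;
const ACCESS_TTL = 24 * HOUR;        // access token: 24 hours
const REFRESH_TTL = 29 * 24 * HOUR;  // refresh token: 29 days if not used
const TOKEN_URL = "https://api.smartthings.com/oauth/token";

// Decide what to do with a stored token record at time `now` (ms since epoch).
// `margin` acts early so a call never goes out with a token about to expire.
function nextAction(rec, now, margin = 10 * 60 * 1000) {
  if (!rec || !rec.refreshToken) return "REAUTHORIZE";
  if (now - rec.refreshIssuedAt >= REFRESH_TTL - margin) return "REAUTHORIZE";
  if (!rec.accessToken || now - rec.accessIssuedAt >= ACCESS_TTL - margin) return "REFRESH";
  return "USE";
}

// Build (but do not send) the refresh request, mirroring the curl command.
function buildRefreshRequest(clientId, clientSecret, refreshToken) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
  const body = new URLSearchParams({
    grant_type: "refresh_token",
    client_id: clientId,
    refresh_token: refreshToken, // URL-encoded here, unlike raw shell interpolation
  }).toString();
  return {
    url: TOKEN_URL,
    method: "POST",
    headers: {
      Authorization: `Basic ${basic}`,
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body,
  };
}

// Fold a token response into the record. If no new refresh token comes back,
// the old one and its issue time are kept (a conservative assumption), so the
// 29-day clock is never reset by mistake.
function applyTokenResponse(rec, res, now) {
  if (!res || typeof res.access_token !== "string") throw new Error("no access_token in response");
  const rotated = typeof res.refresh_token === "string";
  return {
    accessToken: res.access_token,
    accessIssuedAt: now,
    refreshToken: rotated ? res.refresh_token : rec.refreshToken,
    refreshIssuedAt: rotated ? now : rec.refreshIssuedAt,
  };
}
```

Persist the record returned by `applyTokenResponse` before using the new access token, so a crash between the two steps cannot leave only a stale refresh token on disk.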