Use httpPostJson with authentication, headers, and data


I want to make button presses start/stop Toggl timers (time-tracking).

Bash equivalent

This is the curl I want to use in groovy:

curl -v -u <toggl api token>:api_token \
	-H "Content-Type: application/json" \
	-d '{"time_entry":{"description":"This is a test time entry","created_with":"curl"}}' \


Using httpPostJson() documentation, I’ve implemented it like so inside an event handler that reliably gets called:

def params = [
    "uri": "",
    "body": [
        "data": [
            "{\"time_entry\":{\"description\":\"Test timer event\",\"created_with\":\"curl\"}}": ""
        "auth": [
            "user": "<toggl API token>",
            "password": "api_token"
  def content = ""
  try {
    httpPostJson(params) { resp ->
      resp.headers.each {
        log.debug "${} : ${it.value}"
      log.debug "response contentType: ${resp.contentType}"
      log.debug "response data: ${}"
      content = "${}"
  } catch (e) {
    content = "something went wrong: $e"


The error I get is Received fatal alert: handshake_failure.


Is this a problem with the code I have? Is it possible to POST with API token authentication from the groovy IDE or should I use the Java/Javascript SDK instead?

Yes it’s possible but this looks like it’s having an issue with the handshake. Check the security protocol, it should be using TLS 1.2

That’s a good idea, but it’s not a problem with TLS1.2. I added the --tlsv1.2 flag to curl, and the curl continues to work.

If I add the flag --tlsv1.1 to this command instead, I get an SSL error curl: (35) error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert protocol version


  • What version of TLS does SmartThings send HTTP requests with?
  • What cipher suite does SmartThings send HTTP requests with?

There was an issue with this last year where the platform was upgraded to use TLS 1.2 (you can also specify that explicitly but it’s not required). The syntax you’re using is working fine for me.

I think your error may be related to either the security certificate used on the other end (check it’s chain and see if it’s using a custom root trust certificate or a standard one) or possibly the encryption bits.

You may want to try to use something list Postman to debug this further.

I think I’ll just try the javascript SDK as it’s easier to debug. I appreciate your help here - thank you.