Getting a bearer token

Getting an Athom Homey bearer token is not straight forward

The following guide, describes a setup that automatically fetches an updated bearer token for usage with your homey API. It consists of two main parts:

A homeyscript that returns an updated bearer token as a return tag value
An example flow that runs the homeyscript regularly and stores an updated bearer token in a logic variable

The homeyscript

First you need to update the configuration section to your homey.

The email and password is your Homey account.
A client_id and client_secret can be found at
The redirect_url can stay untouched
Your cloudid can be found here:

// -------- o - Configure these parameters -------- o -------- o 
let email = 'xxxxx@gmail.com'
let password = 'skdjhf987s8d76fsd'
let client_id = 's8d67chdg36d8d6f6d'
let client_secret = 'dsdfghjkdfjghkdfjhgkdfjhgkdfjhgkdfjhgkfd'
let redirect_url = 'http://localhost'
let cloudid = '8sd76f87sd6f876sd8f76sd'
// -------- o -------- o -------- o -------- o -------- o 

const between = function(str, strf, strt) {
    return str.split(strf).pop().split(strt)[0].trim();
}

const authurl = 'https://accounts.athom.com/login'
console.log("POST authentication " + authurl)
const response2 = await fetch(authurl, {
  "headers": {
    "accept": "application/json, text/javascript, */*; q=0.01",
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "referrerPolicy": "no-referrer-when-downgrade",
  "body": 'email=' +encodeURIComponent(email) + '&password=' + encodeURIComponent(password) + '&otptoken=',
  "method": "POST",
  "mode": "cors",
  "credentials": "omit"
})
const body2 = await response2.text()
const token = JSON.parse(body2)

const authorizeurl = 'https://accounts.athom.com/oauth2/authorise?client_id=' + client_id + 
    '&redirect_uri=' + encodeURIComponent(redirect_url) + '&response_type=code&user_token=' + token.token


console.log(" Response from accounts.athom.com/login ", body2)
console.log("GET Authorization " + authorizeurl)

const response3 = await fetch(authorizeurl, {
  "headers": {
  },
  "method": "GET",
  "mode": "cors",
  "credentials": "include"
})
const body3 = await response3.text()
let csrf = between(body3, 'name="_csrf" value="', '">')



let raw = response3.headers.raw()['set-cookie']
//let rawd = raw[0].split(';')
let cookiecsrf = null
raw.forEach(el => {
    let dc = el.split('=')
    if (dc[0] === '_csrf') {
        cookiecsrf = dc[1]
    }
})

let cookie4 = '_csrf=' + cookiecsrf
// console.log("Cookie4", cookie4)
console.log(" CSRF input parameter", csrf)
console.log(" CSRF cookie", cookiecsrf)

let authorizeurl2 = 'https://accounts.athom.com/authorise?client_id=' + client_id +   '&redirect_uri=' + encodeURIComponent(redirect_url) + '&response_type=code&user_token=' + token.token
console.log("GET Authorization", authorizeurl2)
const response4 = await fetch(authorizeurl2, {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
    "cookie": cookie4
  },
  "redirect": "manual",
  "body": "resource=resource.homey." + cloudid + "&_csrf=" + csrf + "&allow=Allow",
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});

const body4 = await response4.text()
let code = response4.headers['_headers'].location[0].split('=')[1]

console.log(" Response from authorization. Redirect to ", response4.headers['_headers'].location[0])
console.log(" Response content ", body4)
console.log(" Parsed the following code ", code)



let tokenendpoint = 'https://api.athom.com/oauth2/token'
console.log("POST token (resolve code to token) " + tokenendpoint)
const response5 = await fetch(tokenendpoint, {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": 'client_id=' + encodeURIComponent(client_id) +  '&client_secret=' + encodeURIComponent(client_secret) + 
    '&grant_type=authorization_code&code=' + encodeURIComponent(code),
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});


//console.log("Response5", response5)
const body5 = await response5.text()
let accesstoken = JSON.parse(body5)





let delegationEndpoint = 'https://api.athom.com/delegation/token?audience=homey'
const response6 = await fetch(delegationEndpoint, {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
    "authorization": "Bearer " + accesstoken.access_token
  },
  "referrerPolicy": "no-referrer-when-downgrade",
  "body": "client_id=" + client_id + " &client_secret=" + client_secret + "&grant_type=refresh_token&refresh_token=" + accesstoken.refresh_token,
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});



const body6 = await response6.json()
console.log(" JWT token is " + body6)

let endpoint7 = 'https://' + cloudid + '.connect.athom.com/api/manager/users/login'
console.log("POST login endpoint " + endpoint7)
const response7 = await fetch(endpoint7, {
  "headers": {
    "content-type": "application/json",
    //"authorization": "Bearer " + accesstoken.access_token
  },
  "body": JSON.stringify({"token": body6}),
  "method": "POST"
});

const body7 = await response7.json()
console.log(" Response status " + response7.status)
console.log(" Response: " + body7)

await setTagValue("accesstoken", {type: 'string', title:'Access token'}, body7)
return true

Updating a logic variable

Run the homeyscript above regularly to update an logic variable using the flow below.

Using the bearer token with the API

Here is an example using the Homey API with the bearer token:

// -------- o - Configure these parameters -------- o -------- o 
let cloudid = 'sd87f68ds76f87sd6f8sd76f'
// -------- o -------- o -------- o -------- o -------- o 

let variables = await Homey.logic.getVariables()
let getVar = (name) => {
    let x = _.find(variables, (val, key) => {return (val.name === name) })
    if (typeof x === 'undefined') throw new Error("Could not find variable [" + name + "]")
    return x
}
let accesstoken = getVar('accesstoken').value
console.log("Access token is " + accesstoken)
let baseapi = 'https://' + cloudid + '.connect.athom.com/api/'
let apiendpoint = baseapi + 'manager/devices/device/'
console.log("GET " + apiendpoint)
const response = await fetch(apiendpoint, {
  "headers": {
    "accept": "application/json",
    "Authorization": "Bearer " + accesstoken
  },
  "method": "GET"
});
console.log(" Response status " + response.status + " " + response.statusText)
const responseBody = await response.text()
const data = JSON.parse(responseBody)
console.log(" Result ", data)

Homey API reference

The base URL is:

https://<cloudid>.connect.athom.com/api/

Use the bearer token to make an authorized call:

GET /api/manager/sessions/session/ HTTP/1.1
Host: <cloudid>.connect.athom.com
Authorization: Bearer <ACCESS TOKEN>

# Alarms
GET /api/manager/alarms/alarm/

# Apps
GET /api/manager/apps/app/
GET /api/manager/apps/app/<APP_ID>/ (eg. com.fibaro)

# Cloud state
GET /api/manager/cloud/state/

# Devices
GET /api/manager/devices/device/
GET /api/manager/devices/device/<DEVICE_ID>/

# Drivers
GET /api/manager/devices/drivers/
GET /api/manager/drivers/pairsession/

# Experiments
GET /api/manager/experiments/experiment/

# Flow
GET /api/manager/flow/flow/
GET /api/manager/flow/flow/<FLOW_ID>/

# Flow folders
GET /api/manager/flow/flowfolder/

# Flow tokens
GET /api/manager/flowtoken/flowtoken/

# Images
GET /api/manager/images/image/

# Insights
GET /api/manager/insights/log/

# Language and unit settings
GET /api/manager/i18n/

# LED ring
GET /api/manager/ledring/screensaver/
GET /api/manager/ledring/state/

# Location
GET /api/manager/geolocation/

# Logic
GET /api/logic/variable/
GET /api/logic/variable/<VARIABLE_ID>/
PUT { "value": value } TO /api/manager/logic/variable/<VARIABLE_ID>/ 

# Mobile
GET /api/manager/mobile/

# Notifications
GET /api/manager/notifications/notification/
GET /api/manager/notifications/owner/

# Presence
GET /api/manager/presence/

# Reminders
GET /api/manager/reminder/reminder/

# Sessions
GET /api/manager/sessions/session/

# Switch on:
PUT { "value": true } TO /api/manager/devices/device/<DEVICE_ID>/capability/onoff/

# Switch off:
PUT { "value": false } TO /api/manager/devices/device/<DEVICE_ID>/capability/onoff/

# System
GET https://<HOMEY_IP>/api/manager/system/

# System Reboot // Use with caution!
POST https://<HOMEY_IP>/api/manager/system/reboot/

# Users
GET /api/manager/users/user/
GET /api/manager/users/user/<USER_ID>/
GET /api/manager/users/state/

# Weather
GET /api/manager/weather/weather/

# Zigbee
GET /api/manager/zigbee/state/

# Z-Wave
GET /api/manager/zwave/state/
GET /api/manager/zwave/log/
POST /api/manager/zwave/command/
- heal: payload {command: "heal", opts: {nodeId: <NODE_ID>}}
- test: payload {command: "sendData", opts: "<NODE_ID>,0x20,0x00"} 

# Zones
GET /api/manager/zones/
GET /api/manager/zones/<ZONE_ID>/

PreviousBathrooms NextBattery tracking

Last updated 3 years ago

Was this helpful?

// -------- o - Configure these parameters -------- o -------- o let email = 'xxxxx@gmail.com' let password = 'skdjhf987s8d76fsd' let client_id = 's8d67chdg36d8d6f6d' let client_secret = 'dsdfghjkdfjghkdfjhgkdfjhgkdfjhgkdfjhgkfd' let redirect_url = 'http://localhost' let cloudid = '8sd76f87sd6f876sd8f76sd' // -------- o -------- o -------- o -------- o -------- o const between = function(str, strf, strt) { return str.split(strf).pop().split(strt)[0].trim(); } const authurl = 'https://accounts.athom.com/login' console.log("POST authentication " + authurl) const response2 = await fetch(authurl, { "headers": { "accept": "application/json, text/javascript, */*; q=0.01", "content-type": "application/x-www-form-urlencoded; charset=UTF-8", }, "referrerPolicy": "no-referrer-when-downgrade", "body": 'email=' +encodeURIComponent(email) + '&password=' + encodeURIComponent(password) + '&otptoken=', "method": "POST", "mode": "cors", "credentials": "omit" }) const body2 = await response2.text() const token = JSON.parse(body2) const authorizeurl = 'https://accounts.athom.com/oauth2/authorise?client_id=' + client_id + '&redirect_uri=' + encodeURIComponent(redirect_url) + '&response_type=code&user_token=' + token.token console.log(" Response from accounts.athom.com/login ", body2) console.log("GET Authorization " + authorizeurl) const response3 = await fetch(authorizeurl, { "headers": { }, "method": "GET", "mode": "cors", "credentials": "include" }) const body3 = await response3.text() let csrf = between(body3, 'name="_csrf" value="', '">') let raw = response3.headers.raw()['set-cookie'] //let rawd = raw[0].split(';') let cookiecsrf = null raw.forEach(el => { let dc = el.split('=') if (dc[0] === '_csrf') { cookiecsrf = dc[1] } }) let cookie4 = '_csrf=' + cookiecsrf // console.log("Cookie4", cookie4) console.log(" CSRF input parameter", csrf) console.log(" CSRF cookie", cookiecsrf) let authorizeurl2 = 'https://accounts.athom.com/authorise?client_id=' + client_id + '&redirect_uri=' + encodeURIComponent(redirect_url) + '&response_type=code&user_token=' + token.token console.log("GET Authorization", authorizeurl2) const response4 = await fetch(authorizeurl2, { "headers": { "content-type": "application/x-www-form-urlencoded", "cookie": cookie4 }, "redirect": "manual", "body": "resource=resource.homey." + cloudid + "&_csrf=" + csrf + "&allow=Allow", "method": "POST", "mode": "cors", "credentials": "include" }); const body4 = await response4.text() let code = response4.headers['_headers'].location[0].split('=')[1] console.log(" Response from authorization. Redirect to ", response4.headers['_headers'].location[0]) console.log(" Response content ", body4) console.log(" Parsed the following code ", code) let tokenendpoint = 'https://api.athom.com/oauth2/token' console.log("POST token (resolve code to token) " + tokenendpoint) const response5 = await fetch(tokenendpoint, { "headers": { "content-type": "application/x-www-form-urlencoded", }, "body": 'client_id=' + encodeURIComponent(client_id) + '&client_secret=' + encodeURIComponent(client_secret) + '&grant_type=authorization_code&code=' + encodeURIComponent(code), "method": "POST", "mode": "cors", "credentials": "include" }); //console.log("Response5", response5) const body5 = await response5.text() let accesstoken = JSON.parse(body5) let delegationEndpoint = 'https://api.athom.com/delegation/token?audience=homey' const response6 = await fetch(delegationEndpoint, { "headers": { "content-type": "application/x-www-form-urlencoded", "authorization": "Bearer " + accesstoken.access_token }, "referrerPolicy": "no-referrer-when-downgrade", "body": "client_id=" + client_id + " &client_secret=" + client_secret + "&grant_type=refresh_token&refresh_token=" + accesstoken.refresh_token, "method": "POST", "mode": "cors", "credentials": "include" }); const body6 = await response6.json() console.log(" JWT token is " + body6) let endpoint7 = 'https://' + cloudid + '.connect.athom.com/api/manager/users/login' console.log("POST login endpoint " + endpoint7) const response7 = await fetch(endpoint7, { "headers": { "content-type": "application/json", //"authorization": "Bearer " + accesstoken.access_token }, "body": JSON.stringify({"token": body6}), "method": "POST" }); const body7 = await response7.json() console.log(" Response status " + response7.status) console.log(" Response: " + body7) await setTagValue("accesstoken", {type: 'string', title:'Access token'}, body7) return true

// -------- o - Configure these parameters -------- o -------- o let cloudid = 'sd87f68ds76f87sd6f8sd76f' // -------- o -------- o -------- o -------- o -------- o let variables = await Homey.logic.getVariables() let getVar = (name) => { let x = _.find(variables, (val, key) => {return (val.name === name) }) if (typeof x === 'undefined') throw new Error("Could not find variable [" + name + "]") return x } let accesstoken = getVar('accesstoken').value console.log("Access token is " + accesstoken) let baseapi = 'https://' + cloudid + '.connect.athom.com/api/' let apiendpoint = baseapi + 'manager/devices/device/' console.log("GET " + apiendpoint) const response = await fetch(apiendpoint, { "headers": { "accept": "application/json", "Authorization": "Bearer " + accesstoken }, "method": "GET" }); console.log(" Response status " + response.status + " " + response.statusText) const responseBody = await response.text() const data = JSON.parse(responseBody) console.log(" Result ", data)

# Alarms GET /api/manager/alarms/alarm/ # Apps GET /api/manager/apps/app/ GET /api/manager/apps/app/<APP_ID>/ (eg. com.fibaro) # Cloud state GET /api/manager/cloud/state/ # Devices GET /api/manager/devices/device/ GET /api/manager/devices/device/<DEVICE_ID>/ # Drivers GET /api/manager/devices/drivers/ GET /api/manager/drivers/pairsession/ # Experiments GET /api/manager/experiments/experiment/ # Flow GET /api/manager/flow/flow/ GET /api/manager/flow/flow/<FLOW_ID>/ # Flow folders GET /api/manager/flow/flowfolder/ # Flow tokens GET /api/manager/flowtoken/flowtoken/ # Images GET /api/manager/images/image/ # Insights GET /api/manager/insights/log/ # Language and unit settings GET /api/manager/i18n/ # LED ring GET /api/manager/ledring/screensaver/ GET /api/manager/ledring/state/ # Location GET /api/manager/geolocation/ # Logic GET /api/logic/variable/ GET /api/logic/variable/<VARIABLE_ID>/ PUT { "value": value } TO /api/manager/logic/variable/<VARIABLE_ID>/ # Mobile GET /api/manager/mobile/ # Notifications GET /api/manager/notifications/notification/ GET /api/manager/notifications/owner/ # Presence GET /api/manager/presence/ # Reminders GET /api/manager/reminder/reminder/ # Sessions GET /api/manager/sessions/session/ # Switch on: PUT { "value": true } TO /api/manager/devices/device/<DEVICE_ID>/capability/onoff/ # Switch off: PUT { "value": false } TO /api/manager/devices/device/<DEVICE_ID>/capability/onoff/ # System GET https://<HOMEY_IP>/api/manager/system/ # System Reboot // Use with caution! POST https://<HOMEY_IP>/api/manager/system/reboot/ # Users GET /api/manager/users/user/ GET /api/manager/users/user/<USER_ID>/ GET /api/manager/users/state/ # Weather GET /api/manager/weather/weather/ # Zigbee GET /api/manager/zigbee/state/ # Z-Wave GET /api/manager/zwave/state/ GET /api/manager/zwave/log/ POST /api/manager/zwave/command/ - heal: payload {command: "heal", opts: {nodeId: <NODE_ID>}} - test: payload {command: "sendData", opts: "<NODE_ID>,0x20,0x00"} # Zones GET /api/manager/zones/ GET /api/manager/zones/<ZONE_ID>/