Homey Community Forum

Bearer token expires in 24h - Solution?

#1

Hi,

Since a couple of weeks the Bearer token is expiring once a day. Pretty annoying if you have stuff depending on remote access. Webhooks has been an alternative, but a less secure one, maybe not good enough for all applications.

I’m no developer and is just trying to solve this issue somehow. I’m having a har time reading the API documentation. No examples is basically my issue, so I can’t really figure out how to test this. But can this be a solution to turn off auto expiring tokens?

https://developer.athom.com/docs/api/AthomCloudAPI.html#disableAutoRefreshTokens

What is the proper command to type in Playground to actually test this?

Is there any documentation describing the syntax for the API? This is probably a no brainer for any developer, but I’m not there :slight_smile:

#2

Just for you information, webhooks (which works on https) is way more secure then using the bearer token, which is like the putting your house key on the front porch with just a low wooden gate in front, and also the reason why it changes now every 24h. (you, and others, can literally do everything on your homey with the bearer token)

#3

Very good point, @Caseda! With the Bearer token the whole API is exposed and that can be way less secure in one way. However, with https, headers are encrypted and protected inside the tunnel. And you need to crack the encryption or own the endpoints to get hold of the Bearer token.

Webhooks on the other hand is the URL only and that is exposed to any point between the source and destination regardless of http or https.

So let’s say I have my house behave in different ways depending on my presence. I will actually be more exposed with clear text webhooks than with an encrypted header.

Do you know if disableAutoRefreshTokens are related to the Bearer token 24h expiration?

#4

It most likely is based for the normal api keys which aren’t given out yet publicly (homey.ink as example doesn’t refresh the token)