Each user has their own instance of Home Assistant which gives each user control over their own data. However, we also wanted to make it easy for third party developers to create applications that allow users to integrate with Home Assistant. To achieve this, we have adopted the OAuth 2 specification combined with the OAuth 2 IndieAuth extension for generating clients.
Before you can ask the user to authorize their instance with your application, you will need a client. In traditional OAuth2, the server needs to generate a client before a user can authorize. However, as each server belongs to a user, we've adopted a slightly different approach from IndieAuth.
The client ID you need to use is the website of your application. The redirect url has to be of the same host and port as the client ID. For example:
- client id:
- redirect uri:
If you require a different redirect url (ie, if building a native app), you can add an HTML tag to the content of the website of your application (the client ID) with an approved redirect url. For example, add this to your site to whitelist redirect uri
Home Assistant will scan the first 10kB of a website for link tags.
All example URLs here are shown with extra spaces and new lines for display purposes only.
The authorize url should contain
redirect_uri as query parameters.
Optionally you can also include a
state parameter, this will be added to the redirect uri. The state is perfect to store the instance url that you are authenticating with. Example:
The user will navigate to this link and be presented with instructions to log in and authorize your application. Once authorized, the user will be redirected back to the passed in redirect uri with the authorization code and state as part of the query parameters. Example:
This authorization code can be exchanged for tokens by sending it to the token endpoint (see next section).
The token endpoint returns tokens given valid grants. This grant is either an authorization code retrieved from the authorize endpoint or a refresh token. In the case of refresh token, the token endpoint is also capable of revoking a token.
All interactions with this endpoint need to be HTTP POST requests to
http://your-instance.com/auth/token with the request body encoded in
All requests to the token endpoint need to contain the exact same client ID as was used to redirect the user to the authorize endpoint.
Use the grant type
authorization_code to retrieve the tokens after a user has successfully finished the authorize step. The request body is:
The return response will be an access and refresh token:
The access token is a short lived token that can be used to access the API. The refresh token can be used to fetch new access tokens. The
expires_in value is seconds that the access token is valid.
An HTTP status code of 400 will be returned if an invalid request has been issued. The HTTP status code will be 403 if a token is requested for an inactive user.
Once you have retrieved a refresh token via the grant type
authorization_code, you can use it to fetch new access tokens. The request body is:
The return response will be an access token:
An HTTP status code of 400 will be returned if an invalid request has been issued.
client_id is not need for revoke refresh token
The token endpoint is also capable of revoking a refresh token. Revoking a refresh token will immediately revoke the refresh token and all access tokens that it has ever granted. To revoke a refresh token, make the following request:
The request will always respond with an empty body and HTTP status 200, regardless if the request was successful.
Long-lived access tokens are valid for 10 years. These are useful for integrating with third-party APIs and webhook-style integrations. Long-lived access tokens can be created using the "Long-Lived Access Tokens" section at the bottom of a user's Home Assistant profile page.
You can also generate a long-lived access token using the websocket command
auth/long_lived_access_token, which will create a long-lived access token for current user. The access token string is not saved in Home Assistant; you must record it in a secure place.
The response includes a long-lived access token:
Once you have an access token, you can make authenticated requests to the Home Assistant APIs.
For the websocket connection, pass the access token in the authentication message.
For HTTP requests, pass the token type and access token as the authorization header:
If the access token is no longer valid, you will get a response with HTTP status code 401 unauthorized. This means that you will need to refresh the token. If the refresh token doesn't work, the tokens are no longer valid and so the user is no longer logged in. You should clear the user's data and ask the user to authorize again.
Sometimes you want a user to make a GET request to Home Assistant to download data. In this case the normal auth system won't do, as we can't link the user to an API with the auth header attached to it. In that case, a signed path can help.
A signed path is a normal path on our server, like
/api/states, but with an attached secure authentication signature. The user is able to navigate to this path and will be authorized as the access token that created the signed path. Signed paths can be created via the websocket connection and are meant to be shortlived. The default expiration is 30 seconds.
To get a signed path, send the following command:
The response will contain the signed path:
Some things to note about a signed path:
- If the refresh token is deleted, the signed url is no longer valid.
- If the user is deleted, the signed url is no longer valid (because the refresh token will be deleted).
- If Home Assistant is restarted, the signed url is no longer valid.
- Access is only validated when the request is received. If a response takes longer than the expiration time (ie, downloading a large file), the download will continue after the expiration date has passed.