Authentication for Alexa


How are people authenticating Alex skills? I added the legacy api password but I don’t like it as if it was hacked it gives full access to my HA platform rather than just to the intent.

Can we create an intent password/code?

1 Like

i’m just using the emulated_hue component to control Alexa, no auth needed!

The question here is for Alexa Custom Skills. Emulated Hue is only for basic integration.

I have the same issue / concern and haven’t found a solution yet. I use haaska for basic home assistant integration and for Alexa custom skills, I still issue a long-lived access token and enable legacy auth provider.

I’m not seeing how to get around the URL request in the Lambda Endpoint setting:


In all my testing I have to use legacy auth provider for this or it does not work. Hopefully there is another way to craft the URL/request and I just haven’t found it yet.


Any development on integrating Alexa with Home Assistant not using an API Password?

I’m curious about this as well. I recently realized my skill isn’t working because I disabled the legacy API password as recommended.

As a brand new HA user, I struggled with this for a bit. As far as I can tell, there is no way to specify the bearer token needed for the LLAT in Amazon’s API.

Eventually I had to cry uncle and setup a Lambda function to add the token and forward the requests to my https endpoint: (based on the forwarding function found here)

Configure it as a nodejs 10.x script with 3 environment variables:

HA_ENDPOINT: full url of your endpoint (e.g, ‘https:///api/alexa’)
TOKEN: your long-lived access token
DEBUG: optional value for controlling logged output. 0-5, default 0

var http = require('http');
var https = require('https');
var URLParser = require('url');
exports.handler = function (json, context) {
    try {
        const debugLevel = process.env.DEBUG || 0;

        if (debugLevel > 0 && debugLevel < 3) console.debug('intent:', json.intent); 
        if (debugLevel > 0 && debugLevel > 2) console.debug('json request:', JSON.stringify(json) );

        const endpoint = process.env.HA_ENDPOINT;
        if (!endpoint) {'HA_ENDPOINT environment variable not configured.'); }
        const token = process.env.TOKEN;
        if (!token) {'TOKEN environment variable not configured.'); }

        const url = new URLParser.parse(endpoint);
        const post_data = JSON.stringify(json);
        // An object of options to indicate where to post to
        const post_options = {
            protocol: url.protocol,
            host: url.hostname,
            port: url.port,
            path: url.pathname,
            method: 'POST',
            headers: {
                'Content-Type': 'application/json',
                'Content-Length': post_data.length,
                'Authorization': `Bearer ${token}`

        if (debugLevel > 0 && debugLevel > 2) console.debug('post options:', post_options);

        const scheme = (url.protocol === 'https:') ? https : http;
        // Initiate the request to the HTTP/HTTPS endpoint
        var req = scheme.request(post_options,function(res) {
            var body = "";
            // Data may be chunked
            res.on('data', function(chunk) {
                body += chunk;

            debugLevel < 5 || console.debug(res);

            res.on('end', function() {
                debugLevel < 1 || console.debug('Response body:');
                debugLevel < 1 || console.debug(body);
                // When data is done, finish the request
        req.on('error', function(e) {
  'problem with request: ' + e.message);
        // Send the JSON data
    } catch (e) {"Exception: " + e);

This is cool, Brian - thanks!
I’ve not yet tried this method out of fear of breaking my setup lol.

Has anyone else tried this? @bschantz, now that you’ve had it running for a while, any issues?