I’m working on a custom IoT device and I’d like it to use web-requests and the REST API to access data from my HA instance; however, I’m having an issue trying to understand how I’d be able to authenticate the device without having to pre-make an authentication token and hard-code it or somehow enter it manually.
I’d like to be able to do the authentication dynamically, following the Authentication API document, but it presumes either a browser-based authentication or a native app. From looking around, there is such a thing as “device authorization grant” which would fit what I’m looking to do, but I’m unsure whether it can be implemented and, if so, how.
That page is all about allowing users to authorize a third-party app or service to integrate with their Home Assistant instance, and does not apply to the use case of authorizing a device to directly integrate without a user in the loop.
Token-based authorizations are very common for device-to-device use cases and invoking third party APIs. Perhaps you could explain why this doesn’t work for you to help someone help you? Or possibly this is a case of an XY problem?
I’m still looking to use a token, but instead of having the user generate one manually, I’d like the user to be able to get a URL that they can go and authenticate with via their non-input constrained device (e.g. smartphone or laptop), but I’m not sure how that workflow would work since there isn’t an example provided by the page I’ve linked. It is possible that I’m making this more complicated than it should be (well, that’s part of the fun for me!).
The biggest disconnect for me is, sure, following the Authentication API document I can have the device display an authorization link that the user can then use to log in to the HA instance and get the authorization code, but I don’t see a way to have it passed back to the IoT device without making another custom app/plugin for the smartphone/browser.
I had assumed you were asking this question as the sole user of a custom device, but now I gather that you plan to release or sell this device as a developer and are trying to ensure it has a smooth authorization flow for your users.