Ecobee API Changes Are Coming!

I just received the following email from Ecobee. Looks like the Ecobee integration may need some updates. Any idea who I should notify?

Thank you for being a valued ecobee partner.
We’re excited to announce that we are in the process of updating our authentication systems to better serve our customers and protect their privacy.

Please review this email closely as it outlines several changes that may affect how your systems are integrated with the ecobee API.

Upcoming API Changes Effective December 1, 2020
The following changes will go into effect on December 1, 2020. If you are unsure whether these changes will have an impact on your solution today, we encourage you to discuss it with your technology team, program manager, other stakeholders and ecobee partners.

Access/Refresh Token Format Changes
Starting from December 1, 2020, ecobee access tokens will no longer be returned as opaque 32-character strings. Access tokens will now be JWTs, which are considerably longer and use a wider character set. Our JWTs follow the RFC7575 standard for JSON Web Signature tokens.

To ensure your application will continue to work, you will need to ensure that your application supports the following changes:

  • Access tokens will be up to 7KB in length, and include upper/lower case alphanumeric characters, hyphens, underscores, and periods.
  • Refresh tokens can be of varying lengths and can contain non-alphanumeric characters.

Authorization Code Changes

  • The Redirect URI associated with your registered application should be a semi-colon separated list of absolute URLs that start with https://. We do not accept http:// protocol links.

PIN Authorization Changes

  • PINs will become 10-character alphanumeric strings.
  • This flow is only recommended in situations where a user is interacting with a device that cannot easily use a web-based login form; we recommend migrating to the Authorization Code strategy for a better user experience.

Click here for more ecobee developer documentation.

Early Access Program
For developers who would like to switch over to the new authorization flows before the December 1st deadline, there is an Early Access Program (EAP) available immediately. To gain access to this program, please submit a ticket on our Help Center and our Developer Relations team will reach out to you with next steps.

Next Steps
If you have any questions about these upcoming changes to the ecobee API, please submit a ticket on our Help Center and the Developer Relations team will get in touch with you.
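As an added example (not part of the ecobee email or of the integration's code), here is a client-side sanity check for the format changes the email lists: JWT-shaped access tokens up to 7KB, 10-character PINs, and https-only redirect URI lists. It shows how storage sized for the old 32-character tokens would be caught. All function names and sample values are constructed for illustration.

```python
import base64
import json
import re
from urllib.parse import urlsplit

MAX_ACCESS_TOKEN_BYTES = 7 * 1024               # "up to 7KB" in the email
TOKEN_CHARSET = re.compile(r"[A-Za-z0-9._-]+")  # alphanumerics, hyphen, underscore, period
PIN_FORMAT = re.compile(r"[A-Za-z0-9]{10}")     # new 10-character alphanumeric PIN

def _segment_json(segment):
    """Decode one base64url JWT segment (padding restored) as JSON."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_access_token(token):
    """Return a list of problems; empty means the token fits the announced format.
    Structural check only: the signature is NOT verified, so nothing decoded
    here may be trusted for an authorization decision."""
    problems = []
    if len(token.encode()) > MAX_ACCESS_TOKEN_BYTES:
        problems.append("longer than 7KB")
    if not TOKEN_CHARSET.fullmatch(token):
        problems.append("characters outside the announced set")
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return problems + ["not three dot-separated segments (truncated in storage?)"]
    try:
        _segment_json(parts[0])
        _segment_json(parts[1])
    except ValueError:  # covers base64, UTF-8 and JSON decoding errors
        problems.append("header or payload is not base64url-encoded JSON")
    return problems

def bad_redirect_uris(value):
    """Return entries of a semicolon-separated list that are not absolute https:// URLs."""
    entries = [u.strip() for u in value.split(";")]
    return [u for u in entries if urlsplit(u).scheme != "https" or not urlsplit(u).netloc]

def is_new_style_pin(pin):
    return PIN_FORMAT.fullmatch(pin) is not None

def constructed_token():
    """Constructed sample token with a fake signature; not a real ecobee token."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc({"exp": 1606780800}), "c2ln"])

if __name__ == "__main__":
    token = constructed_token()
    print(check_access_token(token))        # full token
    print(check_access_token(token[:32]))   # what a 32-character column would keep
    print(bad_redirect_uris("https://app.example/cb;http://app.example/cb"))
```
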

It appears the creator of the integration was notified and didn’t see any issues…

I’ll post here what I just posted on Reddit:

I’ve reviewed the changes as presented by ecobee and I don’t see that any of the changes will impact the integration. The main changes are that the format (length) of the PIN and keys will change, and the refresh token expires differently. But the integration is already equipped to handle these as is. I will continue to review to make sure the integration won’t be impacted.


Thank you @marthocoo!

So I did everything stated here… and it all worked and restored connectivity… however I’m seeing a strange behavior…
The Ecobee controls are all working; however, the temp sensors will only get updates for an hour and then freeze… but all the controls still work. Any ideas? I’ve blown away the DB but there’s no new data… a reboot doesn’t restore the incoming temp data. I’ll keep updating this if I figure it out myself.

-Thanks for all the work… !

So, if you previously integrated with a 4-character PIN format, does the integration automatically grandfather you in? Evidently, mine did not. Of late, the thermostat and its accompanying automations are “not available.”

I also had to re-integrate the Ecobee integration with a fresh authorization PIN.

I’m getting the below issue when attempting to complete the Ecobee integration. Any ideas where I can get the 4-digit PIN?