Authentication
This section details how to authenticate to the Myfox API in order to get an access token that will allow you to perform actions through the Myfox API.
The first step is to create your own personal Myfox application or request a commercial application. Then, you can use the section at the bottom of this page to generate a valid access token.
Authorization is performed with OAuth2. Both the « Authorization Code Grant » and « Resource Owner Password Credentials Grant » methods are implemented.
We ask developers using the second option to use their application only with their own Myfox user account.
If we detect abuse on your key, we will need to expire the key, or turn it off, in order to preserve the API functionality for others.
- Resource Owner Password Credentials Grant (personal application)
- Authorization Code (commercial application)
Resource Owner Password Credentials (personal application)
The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application. The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable. This grant type is suitable for clients capable of obtaining the resource owner's credentials (username and password, typically using an interactive form). It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token. Detailed specification here.
This authentication is required by your personal application to interact with your own HomeControl system.
Request access token
A valid token must be requested to be able to perform API calls.
The token can be requested by calling, through the POST method, the URL https://api.myfox.me/oauth2/token and providing the parameters below.
- client_id
- client_secret
- username
- password
- grant_type set to password
curl -u CLIENT_ID:CLIENT_SECRET https://api.myfox.me/oauth2/token -d 'grant_type=password&username=YOUR_USERNAME&password=YOUR_PASSWORD'
or
curl https://api.myfox.me/oauth2/token -d 'grant_type=password&client_id=CLIENT_ID&client_secret=CLIENT_SECRET&username=YOUR_USERNAME&password=YOUR_PASSWORD'
If all went well, you will get a response like this:
{"access_token":"********************************","expires_in":3600,"token_type":"Bearer","scope":null,"refresh_token":"********************************"}
A token lasts 3600 seconds (1 hour) and you must use it until it expires.
Since September 2019, personal applications requesting too many tokens are deactivated automatically.
There are two ways to use a token until its expiration (to avoid deactivation of your personal application):
- Calculate the expiration date (with the expires_in property) when requesting the token. Get a new token when the old token has expired.
- Handle HTTP 401 responses: if the error property equals invalid_token, get a new token and retry your initial request.
{"status":"KO","timestamp":1569310000,"error":"invalid_token","error_description":"The access token provided is invalid"}
Both ways require you to store the token data between two requests.
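Both strategies combined in one token cache, as an added example that is not part of the Myfox documentation. The `request_token` and `send` callables are hypothetical transports (the first POSTs the form parameters to the token endpoint with the client credentials, the second performs one API request), and the 30-second `skew` is an assumption.

```python
import time

class TokenStore:
    """Cache one token response; request a new one only when needed."""
    def __init__(self, request_token, clock=time.time, skew=30):
        # request_token(params) -> dict is a hypothetical transport that POSTs
        # the form parameters to the token endpoint and returns parsed JSON.
        self._request_token, self._clock, self._skew = request_token, clock, skew
        self._token, self._expires_at = None, 0.0

    def access_token(self, credentials):
        if self._token and self._clock() < self._expires_at:
            return self._token["access_token"]  # still valid: reuse it
        if self._token and self._token.get("refresh_token"):
            params = {"grant_type": "refresh_token",
                      "refresh_token": self._token["refresh_token"]}
        else:
            params = dict(credentials, grant_type="password")
        self._token = self._request_token(params)
        # Expiration date from expires_in, renewed `skew` seconds early.
        self._expires_at = self._clock() + self._token["expires_in"] - self._skew
        return self._token["access_token"]

    def call(self, send, credentials):
        # send(access_token) -> (status, body) is a hypothetical API request.
        status, body = send(self.access_token(credentials))
        if status == 401 and body.get("error") == "invalid_token":
            self._expires_at = 0.0  # token rejected: renew once, retry once
            status, body = send(self.access_token(credentials))
        return status, body

def demo():
    # Constructed fake endpoint and clock so the example runs offline.
    now, grants = [1000.0], []
    def fake_endpoint(params):
        grants.append(params["grant_type"])
        n = len(grants)
        return {"access_token": f"tok{n}", "expires_in": 3600,
                "refresh_token": f"ref{n}"}
    store = TokenStore(fake_endpoint, clock=lambda: now[0])
    creds = {"username": "YOUR_USERNAME", "password": "YOUR_PASSWORD"}
    first = store.access_token(creds)
    again = store.access_token(creds)   # within the hour: no new request
    now[0] += 3600                      # past expires_in
    renewed = store.access_token(creds)
    return first, again, renewed, grants
```

The single retry in `call` is deliberate: a request that keeps returning 401 does not turn into a stream of token requests.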
Refreshing an expired access_token
To get a new access token, the refresh token is needed.
curl -u CLIENT_ID:CLIENT_SECRET https://api.myfox.me/oauth2/token -d 'grant_type=refresh_token&refresh_token=REFRESH_TOKEN'
After a token has been granted to your application, you can call the API endpoints listed on the documentation page.
Get a token
Use this form to obtain a fresh token that will allow you to perform API method calls.
Authorization Code (commercial application)
The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for confidential clients. Since this is a redirection-based flow, the client must be capable of interacting with the resource owner's user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorization server. Detailed specification here.
This authentication is used for commercial applications.
If you want to interact with your own system, you must use your personal application and the Resource Owner Password Credentials authentication.
Request authorization
A fresh token must be generated to be able to perform API calls.
The token can be requested by redirecting the resource owner's user agent to the following authentication server endpoint:
https://api.myfox.me/oauth2/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=https%3A%2F%2Fyour-domain.com%2Fsomewhere&state=YOUR_UNIQUE_VALUE
A successful authorization will pass the client the authorization code in the URL via the supplied redirect_uri:
https://your-domain.com/somewhere?code=CODE_GENERATED_BY_MYFOX&state=YOUR_UNIQUE_VALUE
Once this is done, a token can be requested using the authorization code:
curl -u CLIENT_ID:CLIENT_SECRET https://api.myfox.me/oauth2/token -d 'grant_type=authorization_code&code=CODE_GENERATED_BY_MYFOX&redirect_uri=https%3A%2F%2Fyour-domain.com%2Fsomewhere'
If all went well, you will get a response like this:
{"access_token":"********************************","expires_in":3600,"token_type":"Bearer","scope":null,"refresh_token":"********************************"}
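The client side of the redirect flow above, as an added example that is not part of the Myfox documentation: it generates the `state` value, checks it on the callback before accepting the code, and builds the token request parameters. The `session` dictionary stands in for the user's server-side session and the function names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://api.myfox.me/oauth2/authorize"

def build_authorize_url(client_id, redirect_uri, session):
    # A fresh, unpredictable state per attempt, bound to the user's session.
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORIZE_URL}?{query}"

def handle_callback(callback_url, session):
    """Return the authorization code, or raise ValueError if state is wrong."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replay fails
    received = params.get("state", [""])[0]
    # Constant-time comparison on bytes; an empty or absent state is rejected.
    if not expected or not hmac.compare_digest(expected.encode(),
                                               received.encode()):
        raise ValueError("state mismatch: callback not tied to this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("missing or duplicated code parameter")
    return codes[0]

def token_request_params(code, redirect_uri):
    # redirect_uri must be the same value that was sent to the authorize endpoint.
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri}
```

Rejecting a callback whose `state` does not match the stored value keeps an authorization code that was issued for someone else from being attached to the current user's session.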
Refreshing an expired access_token
To get a new access token, the refresh token is needed.
curl -u CLIENT_ID:CLIENT_SECRET https://api.myfox.me/oauth2/token -d 'grant_type=refresh_token&refresh_token=REFRESH_TOKEN'
After a token has been granted to your application, you can call the API endpoints listed on the documentation page.
Example
Clicking the Authorize button will send you to the Myfox OAuth2.0 Server to authorize and grant an access token to our demo application.
