Oauth2 Access Token

I guess that bears the question…

Is it possible… or will it be possible… for a user to get an API key via code? Is there an endpoint for retrieving the user’s API key?

Instead of an OAuth authorization, can an API key be used instead? Would that work the same?

tbh I don’t know! I’m certainly not aware of an endpoint that will give you the API key, and my feeling is that the industry standard Oauth flow is the expected route to achieve authorization without the user copying/pasting.

Not sure if you saw this, but it might be useful: Websocket rate limit exceeded

Yep, saw that…
I’m look at @dsj’s post above (#6)…

Just sign in at tempestwx.com then go to Settings → Data Authorizations (or directly: https://tempestwx.com/settings/tokens ) and create an access token. Once you have a token, you can use it with REST requests and WS connections

With that in place, we (developers) should be able to allow a user to login and get/create the access token via code…

1 Like

Hi folks. First off, apologies for not having this authentication business all written up nicely in our API documentation, yet. We are still working on that (in between everything else). The good news is that we do have a system that’s working well in production. In a nutshell, here are the two options for user authentication in a third-party application:

  1. Personal Access Token . If you have a very simple app (like a python script or something your users download and run on their own) you will want to go the “personal access token” route. It’s a little clunky for the user because it requires him or her to sign in to our website, create a token, then copy & paste that token into your app. This method is currently only documented here on the forum (in this very thread), but it works great.

  2. Oauth2. If you have a more sophisticated app or just want to provide your users a slicker, more seamless integration, allowing them to stay in your app when they authenticate against their Tempest account, you will want to use Oauth2. This is the way our own integrations work (Amazon Echo, Google Home, IFTTT, etc.). Oauth2 can be complicated, but the primary requirement is for you to run a server process that can respond to a post from the Tempest system, or an app with a custom URL handler. This method is not publicly documented yet, but we are beta testing it (and it’s what CARROT Weather uses). If you want to be an Oauth2 beta tester, shoot me a PM!

4 Likes

You could always have it redirect to a url on your website then have it redirect to a url that will open up your app with a token. This method would be listed in the iOS and Apk docs.

I’m starting down the road of migrating my WallGauge from using the Personal Use Token (found under Data Authorizations on the settings tab at tempests.com) to the new OAuth2 process as documented here. First off I want to make sure this is the right thread to ask questions on the OAuth2 process. If not please shoot me a link and I will post my questions there.

One of the first steps in the documentation says to register your application with WeatherFlow by going to https://tempestwx.com/, settings tab and then to Developers. I don’t have a developers option. Is that something that needs to be turned on for my account? I’m using safari on my Mac hope its not a browser thing.

This is the link here: https://tempestwx.com/developers/applications.

What language are you using to write the wall gauge software?

1 Like

Thank you for this. I was about to ask the exact same question.
I will start migration my Integration for Home Assistant and I will be using Python as development language. Will post here once I have something that works.

I moved your post to this slightly more appropriate topic.

This is a case of the documentation getting ahead of the implementation (it’s usually the other way around!). We haven’t added that to the web app quite yet, but we’re getting close.

Thanks, Peter - you answered before I could!

2 Likes

That link works, thanks.

Short answer:

Node.js

2 Likes

Does anyone know how to send data to Sign In so a user can authorise your app?

Or do you need to be a beta tester to access this?

I’m in the process of creating a Wordpress plugin that will allow you to show data from you PWS anywhere on your website via a shortcode or widget and feel it would be easier for the user using Oauth2 than creating their own access token. This would be done by running via a script on my website and then sending the access token generated back to their wordpress site.

Oh I figured out, the query string parameters have to be in lowercase.

1 Like

@dsj I noticed that on https://tempestwx.com/developers/tokens you can’t delete a token. It does nothing when you click the delete button on the popup. The access tokens on this page show up as “undefined”.

Ah, good catch. That page is obsolete now, replaced with Tempest Settings

Thanks for pointing it out - we’ll clean that up.

1 Like

I see. Any chance you will include the access tokens created by the applications on the https://tempestwx.com/settings/tokens/ page too? So they can easily be removed like personal tokens.

Yes, there will be a separate section listing third-party application tokens on that page, along with a way to remove/revoke them.

1 Like

He @bjarne, I am working on a PR on the underlying pysmartweatherio to support oAuth2 soon. Already working on supporting dotenv files (‘.env’) for easy storage of secrets for projects based on pysmartweatherio. my fork: GitHub - jberends/pysmartweatherio: Wrapper for the WeatherFlow Smart Weather REST API. Designed to work with Home Assistant

Fantastic. Let me know when you have something you like tested. I have a few other projects right now, so I did not really get started. Looking forward to what you come up with.

Hi everyone,

I am trying to integrate Tempest using oauth2 authentication with code. I have been using this mechanism with other weather station providers and it works well and is easier for the user (no need to generate a token).

For some unknown reason, it fails most of the time.

From my mobile app, I successfully retrieve the code (works all the time). The code is sent to my server and I send a POST message to https://swd.weatherflow.com/id/oauth2/token with the following header: Content-Type: application/x-www-form-urlencoded with grant_type, code, client_id and client_secret.

it worked once or twice, but I usually get the following error (status code 401):
{"client_id":"MY_CLIENT_ID","error":"invalid_grant","error_description":"Invalid client_secret, client_id or authorization token","status":{"status_code":2,"status_message":"Invalid client_secret, client_id or authorization token"},"errors":[{"message":"Invalid client_secret, client_id or authorization token"}]}

Did anyone manage to make it work reliably?

Thanks,
Vincent

1 Like

have you created your dev account as described in this page ??