API URL changes.

[oscarhenneke]

Since this morning i receive an error when calling the API URL. I Think Honeywell changed something...
Unknown error occurred: 302 at /etc/perl/Device/TotalConnectComfort.pm line 125.

Edit: seems to work now....

[oscarhenneke]

I just received an e-mail from honeywell about some API changes.

The base URL of the API used to be:

https://rs.alarmnet.com/TotalConnectComfort/WebAPI/

and is changing now to:

https://tccna.honeywell.com/WebApi/

[willdollman]

Thanks for the info. I've taken a look at the new version of the app and unfortunately the changes they've made are rather more substantial than just updating the API endpoint. The authentication system has changed, as have a few other things.

I've pushed a branch new-api that partially works with their new authentication system. I don't think fixing the rest of the code to work with the new system will be too big a task, but I'm not able to spend any more time on it for a couple of weeks. In the meantime, the old API still seems to work, and I'm happy to merge any pull requests.

[ewildgoose]

I'm currently getting error 501 in the same line of code as originally reported, for both new and old api...

I presume there is another change in API endpoint? Any more information available to fix this up?

I did find this URL though:
https://tccna.honeywell.com/WebApi/Help/LogIn
Not sure if I can login though...

[ewildgoose]

Scrub that... Turns out my problem was not having SSL support in LWP. Great error messages from perl...

I have fairly completely updated all the API, added new functions for the new get urls and also added functions (untested) for setting schedules, heat set points and system status (economy/away, etc). Pull request sent. Grateful if you would pull and push to master?

Thanks!

Note, definitely needs more API documentation. I have some network traces if anyone wanted to work on that... I haven't tested the set_xx functions, setting schedules is odd because the get uses different definitions for dayofweek between getting and setting... (might turn out that the server supports both..?)

Personally I am logging this on influxdb + grafana. I will try and write this up, possibly simpler to setup than cacti?

[willdollman]

I've merged, and also added you as a collaborator if you want to push anything else.

If you write that up, definitely add a link to the readme page - I haven't come across influxdb/grafana.

[theGAXman]

It seems like the fork is updated for the new URL, but I get an error that the app id is incorrect. Does it only work if you've been granted access to the new API?

[willdollman]

It looks like Honeywell have changed the server response codes, so the error message "App id is incorrect" is now most likely wrong. If I run the test_api.pl script with an invalid username/password (or without a username/password) I get that error. If I run it with a valid username/password, it works fine.

I'd check that your credentials work in the iOS/Android app. I don't believe you have to be granted access to the new API - it just worked for me.

[theGAXman]

Hmm. I tried the correct login on a couple of accounts with various
combinations of quotes (text, 'text', "text"). It does give the same
message with an incorrect password, though.

On Sun, Oct 18, 2015 at 1:13 PM, willdollman [email protected]
wrote:

It looks like Honeywell have changed the server response codes, so the
error message "App id is incorrect" is now most likely wrong. If I run the
test_api.pl script with an invalid username/password (or without a
username/password) I get that error. If I run it with a valid
username/password, it works fine.

I'd check that your credentials work in the iOS/Android app. I don't
believe you have to be granted access to the new API - it just worked for
me.

—
Reply to this email directly or view it on GitHub
#2 (comment)
.

[nico81]

Me too error 501 at line 125, any tips?

[ewildgoose]

Hi, I'm the culprit for many of the "new api" updates, so blame me... Can I just check you are using the new_api branch, not master? (@willdollman should we make this branch master now?)

I think I need the full error please. I don't see this, but for sure we should try and improve the error message?

I can confirm that I am actively using this code. I take the output and log it to influxdb. Then I have a dashboard in Grafana which plots actual temp vs target temp. It's quite funky actually!

The main thing which might go wrong is whether this URL can be used for all account types? It might be only for users on the European servers? Can anyone definitely on the US server confirm it works for them?

Other than that I suspect username/password troubles?

[theGAXman]

Great info. I am on a US account on the new_api branch.
I get this error:
App id is incorrect (or similar error) at Device/TotalConnectComfort.pm line 158.
This happens with valid and invalid credentials alike.

If it was a difference of server location, how would we go about getting the correct URL/App ID/Token, etc.?

[ewildgoose]

Do you understand how to log traffic dumps of your phone app? Send me a private message if you need help (lists squiggle-thing wildgooses. com)

[willdollman]

I think the Europe/America difference could be it. The web login pages for the American and European versions are different, and my European credentials don't work on the American login page:
American login: https://www.mytotalconnectcomfort.com/portal
European login: https://europe.mytotalconnectcomfort.com/account/Login

The error @theGAXman gets when logging in is the same as if you have incorrect credentials, so it seems likely that the new authentication system that the new-api branch uses doesn't recognise American accounts.

[willdollman]

@ewildgoose I've merged the new-api branch to master. If anyone is unable to get it working, you can still use the old system by checking out the old-api tag using $ git checkout old-api (don't forget to pull first).

I've just updated the request handler to dump the server response if it returns an error code, so @theGAXman could you try logging in again and pasting the response body? If it's due to American accounts not being recognised by the European auth system, I'd expect the error to be {"error":"invalid_grant"}.
One thing you could try is registering at https://europe.mytotalconnectcomfort.com/account/Login though I have no idea if the US and EU systems link up behind the scenes. Does the old-api code work for you, or did you ever have it working?

[theGAXman]

Current master:

pi@i3-RPi ~/perl-total-connect-comfort-master $ perl test_api.pl '[email protected]' 'xxxxx'

Full error message:

HTTP/1.1 400 Bad Request
Cache-Control: no-cache
Date: Thu, 29 Oct 2015 20:37:38 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.5
Server: Web1
Content-Length: 25
Content-Type: application/json;charset=UTF-8
Expires: -1
Client-Date: Thu, 29 Oct 2015 20:37:38 GMT
Client-Peer: 199.61.12.94:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
Client-SSL-Cert-Subject: /C=US/ST=Arizona/L=Tempe/O=Honeywell International Inc./CN=TCCNA.honeywell.com
Client-SSL-Cipher: DES-CBC3-SHA
Client-SSL-Socket-Class: IO::Socket::SSL
Set-Cookie: tccna=R3710656558; path=/; expires=Fri, 30-Oct-2015 20:46:54 GMT
X-Powered-By: ASP.NET

{"error":"invalid_grant"}

App id is incorrect (or similar error) at Device/TotalConnectComfort.pm line 158.


Old master from two weeks ago:

pi@i3-RPi ~/old-perl-total-connect-comfort-master $ perl test_api.pl '[email protected]' 'xxxxx' Invalid username/password, or session timed out at Device/TotalConnectComfort.pm line 123.

[oscarhenneke]

I get @random 503 errors when i pull data. Am i the only one?

[willdollman]

Guessing it's temporary server issues on their side - most people won't be checking the app every minute, so won't notice if they take the service down briefly for maintenance! If you catch it 503ing again, you could see whether the mobile app is down as well, as it uses the same web API as this script.

[ewildgoose]

Does it error on the login or retrieving some data? My production use stores the login token and re-uses it for as long as possible (it only revalidates it on error/expiry). I wonder if you get better success if you don't keep logging in? (Note I can't remember if these changes are on the git repo without checking, it might be only in my private version)

[dracoventions]

I'm getting the same {"error":"invalid_grant"} trying to log in with a user/password registered to the USA server (https://www.mytotalconnectcomfort.com/portal). Visiting the old API server at https://rs.alarmnet.com/TotalConnectComfort/WebAPI/ gets me error 404, file not found. I sent an email to [email protected] and got no response.

I also tried visiting http://api.honeywell.com but using various procedures to get API credentials all say the email/password I use at mytotalconnectcomfort.com is not valid. All their help files on the site refer to the leak detector and Lyric thermostats so I don't think the API is hooked in to TCC thermostats.

Does anyone have more info? Has anyone at Honeywell ever responded to why this is occurring? How can they leave Americans with no API access?

[dracoventions]

I finally got API access to a USA RedLINK thermostat!

From this Honeywell employee:

https://tccna.honeywell.com/WebAPI/api/ is used exclusively for our North American products now.

As the product base increased and considering the fact those products have different command needs we implemented a version of TCC just for UK/EMEA. Hence: https://tccna.honeywell.com/WebAPI/emea/api/v1/

Everything on https://developer.honeywell.com is for our Lyric family of products, so that's a bit different.

I figured the North America URL would work. The API is described here: https://tccna.honeywell.com/WebApi/Help/ApiIntroduction
When it asks you to log in, enter 91db1612-73fd-4500-91b2-e63b069b185c in the Application ID box, then click Log in.

I tried the API by typing this at the command prompt:
curl -X POST -H "Content-Type: application/json" -d '{"Username":"[email protected]","Password":"MyPassword","ApplicationId":"91db1612-73fd-4500-91b2-e63b069b185c"}' 'https://tccna.honeywell.com/WebAPI/api/Session'

and got this error:

[
  {
    "code": "EmailOrPasswordIncorrect",
    "message": "The email or password provided is incorrect."
  }
]

So I guess that API is used for North American thermostats, but not RedLINK? I kept searching and hit on yet another API URL, this one claiming to support RedLINK thermostats. The API is described here: https://tccna.honeywell.com/ws/MobileV2.asmx

Logging in can be accomplished with this command line:
curl -s -k -X 'POST' -H 'Content-Type: aplication/x-www-form-urlencoded' -H 'User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)' --data-binary $'ApplicationID=a0c7a795-ff44-4bcd-9a99-420fac57ff04&ApplicationVersion=2&[email protected]&UiLanguage=English&Password=MyPassword' 'https://tccna.honeywell.com/ws/MobileV2.asmx/AuthenticateUserLogin'

It returns a SessionID which you pass to various other API commands and I was able to get a list of my thermostats using GetLocations, then pass SessionID and ThermostatID to GetThermostat to get temperature from a particular thermostat.

Note that ApplicationId is specific to each particular API base URL. If you pass the wrong ApplicationId to the wrong API, you'll get an error that may or may not be clear what went wrong.

[jzwack]

Hi!

A few things to follow on above.

Our API keys and accounts are actually logically separated by region in TCC. Those of you with US TCC accounts and devices won't be able to use an API key from a UK app and vice versa. Some of the API resources may work, but the ones with /emea/ in the URI are designed for UK products.

Ideally, I'd like to get you your own API key(s) and use the OAuth login functionality instead of the sessions API or the mobile API wrapper.

[martin3000]

@jzwack Where can I get an applicationId / API key for mytotalconnectcomfort.com/WebApi ?

[mjcumming]

Any luck finding a way for devices registered in the US to work?