How do you obtain valid x-august-api-key and x-kease-api-key #5

Closed
jdhrivas opened this issue Dec 9, 2017 · 24 comments

jdhrivas commented Dec 9, 2017

Trying to POST /session using Postman but the return is "Could not get any response"
There was an error connecting to https://api-production.august.com/session.

Headers:

[  
   {  
      "key":"x-august-api-key",
      "value":"727dba56-fe45–498d-b4aa-293f96aae0e5", // I found this value on https://medium.com/@nolanbrown/august-lock-rest-apis-the-basics-7ec7f31e7874
      "description":"",
      "enabled":true
   },
   {  
      "key":"x-kease-api-key",
      "value":"727dba56-fe45–498d-b4aa-293f96aae0e5", // I found this value on https://medium.com/@nolanbrown/august-lock-rest-apis-the-basics-7ec7f31e7874
      "description":"",
      "enabled":true
   },
   {  
      "key":"Content-Type",
      "value":"application/json",
      "description":"",
      "enabled":true
   },
   {  
      "key":"User-Agent",
      "value":"August/Luna-3.2.2",
      "description":"",
      "enabled":true
   },
   {  
      "key":"Accept-Version",
      "value":"0.0.1",
      "description":"",
      "enabled":true
   }
]

Body:

{
  "installId": "b7e2efe6-dd2c-11e7-9296-cec278b6b50a", // random UUID
  "password": "<PASSWORD>",
  "identifier": "phone:+1<PHONE>"
}
@jmaxxz
Owner

jmaxxz commented Jan 24, 2018

Use the x-kease-api-key 14445b6a2dba

You will get a response like:

{
    "installId": "0",
    "applicationId": "",
    "userId": "...",
    "vInstallId": false,
    "vPassword": false,
    "vEmail": false,
    "vPhone": false,
    "hasInstallId": true,
    "hasPassword": true,
    "hasEmail": false,
    "hasPhone": false,
    "isLockedOut": false,
    "captcha": "",
    "email": [],
    "phone": [],
    "expiresAt": "2018-05-24T03:06:25.576Z",
    "LastName": "",
    "FirstName": ""
}

and an x-august-access-token header. Set the api key environment variable to the value of this header. Then run Send password reset email and run Verify Email with the received code.

The response will again include an x-august-access-token header that you should use as the api key environment variable.

Then run Send password reset phone and run Verify Phone with the received code.

The response will again include an x-august-access-token header that you should use as the api key environment variable.

After this you will be set.

@jmaxxz
Owner

jmaxxz commented Jan 24, 2018

It looks like August may have changed this part of the API; I will get back to you.

@jmaxxz
Owner

jmaxxz commented Jan 27, 2018

OK, in the request bodies for verify phone and verify email, where it says

"value:"{{Email}}"
...
"value:"{{Phone}}"

it should be

"email:"{{Email}}"
..
"phone:"{{Phone}}"

August changed their APIs.

@jdhrivas
Author

@jmaxxz excellent! I was able to obtain the x-august-api-key with the information provided.
Thank you!

@jobryan

jobryan commented Apr 5, 2018

@jmaxxz Thanks for putting this Postman JSON together.

I followed your instructions from Jan 23rd above as follows:

(1) Sign-in using my credentials and x-august-api-key "14445b6a2dba".
(2) Send password reset email using the returned x-august-access-token (very long JWT with 3 parts separated by ".") and x-august-api-key "14445b6a2dba".

At Step 2, there's a long stall and then no response. Any ideas here?

POST /session
Response:

{
"installId": "0",
"applicationId": "",
"userId": "a315f74d-13b4-5c29-adf4-0bd25cbe91d6",
"vInstallId": false,
"vPassword": true,
"vEmail": false,
"vPhone": false,
"hasInstallId": true,
"hasPassword": true,
"hasEmail": true,
"hasPhone": true,
"isLockedOut": false,
"captcha": "",
"email": [],
"phone": [],
"expiresAt": "2018-08-04T02:16:21.393Z",
"LastName": "",
"FirstName": ""
}

which differs from your example above in that "vPassword" is true. Not sure if that's an issue or not...

Then, using the x-august-access-token from the response header:

POST /validation/email
Using Postman with

Headers:
Content-Type: application/json
x-august-api-key: 14445b6a2dba
x-august-access-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.

Body:
{
"email":"my@email.com"
}

Received "Could not get any response".

@ndroo

ndroo commented Apr 16, 2018

Yeah, I get the same long pause... not sure what's up with that.

@jmaxxz
Owner

jmaxxz commented Apr 22, 2018

@jdhrivas @ndroo

POST /validation/email

should have a body of:

{
"value":"{{email}}"
}

@msutara

msutara commented May 4, 2018

@jmaxxz
Man, first, thank you for this work! Second, have you noticed that the token returned recently seems not to "stick"? It works fine when both phone and email are validated, but (as I used mine with HomeBridge) when I restarted the service and tried to use it again, I received a 401. I think that August added an "agree" to their authorization workflow; does that make sense?

This is the decoded token I'm now getting with my homebridge plugin as well as your API ...

{
"installId":"E629CCCC-A9E0-40F1-8BB8-43A24830346B",
"applicationId":"",
"userId":"",
"vInstallId":true,
"vPassword":false,
"vEmail":true,
"vPhone":true,
"hasInstallId":true,
"hasPassword":true,
"hasEmail":true,
"hasPhone":true,
"isLockedOut":false,
"captcha":"",
"email":[
],
"phone":[
],
"expiresAt":"2018-09-01T15:21:11.015Z",
"LastName":"User",
"FirstName":"Anonymous"
}

@jmaxxz
Owner

jmaxxz commented May 7, 2018

How are you updating the token you are using? As far as I can tell everything works as it did before. If you are using Postman be sure you are setting the authorization token to be used after each step in the login process.

@msutara

msutara commented May 7, 2018

What I posted is the decoded token returned from your API. I refresh/use the returned token every time, same as your code does. It appears that the token remains “anonymous”. I observed that subscribing August in different apps (like ifttt) ends with an “agree” page, which is not what either of us do. Possible that’s the one returning cache-able user token? Thanks!

@jmaxxz
Owner

jmaxxz commented May 7, 2018

I don't have an API, the tools in this repo interact directly with August's servers.

@msutara

msutara commented May 7, 2018

Ok, sorry, my bad. I meant tools from your repo using August rest api are returning the token I posted.

@jmaxxz
Owner

jmaxxz commented May 7, 2018

Post the raw token

Repository owner deleted a comment from msutara May 7, 2018
@jmaxxz
Owner

jmaxxz commented May 7, 2018

So it is not as you said, that token had a user id specified and works just fine. However, from the token I can tell that you did not follow the directions and verify your email address.

Verify your email address. I would use https://lostphone.august.com/ to invalidate the token you previously shared as it was a working token, and would grant access to your account.

@jmaxxz
Owner

jmaxxz commented May 7, 2018

This is the decoded contents of the token you posted. In pretty much every way this token is functional.

{
  "installId": "<REDACTED install id>",
  "applicationId": "",
  "userId": "<REDACTED user id>",
  "vInstallId": true,
  "vPassword": false,
  "vEmail": true,
  "vPhone": true,
  "hasInstallId": true,
  "hasPassword": true,
  "hasEmail": true,
  "hasPhone": true,
  "isLockedOut": false,
  "captcha": "",
  "email": [],
  "phone": [],
  "expiresAt": "2018-09-04T14:50:50.233Z",
  "LastName": "User",
  "FirstName": "Anonymous"
}

@msutara

msutara commented May 7, 2018

Thank you very much @jmaxxz! Apparently I was not able to sign in with phone number, only email when using iPhone app. After I "reset" my login as suggested, appears that token is now working as you said.

Thank you very much again!

@jmaxxz
Owner

jmaxxz commented May 7, 2018

@msutara remember JWT tokens will grant access to your account, so be careful when you share them. I only asked for the raw token because in your previous post you said the userId was empty. (This would have been a very interesting token that was not specific to your account.)

Treat JWT tokens that are for your accounts as if they were your password.
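
An added example, not part of the original thread or of the repository's tools: a Node.js sketch that decodes a session token locally, reports the verification flags discussed above, and produces a redacted copy of the claims that can be posted instead of the raw token. The function names, the list of fields treated as sensitive, and the sample token are assumptions constructed for this example.

```javascript
// Inspect an August-style session JWT locally; nothing is sent anywhere.
// The signature is NOT verified (the HS256 secret is server-side), so use
// this for inspection only, never for trust decisions.
const SENSITIVE = ["userId", "installId", "email", "phone", "FirstName", "LastName"];
const FLAGS = ["vInstallId", "vPassword", "vEmail", "vPhone"];

function decodeSegment(seg) {
  // base64url -> base64; Node tolerates the missing padding
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

function inspectToken(jwt, now = new Date()) {
  const parts = jwt.trim().split(".");
  if (parts.length !== 3 || parts.some((p) => p.length === 0)) {
    throw new Error("not a three-part JWT (truncated or malformed)");
  }
  const header = decodeSegment(parts[0]);
  const claims = decodeSegment(parts[1]);
  const redacted = {};
  for (const [k, v] of Object.entries(claims)) {
    // keep empty values visible, mask anything that identifies the account
    const hasValue = Array.isArray(v) ? v.length > 0 : v !== "" && v != null;
    redacted[k] = SENSITIVE.includes(k) && hasValue ? `<REDACTED ${k}>` : v;
  }
  const exp = Date.parse(claims.expiresAt);
  return {
    alg: header.alg,
    hasUserId: typeof claims.userId === "string" && claims.userId !== "",
    unverified: FLAGS.filter((f) => claims[f] !== true),
    expired: Number.isNaN(exp) ? null : exp <= now.getTime(),
    redacted, // share this object, never the raw token
  };
}

// Constructed sample token (fake ids, dummy signature), built only for this demo.
const b64url = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [
  b64url({ typ: "JWT", alg: "HS256" }),
  b64url({ installId: "00000000-0000-0000-0000-000000000000",
    userId: "11111111-1111-1111-1111-111111111111", vInstallId: true, vPassword: false,
    vEmail: true, vPhone: true, email: [], phone: [],
    expiresAt: "2018-09-04T14:50:50.233Z", LastName: "User", FirstName: "Anonymous" }),
  "constructed-signature",
].join(".");

console.log(JSON.stringify(inspectToken(sampleToken, new Date("2018-05-07T00:00:00Z")), null, 2));
```
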

@msutara

msutara commented May 7, 2018

Yes, I understood that, thanks for deleting that ...

@federice

Hi guys, especially my friend @jmaxxz! How did you manage to get the x-kease-api-key 14445b6a2dba? It doesn't seem to be valid anymore.

@jmaxxz
Owner

jmaxxz commented Jun 22, 2018

@federice use 79fd0eb6-381d-4adf-95a0-47721289d1d9

@federice

federice commented Jun 22, 2018 via email

@jmaxxz
Owner

jmaxxz commented Jun 22, 2018

@federice simply capture traffic between the August app and their web servers.

The long form version:

  1. Get yourself an old phone and install the august app on it.
  2. Disable certificate validation system wide on your old phone. (Easier on Android than iOS)
  3. Run mitm proxy on another machine
  4. Configure your old phone with the proxy info from step 3.
  5. Launch the app on your old phone
  6. Mount lasers to sharks 🚥+ 🦈= 🌋

For most mobile apps or IoT things this is one of the best ways to get a practical understanding of how they work.

@juancortez

juancortez commented Dec 15, 2018

I have been trying to get this to work but am stuck on the "validate" email or phone.

I posted /validation/email and got a valid code sent to my e-mail.

I tried posting this to the following validate/email.

{
"email":"email-addresss",
"code": "code-from-email"
}

and I am getting the following error in the body:

{
    "userId": "user-id",
    "_value": "email:email-address",
    "resolution": "token_incomplete"
}

Does anyone have any idea what I'm doing wrong? I am using the x-august-access-token from the validation/email response header.

@Bhstark

Bhstark commented May 5, 2020

This message is actually what you get when it's working. You just copy the access token you get in response and use it in the rest of the API calls. The token is now considered valid.
