If I define an app API with setting public like this:
Then, why do I still have to declare the permission to
In the other apps that want to use this public API?
And secondly, in case this is the intended behavior: Can I use webhooks instead to communicate between apps that do not have permissions set up? (I just want to let the first app know if the other app is installed, and by adding permissions then I end up in a situation where some users will no longer be getting automatic updates, which would be a shame.)
You need that permission only if you want to use this.homey.api.* methods. I think they provide a shortcut to the API instead of making HTTP requests (it may also provide access to non-public endpoints, but you’d have to test that to make sure).
Making an endpoint public serves a different goal (namely making it accessible for the outside world, through HTTP).
And to answer your second question: you can use webhooks, but they are limited (AFAIK you can’t return any data in the response). You can, however, use another app’s public API by making HTTP calls to it.
Cool, thanks, I tested by using the HTTP request instead (using http://localhost/api/app/my_app_id/getSomething ) and it worked nicely without permission. I’ll route the traffic through there instead… Which makes it odd that they restrict the permissions in this.homey.api.* when “public” is set to true.