Thanks!! Playing with it, filed some issues @ Git 
The wiki is awesome, hats off!
Concerning retrieving the bearer token, I found a neat scrip here.
Adjusted it a little bit, for when one uses 2FA authentication.
View Script
// Retrieve my Bearer token (access token) -> gets available in Homeyscript tag 'bearertoken'
//
// 2FA specific info:
// When using 2FA with your account: Enter your 2FA code by means of a (flow card) argument, otherwise ignore it
const twofaKey = args[0] ?? '';
//
// -------- o - Configure these parameters -------- o -------- o
//
// About configuring:
// A client_id and client_secret can be found at https://tools.developer.homey.app/api/projects
// Your cloudid can be found right after this URL part https://my.homey.app/homeys/
// or here https://tools.developer.homey.app/tools/system
// or here https://my.homey.app -> cogwheel -> System -> General
//
let email = 'Your_Homey_emailaddress'
// password: With 2FA enabled, just append the 6-figure number to your pw
// use args[0] to be able to enter it as flow argument
let password = 'your_Homey_password' + twofaKey ////Don't touch the "+ twofaKey" part pls!
let client_id = 'client_id'
let client_secret = 'client_secret'
// redirect_url: With 2FA enabled, use 'http://localhost/oauth2/callback', otherwise use 'http://localhost/'
let redirect_url = 'http://localhost/oauth2/callback'
let cloudid = 'your_cloud_id'
// -------- o -------- o -------- o -------- o -------- o
const between = function(str, strf, strt) {
return str.split(strf).pop().split(strt)[0].trim();
}
const authurl = 'https://accounts.athom.com/login'
console.log("POST authentication " + authurl)
const response2 = await fetch(authurl, {
"headers": {
"accept": "application/json, text/javascript, */*; q=0.01",
"content-type": "application/x-www-form-urlencoded; charset=UTF-8",
},
"referrerPolicy": "no-referrer-when-downgrade",
"body": 'email=' +encodeURIComponent(email) + '&password=' + encodeURIComponent(password) + '&otptoken=',
"method": "POST",
"mode": "cors",
"credentials": "omit"
})
const body2 = await response2.text()
const token = JSON.parse(body2)
const authorizeurl = 'https://accounts.athom.com/oauth2/authorise?client_id=' + client_id +
'&redirect_uri=' + encodeURIComponent(redirect_url) + '&response_type=code&user_token=' + token.token
console.log(" Response from accounts.athom.com/login ", body2)
console.log("GET Authorization " + authorizeurl)
const response3 = await fetch(authorizeurl, {
"headers": {
},
"method": "GET",
"mode": "cors",
"credentials": "include"
})
const body3 = await response3.text()
let csrf = between(body3, 'name="_csrf" value="', '">')
let cookiecsrf = null;
let raw = response3.headers.raw()['set-cookie'];
for (let cookie of raw) {
if (cookie.startsWith('_csrf=')) {
cookiecsrf = cookie.match(/=(.+?);/)[1];
break;
}
}
let cookie4 = '_csrf=' + cookiecsrf
// console.log("Cookie4", cookie4)
console.log(" CSRF input parameter", csrf)
console.log(" CSRF cookie", cookiecsrf)
let authorizeurl2 = 'https://accounts.athom.com/authorise?client_id=' + client_id + '&redirect_uri=' + encodeURIComponent(redirect_url) + '&response_type=code&user_token=' + token.token
console.log("GET Authorization", authorizeurl2)
const response4 = await fetch(authorizeurl2, {
"headers": {
"content-type": "application/x-www-form-urlencoded",
"cookie": cookie4
},
"redirect": "manual",
"body": "resource=resource.homey." + cloudid + "&_csrf=" + csrf + "&allow=Allow",
"method": "POST",
"mode": "cors",
"credentials": "include"
});
const body4 = await response4.text()
let code = response4.headers.get('location').split('=')[1]
console.log(" Response from authorization. Redirect to ", response4.headers.get('location'))
console.log(" Response content ", body4)
console.log(" Parsed the following code ", code)
let tokenendpoint = 'https://api.athom.com/oauth2/token'
console.log("POST token (resolve code to token) " + tokenendpoint)
const response5 = await fetch(tokenendpoint, {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"body": 'client_id=' + encodeURIComponent(client_id) + '&client_secret=' + encodeURIComponent(client_secret) +
'&grant_type=authorization_code&code=' + encodeURIComponent(code),
"method": "POST",
"mode": "cors",
"credentials": "include"
});
//console.log("Response5", response5)
const body5 = await response5.text()
let accesstoken = JSON.parse(body5)
let delegationEndpoint = 'https://api.athom.com/delegation/token?audience=homey'
const response6 = await fetch(delegationEndpoint, {
"headers": {
"content-type": "application/x-www-form-urlencoded",
"authorization": "Bearer " + accesstoken.access_token
},
"referrerPolicy": "no-referrer-when-downgrade",
"body": "client_id=" + client_id + " &client_secret=" + client_secret + "&grant_type=refresh_token&refresh_token=" + accesstoken.refresh_token,
"method": "POST",
"mode": "cors",
"credentials": "include"
});
const body6 = await response6.json()
console.log(" JWT token is " + body6)
let endpoint7 = 'https://' + cloudid + '.connect.athom.com/api/manager/users/login'
console.log("POST login endpoint " + endpoint7)
const response7 = await fetch(endpoint7, {
"headers": {
"content-type": "application/json",
//"authorization": "Bearer " + accesstoken.access_token
},
"body": JSON.stringify({"token": body6}),
"method": "POST"
});
const body7 = await response7.json()
console.log(" Response status " + response7.status)
console.log(" Response: " + body7)
await tag("bearertoken", body7)
return true
