We could use more scopes

Hey team Homey!

I love the Homey API! But I would love it even more if some of the scopes currently reserved for the official Homey apps could be made available to us. Some notable omissions in the scopes available for third party devs include moods, and creating/updating (advanced) flows.

Do you have adding these on a roadmap?

Thanks a lot!


Yes, I’ve posted this before as well. They said that it’s not permitted for security reasons. For now I’m trying to reverse engineer the API from the web app to get access to all features of my Homey Pro 2019.

I get the security implications for things like installing apps (you could easily create a small botnet if tokens leak), but accessing moods and even creating flows seem relatively safe to me. The havoc you can wreak with a leaked key seems to be about the same as with the homey.device.control scope :sweat_smile:

Did you know Athom doesn’t review the code of community apps? There’s a hidden route (that’s not visible to regular users) in the Homey Developer Tools, which is the page they use for reviewing apps. I couldn’t see anything other than the app manifest there. So I think if someone really had bad intentions, they would just build an app for something many users asked for. That would be far more effective for attackers than trying to get users to add a malicious OAuth app.

Edit: something similar has actually happened before (although that was about spamming the timeline):

Looking deeper into it, a possible flow could be: ask for OAuth permissions first to resolve the (local/remote) URL, and use a locally generated API key for the advanced scopes.

This would only work on 2023+, but it’s not too bad as a workaround.

That won’t work in my case since I have a Pro 2019, but if you have a Pro 2023 or later then it might work. But I don’t think you can generate a local API key from the cloud API (the official one); for that you’d need to reverse engineer the web app API.

Call me blonde, but I don’t understand why AI tools are allowed to set, change and create such things:

More importantly: why are the AI tools allowed to do that, but other apps aren’t? For an app I’m currently building, I would need at least these permissions:

  • Create Flows
  • Update Flows
  • Get Flows
  • Create Advanced Flows
  • Update Advanced Flows
  • Get Advanced Flows
  • Create Flow folders
  • Update Flow folders
  • Get Flow folders
  • Create Logic variables
  • Get Logic variables
  • Create Moods
  • Update Moods
  • Get Moods
  • Create Dashboards
  • Update Dashboards
  • Get Dashboards
  • Create Alarms
  • Get Alarms
  • Set LED ring settings
  • Get LED ring settings
  • Set Google Sync settings (excluded devices)
  • Get Google Sync settings (excluded devices)
  • Set audio volume
  • Get audio volume
  • Get location
  • Set location
  • Install apps
  • Get apps
  • Get devices
  • Create PairSessions
  • Set device settings
  • Create HomeyScripts
  • Get HomeyScripts
  • Get app settings values
  • Set app settings values
  • Get Experiments settings
  • Set Experiments settings
  • Get Timeline settings
  • Set Timeline settings
  • Get Auto Update settings
  • Set Auto Update settings
  • Create Zones
  • Update Zones
  • Get Zones

Those are a lot of permissions, way more than the regular Web API offers. This means there is no other way to do it other than by reverse engineering the web app’s API.

In my opinion, a developer should have the option to allow all scopes. When authorizing with Homey, there should be a big red warning banner stating that the app has full control over their entire Homey and to make sure they trust the app before continuing. Athom should also check API clients before they get published (like with Homey apps) to check that they only have the scopes that they need. But to just block most scopes for third-party developers is a bit too much security IMO.

The scopes currently offered are not even close to what I would need to create a Transfer Tool for transferring data between Homeys.

I think it’s only fair that Homey, as creators and guardians of this platform, have way more access than we do :sweat_smile: They live and breathe this product, and probably think of edge-cases we don’t even imagine.

As for the MCP server, most/all agents ask you for permission for every MCP command, so you’re still behind the wheel. I don’t see anything wrong with that per se (especially if it’s coming from Athom).

But to get this conversation back on the track: it would be nice if we developers could ask for additional scopes. They don’t need to be in the form, but just some formalized way of requesting them would be of tremendous help :folded_hands:

It will work.

The local API key is just a Bearer token. So you don’t need the OAuth process with client_id, token handling and reading Homey data first (to get the cloud URL for your Homey).

The only thing you need to know is the cloud URL. Some newer models are using region-specific URLs.

But then you also can access the Homey via WWW and cloud API (REST service).

Under which scope is that then?

Most of them are read-only, and I see nothing about local API keys here.

Having access to scopes like moods and advanced flow management would open up a lot more possibilities for third-party apps. It would be great to know if this is something planned or being considered for future updates.


The local API key is just used as Bearer token.

When creating the key in HP23/HP26, you can set scopes.
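The two posts above describe the local API key as a plain Bearer token sent to the Homey’s local or cloud URL, with the scopes fixed when the key is created in the Homey settings. The following is an added example (not code from Athom, the Homey SDK or anyone in this thread) of what that call looks like and of the two checks a practitioner would want around it: the token is only sent over TLS unless the target is a private LAN address, and a 401/403 is reported as a key/scope problem rather than a generic HTTP failure. The base URLs, the key value and the `/api/manager/flow/flow` path are assumptions/constructed samples, not values from the page; the real URL comes from the Homey (or, as the thread notes, from the cloud API after OAuth), and local API keys exist only on HP23/HP26, not on a Pro 2019.

```python
import ipaddress
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Constructed sample values (hypothetical): the local IP of a Homey on the LAN,
# a remote/cloud URL, and a local API key created in the Homey settings.
SAMPLE_LOCAL_URL = "http://192.168.1.50"
SAMPLE_REMOTE_URL = "https://homey.example"
SAMPLE_KEY = "hp23-example-key-not-real"

# Assumed path; the real Web API path for flows may differ.
FLOW_PATH = "/api/manager/flow/flow"


def _is_private_host(host):
    """True only for a literal private/LAN IP address, never for a hostname."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def is_safe_base_url(base_url):
    """A Bearer token may go over https anywhere, or over http to a LAN IP only."""
    parsed = urlparse(base_url)
    if parsed.scheme == "https":
        return True
    if parsed.scheme == "http":
        return _is_private_host(parsed.hostname or "")
    return False


def build_request(base_url, api_key, path):
    """Build an authenticated GET; the local API key is sent as a Bearer token."""
    if not is_safe_base_url(base_url):
        raise ValueError(
            "refusing to send a Bearer token over plain HTTP to a non-LAN host"
        )
    url = base_url.rstrip("/") + path
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", "Bearer " + api_key)
    req.add_header("Accept", "application/json")
    return req


def call_api(req, opener=None):
    """Send the request; map 401/403 to a clear error about the key or its scopes."""
    opener = opener or urllib.request.build_opener()
    try:
        with opener.open(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            # The key was created with a fixed set of scopes; a 403 on an
            # endpoint usually means the key lacks the scope for that manager.
            raise PermissionError(
                f"HTTP {exc.code}: key rejected or missing scope for {req.full_url}"
            ) from exc
        raise


if __name__ == "__main__":
    req = build_request(SAMPLE_LOCAL_URL, SAMPLE_KEY, FLOW_PATH)
    print(req.full_url, req.get_header("Authorization"))
    try:
        print(call_api(req))
    except (PermissionError, urllib.error.URLError) as err:
        # Expected offline or when the sample key/URL are not real.
        print("request failed:", err)
```

The LAN exception exists because the Homey’s own local URL is plain http; anything that is not a private IP literal (a cloud or region-specific hostname) must be https, otherwise the key, which is equivalent to every scope it was created with, travels in the clear.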