API call on webthing

Hi.

I successfully made some calls via the API to the gateway (created token, then called a “fade” action on the demo http singlething).

But my calls on the “thing” itself via its own IP get a “Forbidden” error.

So how does it work? Is there a token to generate on the “thing” server directly or should I use the token generated on the gateway?

What if I want to use a “thing” without a gateway at all? Is it possible?

Thanks a lot :)

Best regards.

The WebThings API is just that, an API exposed by the WebThings gateway. You cannot use its token to communicate directly to a thing.

Most (all?) things managed by WebThings use an addon/driver that interfaces to things of the same type e.g.: I added a “Z-Wave” addon to control z-wave devices. You can inspect what addons are running by doing a “ps -aef | grep node”.

You will need to implement the node addon yourself to communicate and manage a collection of similar things.

Or, just obtain the API from the device manufacturer and write a custom program to control it. Good luck in this endeavor :)

I recently wrote a bash script that monitors X10 CM15 controller using Mochad and translates output to WebThing API calls to toggle z-wave devices. If you obtain an API from the manufacturer these scripts can be somewhat straightforward to cobble together as long as you're programming literate.

1 Like

Thanks a lot for this answer Eric. It’s very clear.

Out of interest @artcontr, what “thing” are you using? Is it an existing off-the-shelf device, or something you have created yourself with the WebThings Framework?

If it’s the former then you will need an adapter add-on as @EricEdberg says, but if it’s the latter then you should be able to communicate with the thing directly without a token.

Hi @bfrancis. Thank you for your answer.
I used the WebThings Framework (the java one, I used the example simple thing).
So I should be able to communicate with it without a token?
Maybe it’s not working because I’m trying to access it from an external IP address (not LAN)?
Thanks so much for your help!

@artcontr Yes, web things act as a web server and expose the same Web Thing API as the gateway. By default this is unauthenticated and only accessible on your local network so you shouldn’t need a token, but unless you’ve set up some kind of port forwarding the web thing wouldn’t be accessible from the internet.

WebThings Gateway has a built-in web thing adapter which can safely bridge a local web thing to the internet using HTTPS and the token you were using before, but you first need to add the web thing to the gateway using its local URL.

If you send a properly formed API request to your thing using its local IP address then you shouldn’t get a Forbidden error. Let us know how you get on.

@bfrancis It makes sense. I was trying to access the thing directly from its internet IP with a port forwarding.

But I guess the server blocks the API request when it comes from the internet, right?
(I get a “403: Forbidden” error as an answer)
(I get "web.py:2239 WARNING 403 POST /actions/fade (54.86.50.139) " on the server log)

Would there be a way to configure the server so we can use the api from the internet ? Maybe with a token generated in the server ?

While this is a stretch, I’ve used the “Virtual Things” addon to define switches/lights that, when activated, trigger “Run Program” addon instances which then execute custom programs.

In my case, each virtual thing is hard coded to a specific action as I don’t know of a way to create custom virtual thing parameters and then pass them to a shared/common program that could then parse options.

This is a poor way to expose a custom device over the internet, but it should work on a 1-off small scale.

I’m sure you realise this, but this means you are exposing an unauthenticated web server to the internet which anyone could access.

I’ve not actually used the webthing-java library myself so I’m not familiar with how it works, but it appears that in January @mrstegeman added a feature to disable host validation in the web server, which may do what you’re looking for. Alternatively it appears you can whitelist the host you want to allow.

Currently none of the web thing libraries have built-in support for authentication (e.g. using tokens), you need to implement that yourself. We’re interested in adding support for this directly into the web thing libraries and exposing security metadata to the Thing Description if you were interested in contributing.
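An added example, not part of the thread and not code from any web thing library: a guard that combines the two controls discussed above, a Host header allowlist and a self-implemented bearer token check, returning the status a request would get. The host names, the token and the function names are constructed for illustration, and it assumes the 403 seen earlier came from a Host check of this kind.

```python
import hmac

# Constructed values for illustration; not taken from the thread or a library.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "thing.local", "192.168.1.20"}
API_TOKEN = "example-token-replace-me"


def host_of(header_value):
    """Return the lower-cased host part of a Host header, without the port."""
    value = (header_value or "").strip().lower()
    if value.startswith("["):            # IPv6 literal such as [::1]:8888
        return value[1:].split("]", 1)[0]
    return value.rsplit(":", 1)[0] if ":" in value else value


def check_request(headers, allowed_hosts=ALLOWED_HOSTS, token=API_TOKEN):
    """Return the HTTP status a guard in front of the thing would answer with.

    403: Host header not on the allowlist (this also blocks DNS rebinding).
    401: missing or wrong bearer token.
    200: request may be passed on to the thing.
    Header names are assumed to be canonically cased ("Host", "Authorization").
    """
    if host_of(headers.get("Host")) not in allowed_hosts:
        return 403
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return 401
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(presented.strip().encode(), token.encode()):
        return 401
    return 200


if __name__ == "__main__":
    samples = [  # constructed requests
        {"Host": "192.168.1.20:8888"},
        {"Host": "203.0.113.7:8888", "Authorization": "Bearer " + API_TOKEN},
        {"Host": "thing.local:8888", "Authorization": "Bearer wrong"},
        {"Host": "thing.local:8888", "Authorization": "Bearer " + API_TOKEN},
    ]
    for request in samples:
        print(request.get("Host"), "->", check_request(request))
```

Keeping the allowlist and adding the public name to it, rather than turning host validation off, preserves the rebinding protection while the token check covers the missing authentication.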

Thanks for your answer.

> you are exposing an unauthenticated web server to the internet which anyone could access

Haha I know, it’s a temporary GCP VM I’m using just for quick tests so no impact if it gets hacked

> @mrstegeman added a feature to disable host validation in the web server

I’ll have a look tks

> if you were interested in contributing

I’d love to, but I’m not a dev so for now I’m only using what’s available (my skills in code are only copy-paste based). But I’m planning to get into it more in the next month so… I’ll keep this in mind

1 Like