bdraco / yalexs

Python API for Yale Access (formerly August) Smart Lock and Doorbell
MIT License

New Yale Connect Bridge API Changes? #99

Open PlasmaSoftUK opened 8 months ago

PlasmaSoftUK commented 8 months ago

I came across this repository while trying to find a working plugin for Homebridge and my new Yale Connect Bridge. I have a Yale Conexis L1, with the new Orange Module and an AC-R1 WiFi Bridge. I understand this is the same bridge as the August locks. None of the currently available plugins seem to work:

homebridge-yale-connect
homebridge-yale-home
homebridge-yale-lock
homebridge-august

I've been trying to identify the requests and responses using Fiddler, Charles and MITM and I was hoping to tweak an existing one to get the lock into HomeKit. I've managed to get the Web Auth working in Postman using:

https://account-api.aaecosystem.com/login
https://account-api.aaecosystem.com/validate/email (or phone)
https://account-api.aaecosystem.com/user <-- Can successfully GET this and it returns some JSON which includes account details and profile pic url

However the rest of the API calls like /user/me, /user/locks/mine and /homes/mine etc return:

{
    "code": "ResourceNotFound",
    "message": "/user/locks/mine does not exist"
}

But when using the Yale Home App it calls api.aaecosystem.com (without the account- on the front). I also tried this base URL and I can auth, but again none of the additional calls seem to work.

I was hoping I could use the Yale Home App on my phone with MITM or Charles to identify the lock and the unlock commands but it appears to have some additional TLS security and rejects the certificates. Have you had any dealings with this, or is there anything else I can help you with to try and get this working against the newer Yale API?

m10x commented 6 months ago

Hm, all the API calls are working for me with api.aaecosystem.com. Can you share the exact requests you are sending? You can easily check if the endpoints exist with curl or your browser, without getting an API token. E.g.

https://api.aaecosystem.com/users/locks/mine returns {"code":"MissingParameter","message":"x-august-api-key header is required"} => it exists

while

https://api.aaecosystem.com/users/locks/minefoo returns {"code":"ResourceNotFound","message":"/users/locks/minefoo does not exist"} => does not exist

PlasmaSoftUK commented 6 months ago

@m10x interesting, seems some of the headers were upsetting it as I left the account- on the front of the referrer. But I still can't get it to work. It asks for the 'x-august-api-key' but even if I send the token I get from the Auth it still refuses it.

{ "code": "Forbidden", "message": "API key is not valid" }

m10x commented 6 months ago

I'm always taking the headers from the HASS August Integration log output, so I've never done the authentication myself. The headers I'm using with https://api.aaecosystem.com look like the following:

Host: api.aaecosystem.com
Accept-Version: 0.0.1 (Or 4.0.0 for the activities API endpoint)
x-august-api-key: 1234abcd-12ab-12ab-12ab-123456abcdef
Content-Type: application/json; charset=UTF-8
User-Agent: August/Luna-22.17.0 (Android; SDK 31; gphone64_arm64)
x-august-country: US
x-august-branding: yale
x-august-access-token: eyJ0...JWT with the Infos installId,region,applicationId,userId,vInstallId,vPassword,vEmail,vPhone,hasInstallId,hasPassword,hasEmail,hasPhone,isLockedOut,captcha,email,phone,expiresAt,temporaryAccountCreationPasswordLink,iat,exp,step,LastName,FirstName...IjQ

m10x commented 6 months ago

For /users/locks/mine only Accept-Version, X-August-Api-Key and X-August-Access-Token are required. The error message you get is only returned when the X-August-Api-Key is invalid. But as I've never done the auth flow, I don't know what might have gone wrong there.
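
An offline triage helper for the error bodies and headers quoted in this thread, added here as an example (it is not code from yalexs or from any commenter). The `diagnose` function, its messages and the sample values are constructed, and the check that flags a JWT-shaped API key is an assumption based on the header listing above.

```python
import json
from urllib.parse import urlsplit

# Headers the last reply lists as required for /users/locks/mine.
REQUIRED = ("accept-version", "x-august-api-key", "x-august-access-token")

# Error codes quoted in the thread and what the replies say they indicate.
MEANING = {
    "ResourceNotFound": "path does not exist on this host",
    "MissingParameter": "endpoint exists, a required header is absent",
    "Forbidden": "x-august-api-key was rejected",
}

def diagnose(url, headers, body):
    """Return findings for one captured request/response pair (no network I/O)."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    try:
        code = json.loads(body).get("code")
    except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
        code = None
    findings = [MEANING.get(code, f"unrecognised response code: {code!r}")]
    missing = [h for h in REQUIRED if not hdrs.get(h)]
    if missing:
        findings.append("missing headers: " + ", ".join(missing))
    key = hdrs.get("x-august-api-key", "")
    token = hdrs.get("x-august-access-token", "")
    # Assumption: a JWT has three dot-separated parts, while the API key shown
    # in the thread is UUID-shaped, so a dotted key is probably the login token.
    if key.count(".") == 2 or (key and key == token):
        findings.append("x-august-api-key looks like the login token, not an API key")
    if urlsplit(url).hostname == "account-api.aaecosystem.com":
        findings.append("host is account-api; replies in the thread use api.aaecosystem.com")
    return findings

# Constructed sample: placeholder token, error body copied from the thread.
SAMPLE_HEADERS = {
    "Accept-Version": "0.0.1",
    "X-August-Api-Key": "aaa.bbb.ccc",
    "X-August-Access-Token": "aaa.bbb.ccc",
}
SAMPLE_BODY = '{"code": "Forbidden", "message": "API key is not valid"}'

if __name__ == "__main__":
    for line in diagnose("https://api.aaecosystem.com/users/locks/mine", SAMPLE_HEADERS, SAMPLE_BODY):
        print(line)
```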