codetheweb
commented
5 years ago That's really cool; thanks for sharing @unparagoned. I'll add it to the README.
Open michmike opened 6 years ago
codetheweb
commented
5 years ago That's really cool; thanks for sharing @unparagoned. I'll add it to the README.
ghost
commented
4 years ago I haven't tested it, but it looks like Tuya released their docs for their API at some point.
Tuya Docs: https://docs.tuya.com/docDetail?code=K8v0h3gsie1b9
codetheweb
commented
4 years ago They've had those up for a while. :)
Although some endpoints do seem more thoroughly documented now.
ghost
commented
4 years ago You wouldn't happen to know if it costs money to use the API @codetheweb? I am having a tough time figuring that out by looking at their website.
I want to implement a library in C++ for the api, but I don't plan on selling it as a product, so I am only going to do it if it is free.
codetheweb
commented
4 years ago The API was free to use, then they added a $2000 paywall, and now it appears it might be free to use again.
It's not clear because it says to contact support to get the the API secret.
If you want to try, create an account on iot.tuya.com and make a new app under App Service.
sven5
commented
4 years ago This could be of interest: https://github.com/unparagoned/cloudtuya
mateusscheper
commented
4 years ago You can request an API user + secret for free. I got mine and tried to make requests using Postman, but I always get permission denied.
I contacted support for help but I really don't understand what to do.
I'm leaving the entire conversarion here. If anyone have a clue about what do to, please answer me, because I'm in the dark.
Support conversation:
Me 2019-11-12 02:02:02 Hi!
I'm trying to use the open API but I'm getting permission denied on some requests. I've been reading in the docs and I have to set "schema", but I'm using Smart Life App in my phone and Postman in my PC. How can I do this?
Thank you!
Tuya 2019-11-12 11:17:14 hi dear.When you call a device’s related interface and are prompted “Permission denied”, check the two dimensions of permissions following and ensure you are conforming to them. App dimension: Users linked with devices are the developer’s users on the Tuya Cloud app; developers have indirect permissions to operate the devices of their app users. Product dimension: the devices used by the products belong to the developer on Tuya Cloud product devices; developers have operation permissions on these devices.
Me 2019-11-12 12:50:36 Hi! Thank you for your reply.
I still don't quite understand. I'm following this tutorial: https://docs.tuya.com/en/iot/open-api/quick-start/quick-start Yet I can't make requests. What am I missing?
Thank you.
Tuya 2019-11-12 13:06:23 In brief, the product and app you develop must be under your account, and you can check it from the two dimensions I sent above.Smart Life App is tuya's app. You can't develop it~best wishes
Me 2019-11-13 22:55:19 Hi!
I'm not developing an app. I'm just using the open API to make requests.
Tuya 2019-11-14 10:26:07 hi dear The device API you call must be a product you created on the IOT platform, or it will be prompted “Permission denied”
Me 2019-11-15 13:07:48 Ah, you are saying I need to create an OEM app! I see now!
Well, I did, but it asks to reset my smart plug, but I cannot do this because it is already connected to Smart Life App. Can I use Smart Life App's schema inside API? I don't want to use my own app for this.
Tuya 2019-11-15 13:18:23 Hello,smart life belongs to tuya, which cannot make API calls from the application dimension. You need to create OEM app or app SDK. best wishes~
Me 31 minutes ago Hi!
Ok, I created an app. The app's package name is "com.mateus.smartplug", so I set schema in Postman as "mateussmartplug", but I'm still getting permission denied. What am I doing wrong?
Tuya 23 minutes ago hi dear pls refer to this link:https://docs.tuya.com/en/iot/open-api/tuya-open-platform-access-guide/simple-grant best wishes~
This is what I'm getting:
limkopi78
commented
4 years ago Just to chip in the discussion. You must have OEM a Tuya app (your own rebranded app) to be able to use the API. The user and devices must be registered under your own rebranded app in order for the API to work. Otherwise you only get permission denied.
The clientId and secret is tied to the name space of your own rebranded app
On Sat, Nov 16, 2019, 12:36 PM mateusscheper notifications@github.com wrote:
You can request an API user + secret for free. I got mine and tried to make requests using Postman, but I always get permission denied.
I contacted support for help but I really don't understand what to do.
I'm leaving the entire conversarion here. If anyone have a clue about what do to, please answer me, because I'm in the dark.
Support conversation:
Me 2019-11-12 02:02:02 Hi!
I'm trying to use the open API but I'm getting permission denied on some requests. I've been reading in the docs and I have to set "schema", but I'm using Smart Life App in my phone and Postman in my PC. How can I do this?
Thank you!
Tuya 2019-11-12 11:17:14 hi dear.When you call a device’s related interface and are prompted “Permission denied”, check the two dimensions of permissions following and ensure you are conforming to them. App dimension: Users linked with devices are the developer’s users on the Tuya Cloud app; developers have indirect permissions to operate the devices of their app users. Product dimension: the devices used by the products belong to the developer on Tuya Cloud product devices; developers have operation permissions on these devices.
Me 2019-11-12 12:50:36 Hi! Thank you for your reply.
I still don't quite understand. I'm following this tutorial: https://docs.tuya.com/en/iot/open-api/quick-start/quick-start Yet I can't make requests. What am I missing?
Thank you.
Tuya 2019-11-12 13:06:23 In brief, the product and app you develop must be under your account, and you can check it from the two dimensions I sent above.Smart Life App is tuya's app. You can't develop it~best wishes
Me 2019-11-13 22:55:19 Hi!
I'm not developing an app. I'm just using the open API to make requests.
Tuya 2019-11-14 10:26:07 hi dear The device API you call must be a product you created on the IOT platform, or it will be prompted “Permission denied”
Me 2019-11-15 13:07:48 Ah, you are saying I need to create an OEM app! I see now!
Well, I did, but it asks to reset my smart plug, but I cannot do this because it is already connected to Smart Life App. Can I use Smart Life App's schema inside API? I don't want to use my own app for this.
Tuya 2019-11-15 13:18:23 Hello,smart life belongs to tuya, which cannot make API calls from the application dimension. You need to create OEM app or app SDK. best wishes~
Me 31 minutes ago Hi!
Ok, I created an app. The app's package name is "com.mateus.smartplug", so I set schema in Postman as "mateussmartplug", but I'm still getting permission denied. What am I doing wrong?
Tuya 23 minutes ago hi dear pls refer to this link: https://docs.tuya.com/en/iot/open-api/tuya-open-platform-access-guide/simple-grant best wishes~
This is what I'm getting: [image: postman-tuya-open-api] https://user-images.githubusercontent.com/43916794/68988119-5a429280-0811-11ea-822f-f85f9b415264.jpg
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/codetheweb/tuyapi/issues/20?email_source=notifications&email_token=AHWN76NCTWGVWEPZEIJW6RDQT52DXA5CNFSM4ENSFISKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEEHJJCA#issuecomment-554603656, or unsubscribe https://github.com/notifications/unsubscribe-auth/AHWN76IW45TMHE4RXN4BYU3QT52DXANCNFSM4ENSFISA .
c3k
commented
4 years ago So if I want to use the Cloud API I can't use Google Assistant with the same device, since the device can't be in two apps at the same time, and a rebranded app will not appear in Google Assistant list. Correct?
codetheweb
commented
4 years ago Yes, AFAIK.
IanAdd
commented
4 years ago Is the development of the HA integration still active? I have a thermostat for underfloor heating (BHT002) which has two temp sensors, air and floor. HA is only seeing one - the air (room) temp. The smart-life app sees two, so does the app which was shipped with the device called my smart thermostat. In addition the thermostat obviously has three states, off/heating and idle. The HA integration only shows off or blank. The temperature value being doubled has been easily solved with a hack to climate.py, but beyond that I am lost as, I assume, the dialog with the cloud is currently not acquiring this extra sensor data. In hope !!
nk-gears
commented
4 years ago When i tried to Login and get a key from Tuya Developer Console, it says the following. Looks like they going to replace with a different platform.
" Cloud API Authorization has been upgraded to SaaS Development Platform,this entrance will be officially closed on 2020-05-30
codetheweb
commented
4 years ago 
banavalikar
commented
3 years ago For people trying to get the Tuya Cloud API working, the advice here 100% works - https://developer.tuya.com/en/docs/iot/open-api/quick-start/quick-start1?id=K95ztz9u9t89n
You have to make 2 calls -
Plus one optional call to find out the control API your device supports.
Hope this helps.
ramonetnet
commented
3 years ago I read a very interesting sentence here : "Tuya devices can be controlled via both MQTT and HTTPS API" As I see no MQTT traffic, must I deduce my device (Teckin SP21) is managed using HTTPS ? By the way : where can I find the description of this API ? Thanks !
ramonetnet
commented
3 years ago If the MQTT API is used, where can I find the names of the topics ?
Nigel1992
commented
3 years ago I can confirm you can control your Tuya devices using HTTP GET/POST with Cloud API [HTTPS].
A few things to keep in mind... 1. The API URL has to be changed to your region. https://openapi.tuyacn.com in China. https://openapi.tuyaeu.com in Europe. and so on...
2. HMAC can be generated using ClientID, current Unix time [in ms] and your Secret as the HMAC Key/Secret. In order to use actually control a device, you need to generate a new HMAC using ClientID, Access Token, Current Unix Time [in ms], and your Secret as the HMAC Key/Secret.
3. The script below is to control an RGB Bulb but should be nearly identical for other Tuya products. Simple use the Get device info on the API to see what your device supports.
GET /v1.0/devices/DEVICEID HTTP/1.1 Host: openapi.tuyaeu.com client_id: ClientID access_token: Access Token sign: Sign t: Current Unix Time [in ms] sign_method: HMAC-SHA256
Here's an example of my project:
newdevsa
commented
3 years ago Thanks to you all; I am able to login and get the device list and successfully connect to mqtt server as well, using information from this thread. My subscription to user topic pxxxxxx/mb/inxxxxx and on device topic is successful. I am now receiving messages on the mqtt queue. I want to capture the camera feed. All my Api calls are working (success), but have no clue how to connect with my camera. How can i use result from "tuya.m.ipc.config.get" or mqtt information to connect with my camera? I am new on webRTC. I am not able to wireshark or mitm (for tcp) my mobile app, but was able to decipher http calls with mitm.
codetheweb
commented
3 years ago @newdevsa I don't think anyone else has successfully gotten cameras to work.
donavanbecker
commented
2 years ago 
ground-creative
commented
2 years ago Here is a php client with an example to open a stream for your tuya smart camera from these docs https://developer.tuya.com/en/docs/iot/rtsp?id=Kacsdjcqllyql
https://github.com/ifsale/tuyapiphp
use ffplay -i rtsps://xxxxxxxxx to stream the link
panjanek
commented
2 years ago Hello everyone! I spent hours figuring out how my thermostate app (MySmartThermostat) communicates with tuya API. Resources from this thread were very helpful.
But it seems that different apps use different signing and encryption method so I share my findings:
sign_request = "||".join(out) #no appsecret here
hmac_key = "A_"+tuya_bmpkey+"_"+tuya_appsecret # here you have to use secret2 (encoded in the image file) and standard secret
signature = hmac.new(key=hmac_key.encode('utf-8'),msg=feed.encode('utf-8'),digestmod=hashlib.sha256).hexdigest() def encryptPostData(postData, requestId):
#create key from requestid and ecode. ecode is created together with session id upon login, as far as i can see it is valid undefinietly,
#so it's easier to sniff it than to request it
keyparts = "A_"+tuya_bmpkey+"_"+tuya_appsecret+"_"+tuya_ecode # secret1, secret2 and ecode used here
#generate key from request_id and secrets
keyHex = hmac.new(key=requestId.encode('utf-8'),msg=keyparts.encode('utf-8'),digestmod=hashlib.sha256).hexdigest()
shortKey = keyHex[0:16].encode('utf-8') #yes! you use only the first 16 characters of hexadecimal form as AES key
postDataStr = json.dumps(postData)
nonce = os.urandom(12)
plainBytes = postDataStr.encode('utf-8')
encryptedPostData, mac = AES.new(shortKey, AES.MODE_GCM, nonce).encrypt_and_digest(plainBytes)
encryptedPostDataWithNonce = nonce+encryptedPostData+mac
encryptedPostDataBase64 = base64.b64encode(encryptedPostDataWithNonce).decode("utf-8")
return encryptedPostDataBase64def decryptResult(result, requestId):
#create key from requestid and ecode
keyparts = "A_"+tuya_bmpkey+"_"+tuya_appsecret+"_"+tuya_ecode
#generate key from request_id and ecode
keyHex = hmac.new(key=requestId.encode('utf-8'),msg=keyparts.encode('utf-8'),digestmod=hashlib.sha256).hexdigest()
shortKey = keyHex[0:16].encode('utf-8')
encryptedBytes = base64.b64decode(result)
nonce = encryptedBytes[0:12]
encryptedPayload = encryptedBytes[12:]
decrypted = AES.new(shortKey, AES.MODE_GCM, nonce).decrypt(encryptedPayload[:-16]) #drop last 16 bytes, it's MAC signature
return decrypted.decode("utf-8") I fund large log file from some device using this mechanism here: http://jira.skyoss.com/secure/attachment/400894/2021-09-16_16-27-45_logcat.log
hope it'll help someone!
SakshiRathi77
commented
1 year ago I can confirm you can control your Tuya devices using HTTP GET/POST with Cloud API [HTTPS].
- Create a Developer account at https://developer.tuya.com/en/
- Contact Tech Support and ask for a free personal license at https://service.console.tuya.com/
- Once you have access the free personal license, go to https://developer.tuya.com/en/docs/iot/open-api/quick-start/quick-start1?id=K95ztz9u9t89n and follow the steps provided there.
A few things to keep in mind... 1. The API URL has to be changed to your region. https://openapi.tuyacn.com in China. https://openapi.tuyaeu.com in Europe. and so on...
HMAC can be generated using ClientID, current Unix time [in ms] and your Secret as the HMAC Key/Secret. In order to use actually control a device, you need to generate a new HMAC using ClientID, Access Token, Current Unix Time [in ms], and your Secret as the HMAC Key/Secret.
The script below is to control an RGB Bulb but should be nearly identical for other Tuya products. Simple use the Get device info on the API to see what your device supports.
GET /v1.0/devices/DEVICEID HTTP/1.1 Host: openapi.tuyaeu.com client_id: ClientID access_token: Access Token sign: Sign t: Current Unix Time [in ms] sign_method: HMAC-SHA256
Here's an example of my project:
[SETTINGS] { "Name": "Tuya Example", "SuggestedBots": 1, "MaxCPM": 0, "LastModified": "2020-12-28T17:43:33.8142682+01:00", "AdditionalInfo": "", "RequiredPlugins": [], "Author": "Nigel", "Version": "1.2.2", "SaveEmptyCaptures": false, "ContinueOnCustom": false, "SaveHitsToTextFile": false, "IgnoreResponseErrors": false, "MaxRedirects": 8, "NeedsProxies": false, "OnlySocks": false, "OnlySsl": false, "MaxProxyUses": 0, "BanProxyAfterGoodStatus": false, "BanLoopEvasionOverride": -1, "EncodeData": false, "AllowedWordlist1": "", "AllowedWordlist2": "", "DataRules": [], "CustomInputs": [], "ForceHeadless": false, "AlwaysOpen": false, "AlwaysQuit": false, "QuitOnBanRetry": false, "DisableNotifications": false, "CustomUserAgent": "", "RandomUA": false, "CustomCMDArgs": "" } [SCRIPT] #REQUEST_UNIXTIME REQUEST GET "https://openapi.tuyaeu.com/v1.0/token?grant_type=1" #PARSE_Unixtime PARSE "<SOURCE>" LR ",\"t\":" "}" -> VAR "unixtime" #FUNCTION_Sign FUNCTION HMAC SHA256 "YOURSECRETCODEFROMAPP" "YOURCLIENTID<unixtime>" -> VAR "sign" #Get_token REQUEST GET "https://openapi.tuyaeu.com/v1.0/token?grant_type=1" HEADER "Host: openapi.tuyaeu.com" HEADER "client_id: YOURCLIENTID" HEADER "sign: <sign>" HEADER "t: <unixtime>" HEADER "sign_method: HMAC-SHA256" PARSE "<SOURCE>" LR "access_token\":\"" "\"" -> VAR "access token" #FUNCTION_Sign FUNCTION HMAC SHA256 "YOURSECRETCODEFROMAPP" "YOURCLIENTID<access token><unixtime>" -> VAR "sign" #Random FUNCTION RandomNum "0" "255" -> VAR "random" REQUEST POST "https://openapi.tuyaeu.com/v1.0/devices/YOURDEVICEID/commands" CONTENT "{\"commands\":[{\"code\":\"colour_data\",\"value\":\"{\\\"h\\\":<random>,\\\"s\\\":255.0,\\\"v\\\":255.0}\"}]}" CONTENTTYPE "application/json" HEADER "Host: openapi.tuyaeu.com" HEADER "client_id: YOURCLIENTID" HEADER "access_token: <access token>" HEADER "sign: <sign>" HEADER "t: <unixtime>" HEADER "sign_method: HMAC-SHA256"The above script is for a program called OpenBullet: https://github.com/openbullet/openbullet Simply copy the code, save as .loli and copy to the Config folder of OpenBullet. Edit and have fun!
Incase you use uBot, I also made this in uBot. Let me know if you want the project.
This was written in a hurry, but feel free to ask any questions! :)
Fantastic work!!!!!,would you please tell me how you have generated sign and access token?
Nigel1992
commented
1 year ago I can confirm you can control your Tuya devices using HTTP GET/POST with Cloud API [HTTPS].
- Create a Developer account at https://developer.tuya.com/en/
- Contact Tech Support and ask for a free personal license at https://service.console.tuya.com/
- Once you have access the free personal license, go to https://developer.tuya.com/en/docs/iot/open-api/quick-start/quick-start1?id=K95ztz9u9t89n and follow the steps provided there.
A few things to keep in mind... 1. The API URL has to be changed to your region. https://openapi.tuyacn.com in China. https://openapi.tuyaeu.com in Europe. and so on... HMAC can be generated using ClientID, current Unix time [in ms] and your Secret as the HMAC Key/Secret. In order to use actually control a device, you need to generate a new HMAC using ClientID, Access Token, Current Unix Time [in ms], and your Secret as the HMAC Key/Secret. The script below is to control an RGB Bulb but should be nearly identical for other Tuya products. Simple use the Get device info on the API to see what your device supports. GET /v1.0/devices/DEVICEID HTTP/1.1 Host: openapi.tuyaeu.com client_id: ClientID access_token: Access Token sign: Sign t: Current Unix Time [in ms] sign_method: HMAC-SHA256 Here's an example of my project:
[SETTINGS] { "Name": "Tuya Example", "SuggestedBots": 1, "MaxCPM": 0, "LastModified": "2020-12-28T17:43:33.8142682+01:00", "AdditionalInfo": "", "RequiredPlugins": [], "Author": "Nigel", "Version": "1.2.2", "SaveEmptyCaptures": false, "ContinueOnCustom": false, "SaveHitsToTextFile": false, "IgnoreResponseErrors": false, "MaxRedirects": 8, "NeedsProxies": false, "OnlySocks": false, "OnlySsl": false, "MaxProxyUses": 0, "BanProxyAfterGoodStatus": false, "BanLoopEvasionOverride": -1, "EncodeData": false, "AllowedWordlist1": "", "AllowedWordlist2": "", "DataRules": [], "CustomInputs": [], "ForceHeadless": false, "AlwaysOpen": false, "AlwaysQuit": false, "QuitOnBanRetry": false, "DisableNotifications": false, "CustomUserAgent": "", "RandomUA": false, "CustomCMDArgs": "" } [SCRIPT] #REQUEST_UNIXTIME REQUEST GET "https://openapi.tuyaeu.com/v1.0/token?grant_type=1" #PARSE_Unixtime PARSE "<SOURCE>" LR ",\"t\":" "}" -> VAR "unixtime" #FUNCTION_Sign FUNCTION HMAC SHA256 "YOURSECRETCODEFROMAPP" "YOURCLIENTID<unixtime>" -> VAR "sign" #Get_token REQUEST GET "https://openapi.tuyaeu.com/v1.0/token?grant_type=1" HEADER "Host: openapi.tuyaeu.com" HEADER "client_id: YOURCLIENTID" HEADER "sign: <sign>" HEADER "t: <unixtime>" HEADER "sign_method: HMAC-SHA256" PARSE "<SOURCE>" LR "access_token\":\"" "\"" -> VAR "access token" #FUNCTION_Sign FUNCTION HMAC SHA256 "YOURSECRETCODEFROMAPP" "YOURCLIENTID<access token><unixtime>" -> VAR "sign" #Random FUNCTION RandomNum "0" "255" -> VAR "random" REQUEST POST "https://openapi.tuyaeu.com/v1.0/devices/YOURDEVICEID/commands" CONTENT "{\"commands\":[{\"code\":\"colour_data\",\"value\":\"{\\\"h\\\":<random>,\\\"s\\\":255.0,\\\"v\\\":255.0}\"}]}" CONTENTTYPE "application/json" HEADER "Host: openapi.tuyaeu.com" HEADER "client_id: YOURCLIENTID" HEADER "access_token: <access token>" HEADER "sign: <sign>" HEADER "t: <unixtime>" HEADER "sign_method: HMAC-SHA256"The above script is for a program called OpenBullet: https://github.com/openbullet/openbullet Simply copy the code, save as .loli and copy to the Config folder of OpenBullet. Edit and have fun! Incase you use uBot, I also made this in uBot. Let me know if you want the project. This was written in a hurry, but feel free to ask any questions! :)
Fantastic work!!!!!,would you please tell me how you have generated sign and access token?
HEADER "Host: openapi.tuyaeu.com"
HEADER "client_id: YOURCLIENTID"
HEADER "sign:
PARSE "
nk-gears
commented
1 year ago Here a nodejs snippet which helps to connect to tuya cloud and control the device
https://gist.github.com/nk-gears/a185c83d3e521c47d64d252197e87c88
@SakshiRathi77 , it contains the code to generate HMAC signature
hi there,
First thank you for your valuable contributions to the tuya library. I realize this is a long shot, but i am wondering if anyone had success in calling the tuya cloud API? i used fiddler and i was able to decipher a lot of the information on the calls, but there is one thing missing.
How is tuya calculating the MD5 hash? I was not able to replicate their "sign" parameter to the URL and the details on this as slim. Most of the info is located at https://docs.tuya.com/en/cloudapi/cloud_access.html#access-mode (search for accesskey) but i could not get it to work following the example. (I had to order my parameters, i used localKey as the accessKey, and then i did a utf-8 encoded MD5 hash). For the time, i got it in seconds using Unix epoch time.
Once i complete my work, i will share the PowerShell script that can be replicated into standard http/json requests.