akuvox the token is updated every week

Checklist

[x] I have filled out the template to the best of my ability.
[x] This only contains 1 feature request (if you have multiple feature requests, open one feature request for each feature request).
[x] This issue is not a duplicate feature request of previous feature requests.

Is your feature request related to a problem? Please describe.

the token is updated every week

Describe the solution you'd like

call https://gate.ecloud.akuvox.com:8600/refresh_token {"refresh_token": "refresh token"}

headers x-auth-token: old token user-agent: VBell/7.12.2 (iPhone; iOS 18.5; Scale/2.00) and etc

returned {"datas":{"refresh_token":"new refresh token","token":"new token","token_valid":"604800"},"err_code":"0","message":"success"}

Describe alternatives you've considered

it would be nice to be able to refresh the token via a service, for example

action: akuvox.update_tokens data: entry_id: entity_id token: token

Additional context

you can get refresh token and basic token after login in SmartPlus via mitmproxy

must be call every 7 days and update token with refresh token

Jun 02 '25 19:06 XOTAB1CH

Claude implemented this in https://github.com/jul-sh/akuvox, but haven't tested yet

Aug 27 '25 01:08 jul-sh

I tried the above version https://github.com/jul-sh/akuvox, and it doesn't seems to work. I tried running manually the async_refresh_token call to Akuvox refresh token server, and I seems to be only getting a cryptic "http req version is out of request" message instead of the new token.

Oct 07 '25 06:10 wh1t35m1th

That sounds like it’s mismatch when negotiating the HTTP protocol, should be easy to debug and fixable.

ChatGPT gives more pointers https://chatgpt.com/s/t_68e4ff31c2488191b2c083013468ec1d

On Tue, Oct 7, 2025 at 2:17 AM wh1t35m1th @.***> wrote:

wh1t35m1th left a comment (nimroddolev/akuvox#95) https://github.com/nimroddolev/akuvox/issues/95#issuecomment-3375367847

I tried the above version [https://github.com/jul-sh/akuvox], and it doesn't seems to work. I tried running manually the async_refresh_token call to Akuvox refresh token server, and I seems to be only getting a cryptic "http req version is out of request" message instead of the new token.

— Reply to this email directly, view it on GitHub https://github.com/nimroddolev/akuvox/issues/95#issuecomment-3375367847, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACDW3DXMHC5VXJXYYVX7FBT3WNLHPAVCNFSM6AAAAAB6N3ETISVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTGNZVGM3DOOBUG4 . You are receiving this because you commented.Message ID: @.***>

Oct 07 '25 11:10 jul-sh

I think it goes beyond mismatch of HTTP protocol.

- On the HTTP protocol: I have checked it should be HTTP/2, whereas by default Claude code is on HTTP/1.1

- Logic of Token Refresh: But I still don't understand. My illustration per below.

Upon SMS Login, we are presented with three tokens:

"auth_token": Token A
"refresh_token": Token B
"token": Token C

So for operation (door opening, etc), token used is:

"token": Token C

During refresh token call:

POSTED tokens are:

"x-auth-token": Token C
"auth-token": Token A

RESPONSE tokens are:

"refresh_token": Token D
"token": Token E

From now on, operation (door opening, etc), token used is:

"token": Token E

Subsequent refresh token call:

POSTED tokens are:

"x-auth-token": Token E
"auth-token": Token A

RESPONSE tokens are:

"refresh_token": Token F
"token": Token G

So what is the point of "refresh_token" there? I just rotates, but never used.

Oct 10 '25 11:10 wh1t35m1th

That’s an excellent breakdown, thank you.

It sounds like you were able to make progress on the HTTP version mismatch which is awesome. It’s not surprising there’s an issue beyond that though; but we can debug step by step.

I agree that the logic where the refresh token just rotates seems wrong. Let’s try to figure out how it should be done. @XOTAB1CH do you have any pointers? I learned about the refresh API from OPs comment, unsure how he learned about it or if there’s documentation on it somewhere.

Absent more information the fastest way may be to try a few different combinations of what token to use where in and after refresh calls by making commands on the CLI with curl. We know that right now door opening etc stops working after a while, presumably after the first or second call to refresh.

On Fri, Oct 10, 2025 at 4:28 AM wh1t35m1th @.***> wrote:

wh1t35m1th left a comment (nimroddolev/akuvox#95) https://github.com/nimroddolev/akuvox/issues/95#issuecomment-3389515685

I think it goes beyond mismatch of HTTP protocol.

- On the HTTP protocol: I have checked it should be HTTP/2, whereas by default Claude code is on HTTP/1.1

- Logic of Token Refresh: But I still don't understand. My illustration per below.

Upon SMS Login, we are presented with three tokens:

"auth_token": Token A

"refresh_token": Token B

"token": Token C

So for operation (door opening, etc), token used is:

"token": Token C

During refresh token call:

POSTED tokens are:

"x-auth-token": Token C

"auth-token": Token A

RESPONSE tokens are:

"refresh_token": Token D

"token": Token E

From now on, operation (door opening, etc), token used is:

"token": Token E

Subsequent refresh token call:

POSTED tokens are:

"x-auth-token": Token E

"auth-token": Token A

RESPONSE tokens are:

"refresh_token": Token F

"token": Token G

So what is the point of "refresh_token" there? I just rotates, but never used.

— Reply to this email directly, view it on GitHub https://github.com/nimroddolev/akuvox/issues/95#issuecomment-3389515685, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACDW3DTPBJOGJ72EO3KFB6D3W6J5TAVCNFSM6AAAAAB6N3ETISVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTGOBZGUYTKNRYGU . You are receiving this because you commented.Message ID: @.***>

Oct 10 '25 12:10 jul-sh

Oh never mind. I eventually downloaded the Akuvox Smartplus for Android (APK), and I decompile it to get the code from their app. Turns out there are three possibility for token refresh.

Using the refresh_token
Using encrypted username and password
Using the auth_token

I guess when I eavesdrop my iOS app connection somehow the app happened to be using auth_token for the token refresh. Subsequent manual JSON post using the refresh token works (illustration per below).

Refresh Token: - POST:

x-auth-token: Token A
refresh_token: Token B

- RESPONSE:

refresh_token: Token C
token: Token D

Refresh Token: - POST:

x-auth-token: Token D
refresh_token: Token C

- RESPONSE:

refresh_token: Token E
token: Token F

I manage to update the code to get a valid response from the server, but I got the error message below. So still figuring out where did it go wrong in the code.

2025-10-10 23:26:37.570 WARNING (MainThread) [custom_components.akuvox] 🤨 Response: {'err_code': '1000100003', 'message': 'refreshToken error.'}

Oct 11 '25 04:10 wh1t35m1th

Excellent sleuthing and progress!

To make sure I understand correctly: you managed to get the refresh logic working with manual post requests (excellent!), but you ran into issues when updating the implementation code?

Could you share the code of the updated implementation? I could take a look at it in a couple of days. Given manual posts work, we should definitely be able to debug the code implementation, eg with logs that document the sequence of calls it makes and diff that with the working manual calls.

On Fri, Oct 10, 2025 at 9:09 PM wh1t35m1th @.***> wrote:

wh1t35m1th left a comment (nimroddolev/akuvox#95) https://github.com/nimroddolev/akuvox/issues/95#issuecomment-3392883520

Oh never mind. I eventually downloaded the Akuvox Smartplus for Android (APK), and I decompile it to get the code from their app. Turns out there are three possibility for token refresh.

Using the refresh_token

Using encrypted username and password

Using the auth_token

I guess when I eavesdrop my iOS app connection somehow the app happened to be using auth_token for the token refresh. Subsequent manual JSON post using the refresh token works (illustration per below).

Refresh Token: - POST:

x-auth-token: Token A

refresh_token: Token B

- RESPONSE:

refresh_token: Token C

token: Token D

Refresh Token: - POST:

x-auth-token: Token D

refresh_token: Token C

- RESPONSE:

refresh_token: Token E

token: Token F

I manage to update the code to get a valid response from the server, but I got the error message below. So still figuring out where did it go wrong in the code.

2025-10-10 23:26:37.570 WARNING (MainThread) [custom_components.akuvox] 🤨 Response: {'err_code': '1000100003', 'message': 'refreshToken error.'}

— Reply to this email directly, view it on GitHub https://github.com/nimroddolev/akuvox/issues/95#issuecomment-3392883520, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACDW3DS2WAHE7P4KUBE7IBT3XB7HNAVCNFSM6AAAAAB6N3ETISVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTGOJSHA4DGNJSGA . You are receiving this because you commented.Message ID: @.***>

Oct 11 '25 08:10 jul-sh

I forked this code into my own repository --> https://github.com/wh1t35m1th/akuvox.git And attached is the latest code (still not working fully).

I hardcoded my subdomain because I am having issue with the way REST_SERVER_ADDR is pulled from const.py
First token refresh call seems to work, but subsequently it get logged out (?)

Oct 13 '25 05:10 wh1t35m1th

I put my trusted assistant on this, who was able to write the following two python scripts. One for requesting an original login code, and then another for rotating the token three times and then opening a door to confirm rotation works.

https://gist.github.com/jul-sh/982c326db865fdfd19de43843e0388fe

The flow works flawlessly for me; am I right to deduct that then the only issue left is debugging the integration code to see where it diverges?

Nov 04 '25 20:11 jul-sh