I am writing a SmartHome skill and need an access token to post asyncrhonous notifications for a device (doorbell). The documentation is confusing - but from what I have infered - I am supposed to get my client_id and client_secret from the Alexa console, and get the Bearer Token during the initial skill connection/authorization, then request the access token (and refresh token) via OAuth. So I can get these three pieces of info, but then I try to do:
curl -vv X POST -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' -d "\
grant_type=authorization_code\
&code=$CODE\
&client_id=$CLIENT_ID\
&client_secret=$CLIENT_SECRET" \
https://api.amazon.com/auth/o2/token
Where CODE came from the initial authorization request as:
"payload": {
"grant": {
"code": "<<REDACTED>>",
"type": "OAuth2.AuthorizationCode"
},
But this always gives me:
{"error_description":"The request has an invalid parameter : code","error":"invalid_grant"}
If I remove the code parameter it complains it's missing, and if I change the code to something invalid, the error changes from invalid_grant to invalid_request. So it understands the code - but doesn't like something about this whole flow.
(I know the client_id, client_secret and grant_types are valid, because when I change them to something deliberately erroneous, I get some expected error).
Any idea what I'm doing wrong??
The code can only be used once - whether it succeeds or not. So even if you use it and your request is botched or otherwise doesn't work - you cannot reuse it. The only was I was able to handle this was to disable the skill, re-enabled it, then snoop and use the new code given.