Forbid open action on web API

Hello, I just got my new SmartLock 4.0 and connected it to the web API so that my domotic box can observe the lock state and lock it in some cases.
But since the lock is a sensitive feature, I’m not fully confident in allowing a web API that could open my lock (letting it observe or close is OK), even if I know it uses encoding keys for such orders.
Is there a way to prevent, on the Nuki side, the use of the open/unlock function for the web API only? Otherwise it would be a great improvement to add it.

Did I post my question in the wrong place?…

Hello Guillaume,

How have you integrated with the Web API?
What scopes did you use? The smartlock.readonly scope enables viewing devices, and the smartlock.action scope allows operations on devices, so you could simply not use this scope in your authorization.

I do not develop it; I use your app from the Homey Pro store, so it would be an option to develop on your side if it does not exist yet in the Homey Nuki app.
But I would find it much more secure if this option were on the Nuki server side, or even better on the Nuki bridge side.

Additionally, you only speak about an option of read-only or full write access. I was speaking about a lock-only option, which would allow locking the door but not unlocking it.

I’m sorry, but it is still not very clear. Are you asking for an integration from Nuki to Homey which wouldn’t allow unlocking? If this is a feature request, I recommend you add it here: Feature requests - Nuki Developers

Sorry, I’ll try to reformulate.

My question was firstly about whether a feature exists or not. If it does not exist, I will submit a feature request.

The feature is about restricting the web API provided by the bridge to read and lock only, not accepting unlock from a web request. The best would be for this restriction to be applied by the bridge itself, not by the Nuki server, let alone by the application calling the Nuki server (to reduce as much as possible any possible breach).

Nuki is already integrated into the Homey ecosystem by an app provided by the Nuki team itself. But as far as I know, it allows anything: reading state, locking… and unlocking, which initiated my request.

Is it clearer? Do you know any way to set this restriction somewhere?

Note that I still want to be able to lock from outside. I only want to forbid the unlock action from external requests.


Just to ensure I got it right, I will reiterate.
When you link Homey with Nuki via the Web API, you want Homey to be able to lock but not unlock. Is this correct?

Yes 🙂


Sorry for the delay in the response.
Homey has integrated with the Nuki Web API and provides the lock/unlock options.
Unfortunately, it is up to the partner (Homey) to not allow the unlock option, but you would need to set up a flow to unlock the device; only then will it unlock via Homey.
We allow our integrators to use our API to provide lock/unlock options and cannot forbid unlocking.

Ok, thank you. So I will file a feature request.