Authorization
The OAuth2 Authorization Code Grant Flow with device-specific permissions.
A
The client application requests authorization to access the Miele 3rd Party API
KEY | EXPLANATION | COMMENT |
---|---|---|
client_id | The client ID you received after the registration | |
response_type | Indicates that your application expects to receive an authorization code | |
redirect_uri | Indicates the URL to return the user to after authorization is complete | |
state | A random string generated by your application which you'll verify later | optional |
scope | The scope (permission) the application wants to access. Separate multiple values with %20 (blank) to request multiple scopes. The following scopes can be requested: Mcs_thirdparty_read: read permissions required for retrieving appliance states, available actions, programs and further appliance details; Mcs_thirdparty_write: write / execute permissions required to trigger actions (e.g. power on the appliance, start a program); Mcs_thirdparty_media: permissions required to access media generated by the appliance (e.g. oven camera image). A detailed mapping of the scopes required to access the endpoints can be found in the Swagger documentation. | required |
B
The user authenticates using their username, password, and the Miele subsidiary associated with their account. As part of the OAuth2 authorization flow, the authorization server redirects the user to a dedicated consent page. On this page, the user explicitly grants your application permission to access the Miele Third-Party API. Additionally, the user can select which of their connected appliances your application is allowed to access. This means access is scoped per device, and your application may not receive access to all appliances in the user's account—only to those explicitly approved.
KEY | EXPLANATION | COMMENT |
---|---|---|
The e-mail address belonging to the Miele user account | ||
password | The corresponding password | |
country | The Miele subsidiary the Miele user account belongs to | |
C
The authorization server redirects back to the client application, passing the authorization code.
KEY | EXPLANATION | COMMENT |
---|---|---|
code | The server returns the authorization code in the query string | |
state | The server returns the same state value that you passed | optional |
D
The client application requests an access_token using the authorization code.
KEY | EXPLANATION | COMMENT |
---|---|---|
client_id | The client ID you received after the registration | |
client_secret | The client secret you received after the registration | |
code | The authorization code previously returned by the authorization server | |
grant_type | The grant type for this flow is authorization_code | always authorization_code |
redirect_uri | Must be identical to the redirect URI provided in the original link | |
E
The authorization server returns the access token. The token is issued as a signed JWT whose claims include the customer's country and the serial numbers of the appliances to which access has been granted.
F
The client application must use the access_token for all subsequent API calls.
KEY | EXPLANATION | COMMENT |
---|---|---|
access_token | The access token for every single API call | |
G
The Resource Server returns the requested resources
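
The client side of steps A, C and D, as an added example that is not part of the original documentation: it builds the authorization request with a random state, rejects a callback whose state does not match, and assembles the token request fields. The endpoint URL and function names are assumptions (the page does not give the authorization URL), and `code` as the response_type value is the standard OAuth2 value for this grant.

```python
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Assumption: placeholder endpoint; the page does not give the real URL.
AUTHORIZE_URL = "https://auth.example.invalid/authorize"
SCOPES = {"Mcs_thirdparty_read", "Mcs_thirdparty_write", "Mcs_thirdparty_media"}


def build_authorization_request(client_id, redirect_uri, scopes):
    """Step A: return (url, state); keep state in the user's session."""
    unknown = set(scopes) - SCOPES
    if unknown:
        raise ValueError(f"unknown scope(s): {sorted(unknown)}")
    state = secrets.token_urlsafe(32)  # unguessable, one per request
    params = {
        "client_id": client_id,
        "response_type": "code",  # standard OAuth2 value for this grant
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": " ".join(scopes),
    }
    # quote_via=quote encodes the blank between scopes as %20, not '+'.
    return f"{AUTHORIZE_URL}?{urlencode(params, quote_via=quote)}", state


def handle_callback(callback_url, expected_state):
    """Step C: verify state before trusting code; return the code."""
    query = parse_qs(urlsplit(callback_url).query)
    returned = query.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(
            returned.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: discard this response")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Step D: form fields for the token request, sent from the server side."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,  # must match the value used in step A
    }
```

Because access is granted per appliance on the consent page, a successful exchange does not imply access to every appliance in the account; treat the set of appliances the API returns as the authoritative list.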