Bad return code: Unauthorized

I opened a case with Liftmaster and I got a generic response back that they are behind in responding and asked if I still had an issue. I inquired about what that error message means and why it is not listed. For all that have this issue, you might try the same to see if we can get what is happening.

What are you going to tell them when they ask WHERE you're seeing that error? You can't tell them that it's an Indigo plugin, because this plugin uses a reverse engineered API that is in no way authorized by Liftmaster.

Hi-

I'm also getting the error. My iPhone app works fine with my login, on the same network as Indigo. In the past if I've exceeded my limit of requests, Liftmaster would ban me for a period of time. This doesn't seem to be the case.

I'm using Liftmaster in the options of the plugin.

Mike

Yea I suspect they changed the API. I noticed mine stopped working a couple days ago and I noticed the myQ app on my phone was also updated recently. I doubt that is a coincidence.

From 1200 miles apart the MyQ site returns the same address. So there only appears to be one active hosting location. If they were making changes, I do not know how they would be rolling it out in such a way that it would impact some users and not others. If different addresses were returned, that would make sense.

Doesn't need different addresses. The initial authentication step is still working. It's the next API call to get the list of devices that's failing. If they're rolling out a new API, they can flag each account to only use the new API as soon as they detect that you're using a newer version of the mobile app that can do so.

I'm using iOS version 3.93.3 which is only a week old. But not having the issue either.

So it's not an iOS vs Android thing. It also doesn't appear to be new app or not. Is your MyQ linked with say a Nest?

No. Nothing linked, no other devices (like lights). Just two door openers.

Not sure if this will help. I am getting the error. The garage door opener we bought had the myQ built in. We did not buy the add on kit.

I agree with FlyingDiver. The iOS and Android official apps shouldn't have a problem. What they do is they update their apps and publish them (say back in August) which support both new and old APIs. Then later they start updating the back end servers by which time most people have updated their apps and it functions normally. They just recently did this, as of Nov 20-ish. This is when I ran into problems, and confirmed with my unit tests.

I'm using custom code that I wrote based off of various sources. The first part to use the API is to connect/authenticate to get a security token. That token is then used for all subsequent calls (get devices, open door, close door, etc...). The authentication is still successful and the token is valid.; however, the other calls no longer work. The web service is still good as well ("https://myqexternal.myqdevice.com/api/v4/userdevicedetails/get") which results in a 200 status code. The data that it returns contains the error.

JsonResponse = "StatusCode: OK, Content-Type: application/json; charset=utf-8, Content-Length: 111)"

JsonResponse Data = {"ReturnCode":"216","ErrorMessage":"Unauthorized (216)","CorrelationId":"d3b51e2e-57c9-4bfc-8caa-064336c0cb10"}

Hence the 'unauthorized'. I suspect they changed the something in the headers and are requiring more information than just app id and security token. I've tried using fiddler to find out the calls they make from the android app but they've implemented certificate pinning and the app won't work when trying to decrypt communications.

[jay (support)]

Just checked - my luck has also run out.

I knew when I bought this garage door opener that I shouldn't have...

Hence the 'unauthorized'. I suspect they changed the something in the headers and are requiring more information than just app id and security token. I've tried using fiddler to find out the calls they make from the android app but they've implemented certificate pinning and the app won't work when trying to decrypt communications.

Why not use the regular browser based site and use Fiddler?

Not a bad idea. When SSL pinning was a problem while I built the August plugin, I used a decompiler on the Android app to reverse the API. A web version might be easiest to figure out what has changed. Let me know if I can help.

Whoops sry vtmikel. I meant to post here and sent it private, lol.

I've tried the website already. The problem with chamberlin (and maybe liftmaster) is that they are using a frontend to communicate with the backend. The myQ app on android talks directly to myqexternal.myqdevice.com. All of chamberlins website activity goes to mychamberlain.com. They probably have some proxy parsing and rewriting data. So I googled around and found a decompiler. They've obfuscated it a lot so it's going to take me a bit. I did find the appId though and it does appears to have been changed.

https://github.com/Einstein42/myq-garage/issues/22

That's the first report of this issue I've seen for any of the other Python implementations of the MyQ code.

As a followup to the error report in the previous post, I found a posting for the SmartThings interface with a possible fix.

Anyone who has this error should try this pre-release version: https://github.com/FlyingDiver/Indigo-M ... /tag/7.1.9

7.1.9 installed and working for now (initial status request was successful).

Thanks!

[jay (support)]

Bingo - opened, closed, status request all work.

Great job!!!

As a note, this is not uncommon: a lot of the APIs out there are starting to require authorization tokens (OAuth and others) to be present in the headers either as an option to the GET/POST or as a replacement. The Rachio API requires this. It's not a bad idea and goes a long way towards standardizing this kind of programmatic authentication/authorization IMO. Too bad they just didn't explicitly tell people about it...