OAuth2 Authorization Code Flow

Could someone help me to figure out the endpoints for Authorization Code Flow? What I want is the following endpoints:

Authorization URL
Client ID
Redirect URL
Authorization Grant Type: Authorization Code Grant
Access Token URI
Client Secret
Client Authentication Scheme

What I was trying to do is create an Alexa Smart Home Skill which works with Particle Photon. For this, Amazon Alexa Skill Kit needs an OAuth2 server which supports Authorization Code Flow. The project is complete and is working fine with Login with Amazon. I am able to control lights using Alexa Smart Home Skill Kit. What I was looking for is to use Particle login and retrieve access token and device id. Since Particle IFTTT channel supports OAuth2, it should work for Amazon also.

Probably @harrisonhjones or others could help me to figure it out.

Let's ping @jeiden and @bryce for this one.

Already pinged @jeiden and suggested to talk to @harrisonhjones since he worked on Alexa :smile:

Hey @krvarma,

I have indeed already done this before. Let me dredge up my old settings… ok, must be archived. It’ll have to wait till tomorrow. Let’s see if I can help the old fashioned way.


  1. See https://docs.particle.io/reference/api/#create-an-oauth-client and grab your client ID and secret
  2. Fill out the Amazon Connected Home Skill page. Required info:

Let me know how that goes for you :slight_smile:


Thank you @harrisonhjones, @jeiden and @Dave for the help. It works like a charm :smile:.

I will post my project tomorrow, preparing the write-up now :smile:



Can you please explain to me how to create a privacy policy URL?

That’s a job for Google my friend. Generate one, host it somewhere (perhaps an S3 bucket), and then you can update your skill with the link.

Just wanted to add for anyone else who pulls this up - things have changed a little bit on Alexa’s side since this post was made and I wanted to make sure any common errors are covered:

  • Client type type=app
  • Provide the redirect_uri=https://pitangui.amazon.com/api/skill/link/XXX
  • Scope in the amazon UI - (Can be anything - profile works)
  • Make sure you create your Lambda endpoint (ARN) and save that at the same time - otherwise you get a very cryptic error.

The redirect URI is provided in Alexa’s GUI:

  • Pitangui - North America
  • Layla - Europe

Hi @sean9keenan
I’ve done the set up according to your update but I keep getting “code 400”. Please help! :smiley:

Where do you get the 400 error? Can you post a screenshot? If it contains private information please IM me.

@harrisonhjones, I’m getting a 400 error in my Alexa app when I try to Enable the skill I built. I’m still a bit confused about how to configure the Alexa skill. I’m using my Particle IDE username for the Client ID. Is that correct? For the Client Secret, I’m using the Access Token for the IDE. Again, is that correct?

I’m sure this is all obvious to you folks, but I’ve wasted lots of time trying to get my Alexa skill to work. The Particle documentation on Oauth is just not detailed enough for me.

Thanks for any guidance.

You need to generate OAuth client Ids and secrets to get this to work. I’m not sure why that information is missing from the docs. You can find it here. Let me know if you have any trouble

Note: When you create your client Id and secret make sure you use the web type


I’m also trying to build an Alexa skill that interfaces with a user’s own Particle account, and I’m a bit stumped on one aspect of the instructions provided here and on the web site. Ultimately, the goal is to allow the user to get an access token to his/her Particle account, so that my Alexa skill can inspect their devices.

The part I’m confused about is why I am creating an oauth client using my access token for this whole process and loading that up into my Alexa skill. Does that mean the access token they create is somehow tied to my Particle account? I.e. will they have access to my devices? I don’t understand the relationship between my oauth client (associated with my account) and the customer’s own access token they are generating for their account.

Or can my oauth client request an access token for any other Particle account so long as it has their username and password?

Thanks for the help!

@harrisonhjones I’m also attempting to integrate Alexa and am having trouble with the OAuth authentication. Your previous posts are very helpful, and I worked through the ‘400’ error problem by changing my client to web type and adding the redirect url.

Now when I attempt to enable my skill in the Alexa web page I’m passed through to the Particle login page and get asked by Particle to authorize the requested access. I click ‘OK’ and am taken to an Alexa page that indicates the linking was unsuccessful.

I’ve turned on browser logging but can’t see what is going wrong. Items of note:

Any ideas on how to debug this error? Are the details in the ‘code’ parameter of the redirect?

having the exact same issue

Unfortunately I don’t frequent these forums anymore (my day job is consuming my entire life) but I’m happy to help when I can. From your list of urls my guess is the last step, where Amazon requests an OAuth token and refresh token, is failing. This usually occurs because of an incorrect access token URI. What URI do you have set in your Alexa app?

@developer what an interesting error. From the response that looks like a Particle response and not an Amazon response. Can you provide screenshots of the entire flow till the error? Are you viewing the page in a webview?

I’ve been trying to gather more information but still no luck even after many different attempts at creating lambda functions and skills. The access token URI I set is from your doc, https://api.particle.io/oauth/token

As far as I can see Particle is correctly generating a code and returning it to Amazon’s pitangui server, along with the ‘state’ variable. Amazon must then be requesting a token from the URI I supply as I can see one has been created with my client_id in Particle if I list v1/access_tokens. I get a new one every time I attempt to link the accounts.

I’ve attempted to use the returned ‘code’ in a POST to see if I can find any error detail. I posted the following:

curl -d "grant_type=authorization_code&client_id=alexa-1185&client_secret=xxx&redirect_uri=https%3A%2F%2Fpitangui.amazon.com%2Fapi%2Fskill%2Flink%XXXXXX&code=XXXXX" \
  -X POST https://api.particle.io/oauth/token

{"error":"invalid_client","error_description":"The grant type is unauthorised for this client_id"}

I suspect that the code can’t be used again once a token is issued, but perhaps this error is meaningful? Just to confirm, I created the Particle client as type web with the same redirect URI as appears in the requests:

Thanks for any help or suggestions!
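An added example, not part of the original post and not Particle's or Amazon's code: what the client side of this exchange has to check on the callback (exact redirect URI, matching `state`, a single `code`) before it builds the token request with every value percent-encoded by the library rather than by hand. The function names, the sample `state`, the sample code and the client secret placeholder are assumptions constructed for illustration; the token URI, redirect URI and client ID are the ones quoted in the thread.

```python
import hmac
from urllib.parse import urlsplit, parse_qs, urlencode

TOKEN_URI = "https://api.particle.io/oauth/token"  # access token URI quoted in the thread

def code_from_callback(callback_url, expected_state, registered_redirect_uri):
    """Validate the redirect back from the authorization server; return the code."""
    parts = urlsplit(callback_url)
    # The callback must land exactly on the redirect URI registered for the client.
    landed_on = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if landed_on != registered_redirect_uri:
        raise ValueError(f"redirect_uri mismatch: {landed_on}")
    query = parse_qs(parts.query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    # state ties the callback to the request this client started (CSRF defence).
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]

def token_request(code, client_id, client_secret, redirect_uri):
    """Return (url, form body) for the authorization_code exchange."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the value used in the authorize step
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return TOKEN_URI, body

# Constructed sample values (placeholders, not real credentials or codes).
REDIRECT = "https://pitangui.amazon.com/api/skill/link/XXX"
CALLBACK = REDIRECT + "?code=SAMPLECODE&state=abc123"

if __name__ == "__main__":
    code = code_from_callback(CALLBACK, "abc123", REDIRECT)
    url, body = token_request(code, "alexa-1185", "client-secret-placeholder", REDIRECT)
    print("POST", url)
    print(body)
```
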

Quick update: turns out changing the Alexa skill to V2 (legacy) instead of V3 (preferred) allowed the account linking to proceed. There must be some additional required function that is missing from my sample code. Unfortunate the error was so cryptic - the oauth was working fine the whole time.

I’ll continue to work on a V3 version and post a sample if I ever get it to work.

Yes, I am able to see it in a webview inside the Amazon skills app when I try to enable the skill by account linking.

I’ve been using Particle.io oauth with both an Alexa smart home skill as well as a custom skill. The custom skill is posted on Github.

I recently posted a step-by-step article on my website about creating an Alexa custom skill using particle.io oauth to publish events to your devices. It’s very detailed, and a long read, but hopefully it will help folks figure out which steps they’re not doing, or doing incorrectly.

Unfortunately the Amazon stuff changes, and it gets pretty hard to figure out if you’re working with outdated information. I know the steps I list work as of today 11/26/17.