Authorization Code Authorization Strategy

This strategy is an implementation of the OAuth 2.0 Authorization Code Grant Type It is ideal for any web based application where the end user is accessing your application through a browser. A series of HTTPs redirects are performed between your web server and the ecobee server which guide the user in authorizing your application in a secure manner.

Requesting the Authorization Code

In order to obtain an authorization code, the user's browser must be redirected to the ecobee servers where they will be guided in authorizing your application. To begin the process, redirect the user's browser to the following URL:


Request Parameters

Parameter Description
response_type This is always "code" for this authorization flow.
client_id This is the unique application key for your application.
scope This is the Scope the application requests from the user.
redirect_uri This is your designated server endpoint for receiving the authorization code and error messages. The URL is limited to 255 characters in total and cannot contain port numbers.
state OPTIONAL. This is a state string which you can use to uniquely identify this particular request. The state will be returned to you when the authorization code is sent to your server or an error occurs.

Note that the redirect uri you provide cannot contain port numbers as they are not supported.

After the request is made, the user will be directed to log into their ecobee portal and presented with a page which will detail your application and whether the user would like to accept or deny the authorization. The user's browser is then redirected back to the redirect_uri you specified in your original request. The state is also sent back, if included.

Accept Response

The accept response will be forwarded to your designated server endpoint URI.


Decline/Error Response

The decline response will be redirected to your designated server endpoint URI.


Now that you have the authorization code, you may use it to obtain access and refresh tokens from the server.

The authorization code has a life time of 10 minutes. Once received, your server should immediately use the authorization code to obtain access and refresh tokens. The tokens should be stored securely.

Requesting Tokens (Access & Refresh)

The application will need to request access and refresh tokens once the user has authorized the application within the ecobee Web Portal.


Request Parameters

Parameter Description
grant_type This is always "authorization_code" for this authorization flow.
code The authorization code obtained from the /authorize request.
redirect_uri This is your designated server endpoint which was sent in the original authorization code request. They MUST be identical.
client_id This is your unique application key.

A successful response will look like this:

	"access_token": "Rc7JE8P7XUgSCPogLOx2VLMfITqQQrjg",
	"token_type": "Bearer",
	"expires_in": 3599,
	"refresh_token": "og2Obost3ucRo1ofo0EDoslGltmFMe2g",
	"scope": "smartWrite" 

At this point, the application should store the access and refresh tokens in its secure local store. These tokens represent the credentials of the user and must be kept secure.

The token_type returned must be specified in the Authorization header when making API requests. See the "Access Token" section in Getting Started with Request and Response for information on setting the Authorization header.

After you have the tokens, you may now begin making API requests using the access token.

Error Handing

The following errors should be expected by your endpoint:

  • authorization_pending (HTTP 401)
  • authorization_expired (HTTP 401)
  • slow_down (HTTP 401)

Since HTTP error codes cannot be set on an HTTP client redirect, they will not be sent.

See Authorization Errors for complete descriptions and list.

Back To Top