Joshua's Cheatsheets - TP-Link Cloud, Kasa, TP-Link Smart Products - Dev Cheatsheet

KASA vs TP-Link Cloud

Assuming you allow for non-local use, TP-Link Cloud is basically what bridges the connection between your local network and the "cloud", and seems to be what maintains the mesh of devices and their API communications.

Kasa is mostly just an app, plus some branding for TP-Link smart devices, and it mostly does just two things:

  • Allows you to manage the TP-Link cloud and register new devices
  • Provides a GUI for turning things off and on

Official Integrations

At the time of researching, it was hard to find one spot for this info, but it appears that the official integrations are:

Unofficial Integrations


Notes on usage

  • Token sending options

    • It looks like the auth token can be sent either in the URL itself or in the JSON body

      • URL: ___/?token=TOKEN
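      • Body: {params: {token: TOKEN}}
    • For security reasons, you should pretty much always opt to send tokens as part of a payload, rather than in the URL. Assuming valid HTTPS, neither can be sniffed in transit, but URLs tend to get written to server logs, proxy logs and client history, while request bodies usually do not.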
  • terminalUUID / UUID

    • This does not need to be a specific ID, nor does it need to be generated as a unique ID each time.
    • If you are using Postman to mock, you can use the {{$guid}} macro to generate a unique ID
  • What is the purpose of Kasa_Android as appType and the User-Agent header?

    • Most of the community-written API docs rely on endpoints discovered by reverse-engineering the Kasa smartphone app. At any point, TP-Link could start cracking down on suspicious API requests, so "spoofing" the official Kasa app is a way to minimize the risk of your request getting blocked.
    • Based on tplink-cloud-api, here are good values:

      • appType: Kasa_Android
      • User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0.1; A0001 Build/M4B30X) (really, this could be any modern valid Android UA that Kasa can run on)
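
The two token placements from the notes above, compared by what ends up in a request log. This is an added example, not code from this page or from tplink-cloud-api. The host `cloud.example.invalid`, the sample token, the `Content-Type` header and all function names are assumptions for illustration, and the log shape (method plus URL, no body) is a simplification of common default access-log formats.

```javascript
// Added example. BASE_URL is a placeholder: the page elides the real host.
const BASE_URL = 'https://cloud.example.invalid/';
const SAMPLE_TOKEN = 'tok-CONSTRUCTED-123'; // constructed, not a real token

// User-Agent is the value quoted on the page; Content-Type is an assumption.
const HEADERS = {
  'Content-Type': 'application/json',
  'User-Agent': 'Dalvik/2.1.0 (Linux; U; Android 6.0.1; A0001 Build/M4B30X)',
};

// Option 1 from the page: token in the query string (?token=TOKEN).
function urlStyle(token, payload = {}) {
  const url = new URL(BASE_URL);
  url.searchParams.set('token', token);
  return { method: 'POST', url: url.toString(), headers: HEADERS, body: JSON.stringify(payload) };
}

// Option 2 from the page: token inside the JSON body, under params.token.
function bodyStyle(token, payload = {}) {
  const body = { ...payload, params: { ...(payload.params || {}), token } };
  return { method: 'POST', url: BASE_URL, headers: HEADERS, body: JSON.stringify(body) };
}

// What a default access log typically keeps: method and full URL, not the body.
function accessLogLine(req) {
  return `${req.method} ${req.url}`;
}

// Scrub token values from a line before it is stored or shared,
// for cases where URL-style requests cannot be avoided.
function redact(line) {
  return line.replace(/([?&]token=)[^&#\s]*/g, '$1REDACTED');
}

console.log(accessLogLine(urlStyle(SAMPLE_TOKEN)));          // token visible in the log line
console.log(accessLogLine(bodyStyle(SAMPLE_TOKEN)));         // no token in the log line
console.log(redact(accessLogLine(urlStyle(SAMPLE_TOKEN))));  // token scrubbed
```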

Android Client

  • I've pulled a recent AndroidManifest.xml - here

    • I tried to spoof a related intent to the On/Off widget but could not get it to work (I think some of the Android action strings might be blocked from spoofing?)
Markdown Source Last Updated:
Mon Jan 06 2020 01:08:03 GMT+0000 (Coordinated Universal Time)
Markdown Source Created:
Thu Jan 02 2020 02:27:51 GMT+0000 (Coordinated Universal Time)
© 2020 Joshua Tzucker, Built with Gatsby