Xiaomi and Mijia robot vacuum cleaners require a dedicated access token to integrate with alternative applications (such as Home Assistant), create automation or remote control via a mobile app. API. This unique 32-character key connects the device to your Mi Account and allows for secure data exchange, but the manufacturer does not provide the token in plain form - it must be extracted independently.
In this article, we will analyze all the current methods of obtaining a token for vacuum cleaners Xiaomi Mi Robot, Viomi, Dreame and other models on the Mi Home platform, including bypassing the new restrictions of 2023-2026. You will learn how to do this through the official application, using Python scripts, as well as alternative ways for devices with firmware. CN (We will pay special attention to the risks of blocking an account in case of incorrect actions and how to avoid them.
What is Xiaomi vacuum cleaner token and why you need it
The token (or MIoT Token) is a unique session identifier that is generated by Xiaomi servers when you log in to the Mi Home ecosystem.It consists of 32 characters (digits and Latin letters) and is valid as long as:
- π You will not reset the device to factory settings;
- π Do not remove the vacuum cleaner from your Mi Home account;
- π« Do not change your account region (for example, with the CN on RU).
Without a token, it is impossible:
- π± Connect the vacuum cleaner to Home Assistant, ioBroker or other smart home systems;
- π€ Use informal applications (e.g. Valetudo for cloud-free firmware);
- π Get data about the cleaning card, battery status or errors through API;
- βοΈ Set up automation on schedule without an official application.
It is important to understand that the token is tied to a specific device and account, if you sell a vacuum cleaner, the new owner must receive his token after the dump. 2023 The old methods of extracting a token through mitmproxy for devices with firmware have ceased to work EU/RU.
β οΈ Warning: Donβt give your token to third parties! This is equivalent to transferring your username and password from your Mi Home account, as the token allows you to manage all devices in your ecosystem.
Method 1: Receiving a token through the official Mi Home app (for firmware) EU/RU)
This is the easiest and safest method that works for most models of vacuum cleaners Xiaomi with firmware for Europe or Russia (EU/RU). You will not need technical skills or additional software.
Instructions:
- Open the Mi Home app and go to the Profile tab β Settings β General settings β About the programme.
- Click 5-7 times in a row on the app version (e.g. 6.5.410) until the wording Developer Mode is enabled appears.
- Go back to the main menu and select your vacuum cleaner. Go to your device settings β General. β About the device.
- Slip 5 times on the model of the vacuum cleaner (for example, Mi Robot Vacuum-Mop 2 Lite).
If the token window does not appear:
- π± Update the Mi Home app to the latest version.
- π Check that the account region coincides with the vacuum cleaner firmware region (EU Europe, RU for Russia);
- π Restart the vacuum cleaner (press the power button for 10 seconds).
Update the Mi Home app to the latest version
Check the region of the account (should match the vacuum cleaner firmware)
Enable the developer mode (stamp according to the application version)
Reboot the vacuum cleaner before extracting the token-->
β οΈ Note: On some models (e.g. Xiaomi Mi Robot Vacuum-Mop 2 Pro), this method may not work due to the updated firmware.
Method 2: Extracting a token through a packet sniffer (for Android)
If the previous method did not work, you can intercept the token when exchanging data between the Mi Home application and Xiaomi servers, which requires an Android smartphone with root rights or the ability to install a user certificate.
Step-by-step:
- Install the Packet Capture app on your smartphone or HTTP Toolkit.
- In Wi-Fi settings, connect to the same network as the vacuum cleaner and set up the proxy server on the IP Your PC (if you use it) HTTP Toolkit).
- Start the sniffer and start recording traffic.
- Open Mi Home and perform any action with the vacuum cleaner (such as running a cleaner).
- In the sniffer logs, search for a request to the domain api.io.mi.com or miot-spec.org. The token will be in the ssecurity setting or in the header x-xiaomi-protocal-flag-clients.
An example of what a token might look like in traffic:
{
"request": {
"path":"/home/rpc/MiRobotVacuum_v2",
"header": {
"x-xiaomi-protocal-flag-clients":"app/phone/63e4a1b2f7d89c012e54f8a9"
}
}
}Where 63e4a1b2f7d89c012e54f8a9 β This is a token (in reality, it is longer).
What to do if the token is not found in traffic?
| Method | Difficulty | Root is required. | It works for firmware. |
|---|---|---|---|
| Through Mi Home (taps) | β | β No. | EU/RU |
| Sniffing traffic | βββ | β Yes, or certificate) | EU/RU/CN |
| Python-script | ββ | β No. | Anybody. |
| Through Valetudo (firmware) | ββββ | β No. | Only for devices with Valetudo |
Method 3: Automatic token acquisition using Python script
For firmware devices CN (China) or if previous methods have failed, you can use a Python script that emulates authorization to Mi Home and extracts the token.
Instructions:
- Install Python 3.8+ on your PC (download).
- Download the miio script or use this simplified version:
pip install python-miio
miio --discover
miio --ip <IP_ vacuum cleaner> --token < your token> infoIf the token is unknown, use this script to extract it:
from miio import ChuangmiPlug, Vacuum
import click
@click.command
@click.option('--ip', prompt='IP-address of the device', help='IP of the vacuum')
@click.option('--username', prompt='Mi username', help='Xiaomi account username')
@click.option('--password', prompt='Mi password', hide_input=True, help='Xiaomi account password')
def main(ip, username, password):
vacuum = Vacuum(ip, token=None)
vacuum.auth(username, password)
print(f"Token: {vacuum.token}")
if __name__ =='__main__':
mainSave the code to the file get_token.py and launch the team:
python get_token.py --ip 192.168.1.100 --username your email@mail.ru --password your passwordWhere 192.168.1.100 is IP-address of your vacuum cleaner on the local network (can be found on the router or through the Fing application).
π‘
If the script is running MiHome server error returned: -9003, This means that your account is blocked for too many requests. 24 For an hour or use another account.
β οΈ Note: Do not use this method more than 1 time per day for one account. Xiaomi may block access to the account API brute force-suspected.
Method 4: Alternative methods for firmware devices CN
Chinese firmware vacuum cleaners (CN) They often require additional actions to extract the token:
Method A: Using the Mi Home app (Chinese version)
1. Install the Chinese version of Mi Home (download here).
2. Register a new account with a Chinese phone number (you can use a virtual number).
3. Connect the vacuum cleaner to this account and use Method 1 (taps according to version).
Method B: Using Cloud Tokens Extractor
Use the Cloud Tokens Extractor web service:
- Sign in through your Mi Home account.
- Select a vacuum cleaner from the list of devices.
- Copy the token from the Token field.
This method works for most devices, but requires that you give your account access to a third-party service, and use it at your own risk.
Through taps in Mi Home (Method 1)
Sniffing traffic (Method 2)
Python script (Method 3)
Cloud Tokens Extractor (Method 4)
Another method-->
Problems and Solutions: What to Do When a Token Fails to Work
Sometimes the token that you get may not work or may not work, and the problems and solutions are:
| Problem. | Possible cause | Decision |
|---|---|---|
| The token consists of one zero (0000...) | Retrieval error or device not tied to account | Repeat the procedure or reconnect the vacuum cleaner to Mi Home |
| Invalid token error when using | Token is obsolete or discarded | Get a new token or reboot the vacuum cleaner |
| The token works, but access to API limited | Firmware device CN, The account is not Chinese. | Change your account region to CN Use the Chinese version of Mi Home |
| Account blocked after token extraction | Too frequent requests for APIs | Wait 24 hours or contact Xiaomi for support |
If the token stopped working after updating the vacuum cleaner firmware, try:
- Reset the vacuum cleaner to factory settings (press the power button for 20 seconds).
- Delete the device from your Mi Home account and reconnect.
- Get a new token by one of the described methods.
π‘
If the vacuum cleaner has stopped responding to commands through API, But it's in the official app, and most likely Xiaomi has updated the authorization protocol, and in this case, it's only going to help to reconnect the device to the account.
Safety: How not to lose access to the vacuum cleaner
Working with tokens and API Xiaomi demands caution. Here are the key safety rules:
- π Never share a token in an open source forum, GitHub, which gives you full access to your vacuum cleaner and other devices in Mi Home.
- π± Use two-factor authentication in your Xiaomi account.
- π Regularly (every 3-6 months) update the token, especially if you notice suspicious activity.
- π« Do not use the token on unverified services (for example, cloud integrations from obscure developers).
If you suspect that your token has been compromised:
- Change your password from your Mi Home account immediately.
- Remove the vacuum cleaner from your account and connect it again.
- Get a new token and update it in all integrations.
For additional protection, access to the vacuum cleaner can be limited by IP. For example, in Home Assistant, set up a rule to API-The requests came only from the local network:
vacuum:
- platform: xiaomi_miio
host: 192.168.1.100
token: YOUR_TOKEN
name:"Xiaomi Vacuum"
allow_unreachable: false