Xiaomi Vacuum Mop Essential (model) STYJ02YM) requires access tokens to integrate with third-party smart home systems such as Home Assistant, Node-RED or ioBroker.Without this unique identifier, you wonβt be able to control the device through a device. API, Configure automation or use advanced features outside the official Mi Home app.
The problem is that Xiaomi doesnβt provide the token openly β it needs to be extracted independently. In this article, weβll look at 5 proven ways to get the token, including official and alternative methods, as well as solving common errors (for example, Invalid token or Device found not).
1 What is Xiaomi Token and Why is it Needed
Token (or) API-Key is a unique 32-character string that serves as a password for interacting with a device through the Xiaomi cloud. It is tied to a specific account and device, so the token from one vacuum cleaner will not be suitable for another, even if the models are identical.
Without a token, you can't:
- π Connect the vacuum cleaner to Home Assistant or other automation systems;
- π Get the cleaning status data (battery charge, covered area, errors);
- π€ Manage your device through voice assistants (Alice, Google Assistant);
- π Set up complex scenarios (e.g., running a house cleaning when you are not home).
Important: the token is valid only as long as the device is tied to your Mi Home account. When you dump the vacuum cleaner or change your account, the token will become invalid.
π‘
If you plan to use the token in Home Assistant, immediately save it in a safe place (for example, in the password manager).
2. Method 1: Receiving a token through Mi Home (official method)
The most reliable way is to extract the token from the Mi Home app traffic.
- π± Smartphone with Mi Home installed (version no lower than 6.0.100);
- π₯οΈ Computer with a traffic interceptor program (Fiddler, Charles, or HTTP Toolkit);
- π Xiaomi Vacuum Mop Essential Vacuum Buses Linked to Account.
Step-by-step:
- Install the HTTP Toolkit on your computer (download here) and run the program.
- On your smartphone, connect to the same Wi-Fi network as your computer. In your Wi-Fi settings, specify the proxy server (IP of your PC and port 8080).
- Open Mi Home, log in and go to the vacuum cleaner management page. In the HTTP Toolkit, start recording traffic.
- In the app, update the device status (pull the screen down). In the HTTP Toolkit logs, search for a request to the domain api.io.mi.com with the path /api/user/getdevicelist.
- The server's response will be JSON-Find your model vacuum cleaner in it": "roborock.vacuum.m1s" (for Vacuum Mop Essential and copy the value of "token".
Example of server response (token highlighted):
{
"list": [
{
"did": "123456789",
"token": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
"model": "roborock.vacuum.m1s",
"name": "Xiaomi Vacuum Mop Essential"
}
]
}Make sure the vacuum cleaner is connected to Wi-Fi|Turn it off. VPN smartphone|Update the Mi Home app to the latest version|Check that the device is not in "Do Not Disturb" mode"-->
3. Method 2: Use of alternative applications
If it seems difficult to intercept traffic, you can use third-party utilities that automate the process.
- π§ Mi Token Extractor (Android) β extracts tokens from the Mi Home cache;
- π Xiaomi Cloud Tokens Extractor (iOS, jailbreak required);
- π» Python-script miio-cli (for advanced users).
Letβs look at the Mi Token Extractor:
- Download. APK-GitHub file (check the versionβs relevance!).
- Install the app on Android (allow installation from unknown sources).
- Sign in to Mi Home and open Mi Token Extractor.
- Click Get Tokens β the program will show a list of devices with tokens.
β οΈ Warning: Some antiviruses block Mi Token Extractor as "potentially dangerous software." This is a false positive, but download APK Only from the official developer repository.
| Annex | Platform | Needs root/jailbreak? | Difficulty |
|---|---|---|---|
| Mi Token Extractor | Android | No. | ββ |
| Xiaomi Cloud Tokens Extractor | iOS | Yeah (jailbreak) | βββ |
| miio-cli (Python) | Windows/Linux/Mac | No. | ββββ |
Home Assistant|ioBroker|Node-RED|Alice's home assistant|Another.|I don't use it.-->
Method 3: Manual query via API (for technical users)
If you are familiar with Python or Postman, you can get a token through a direct request to the Xiaomi API.
- Install the python-miio library: pip install python-miio
- Sign in to Xiaomi account via the script: from miio import ChangelogLibre user = "your email@mail.com" password = "your password" libre = ChangelogLibre() libre.login(user, password)
- Get a list of devices: devices = libre.get_devices() for device in devices: if device["model"] == "roborock.vacuum.m1s": print(f"Token: {device['token']}")
β οΈ Warning: Keep the password script secure. After receiving the token, remove the login and password from the code to avoid data leakage.
The alternative is to use Postman:
- Create. POST-request https://account.xiaomi.com/pass/serviceLoginAuth2;
- In the request body, specify:
{
"clientId": "2882303761517432307",
"password": "your password,"
"serviceToken": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"user": "your email@mail.com"
}What to do if the API returns the error "Invalid credentials"
5. Method 4: Removing the token from the Mi Home backup
If you have a backup of Mi Home data (e.g., created via Titanium Backup or iMazing), the token can be extracted from it:
- Backup the Mi Home app (root rights required for Android).
- Open the backup file in a text editor (e.g. Notepad++).
- Find the token line, and there will be a 32-character key next to it.
Example of a backup fragment:
<map>
<string name="did">123456789</string>
<string name="token">a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6</string>
<string name="model">roborock.vacuum.m1s</string>
</map>β οΈ Note: Backups may contain outdated tokens. Once extracted, check the operability of the key through a test request to the API.
6. Method 5: Requesting a token through Xiaomi support (official channel)
In rare cases, the token can be obtained through Xiaomiβs support service, but this will require:
- π Check for the purchase of a vacuum cleaner (or warranty card);
- π Serial number of the device (S/N vacuum-hole);
- π§ Email linked to Mi Home account.
Instructions:
- Write to Xiaomi Support Chat (via Mi Home or support.xiaomi.com).
- Specify the reason for the request: βWe need a token to integrate with the smart home system.β
- Attach a photo of the check and serial number.
- Wait for a response (usually 1-3 days).
πΉ Important: Support doesn't always go hand in hand, especially if the device is unofficially purchased, and 80 percent of the time, you're going to be rejected, citing "security policyΒ».
π‘
Requesting a token through support is the longest and most unreliable way, and only use it if other methods have failed.
7.Typical errors and their solutions
When working with a token, users often face problems. Let's consider the most common:
| Mistake. | Reason. | Decision |
|---|---|---|
| Invalid token | Token is obsolete or incorrect | Get a new token or check the correctness of the input |
| Device not found | Vacuum cleaner not tied to account | Re-connect the device to Mi Home |
| Permission denied | Not enough rights. | Check the server region (should match the account region) |
| Network error | Internet problems | Disable VPN, check the connection |
If the vacuum cleaner does not respond to commands via the API, check:
- Make sure the device is on and connected to Wi-Fi.
- Check if the firewall blocks outgoing connections.
- Update the vacuum cleaner to the latest version.
How to check the performance of the token
8 Security: How to Protect Your Token
The token gives you complete control of your vacuum cleaner, and if it falls into the wrong hands, the attacker can:
- π΅οΈ Track your location (by cleaning card);
- π Turn on the vacuum cleaner at night or in your absence;
- πΈ Get data from the camera (if the model supports video surveillance).
Safety regulations:
- π Donβt give the token to anyone, even for the testΒ».
- π Change your password from your Mi Home account regularly.
- π‘οΈ Set up two-factor authentication.
- ποΈ Remove the token from the project code before publishing on GitHub.
If the token is compromised:
- Untie the vacuum cleaner from your Mi Home account immediately.
- Reset the device to factory settings (button) RESET 5 seconds).
- Generate a new token.
π‘
Never store a token in the public domain (Google Docs, Dropbox) or in public repositories. Use password managers (KeePass, 1Password) to store it.