How to find out the Xiaomi Vacuum Mop Pro token: 5 proven ways (2026)

Robot vacuum cleaner Xiaomi Vacuum Mop Pro (models) STYJ02YM, STYTJ01ZHM It requires an access token to integrate with third-party smart home systems, from Home Assistant to Node-RED. Without this unique code, you won’t be able to control the device through a single device. API, Automate scheduled cleaning or get battery status data, and the problem is that Xiaomi doesn't provide the token openly, and you have to extract it yourself.

In this article, we will analyze all the current ways to obtain a token for Vacuum Mop Pro – from the official method through Mi Home to bypassing restrictions using Python scripts and other tools. MITM-You will learn what tools you need, how to avoid blocking your account and what to do if the token suddenly stopped working, and the only legal way to get a token without risking losing the warranty (spoiler: it is associated with the official one). API Xiaomi Cloud).

1 What is Xiaomi Token and Why is it Needed

A token (or authentication token) is a unique 32-digit key that identifies your device in the Xiaomi ecosystem.It is generated by the company's servers when you first connect a vacuum cleaner to your Mi Account and is used to:

  • πŸ” Authentication of requests to API vacuum cleaners (e.g. start, pause commands, get_status).
  • πŸ“Š Reading telemetry: charge level, cleaning maps, sensor errors.
  • πŸ€– Integration with third-party systems (Home Assistant, ioBroker, OpenHab).
  • βš™οΈ Hidden settings not available in the standard Mi Home app.

Without a token, you're limited to the functionality of an official app, like:

  • πŸ“… Start cleaning on schedule with Google Assistant or Alice.
  • πŸ—ΊοΈ Export room maps for analysis in Python or QGIS.
  • ⚑ Increase suction power above the limits set by Xiaomi.

⚠️ Attention: The token is tied to a specific device and Mi Account. If you dump the vacuum cleaner to the factory settings or change the region of the account, the token will become invalid. API (For example, too frequent requests).

2.Official method: obtaining a token through Mi Home (without risks)

This is the only method that does not violate Xiaomi’s user agreement and does not require technical skills, but it only works for users in China or those who have tied the vacuum cleaner to a Chinese server (cn). If your account is registered in the ru, eu or us region, go to the method β„–3.

Step-by-step:

  1. Open the Mi Home app (version no lower than 6.5.400).
  2. Go to profile. β†’ Settings β†’ General settings β†’ Region and choose China.
  3. Add the vacuum cleaner to the app (if it is not already tied).
  4. Go to the device page. β†’ Settings (βš™οΈ) β†’ General. β†’ About the programme.
  5. Click 5 times in a row on the field with the firmware version. A hidden menu will appear.
  6. Select Get Token (may be called Token in Chinese).
  7. Copy the displayed code – this is your token.

If the Get Token item is missing, it means:

  • πŸ”Ή Your account is not linked to a Chinese server.
  • πŸ”Ή Mi Home is outdated (update via APKMirror).
  • πŸ”Ή Xiaomi has removed this feature for your vacuum cleaner model (relevant for devices released after 2023).
πŸ“Š What region does your Mi Account have?
China (cn)
Russia (ru)
Europe (eu)
United States (us)
Other

3. Alternative method: extraction of the token through MITM-attack (for advanced attack)

If the official method did not work, you can intercept the token using Man-in-the-Middle (MITM) This method requires Python, Wireshark or Fiddler skills, but it gives you 100% of the result, and the bottom line is that you swap Xiaomi servers for your PC and you listen to traffic between the Mi Home app and the cloud.

What you need:

  • πŸ’» Computer with Python 3.8+ and the mitmproxy library.
  • πŸ“± Android smartphone with root rights or the ability to install a user certificate.
  • 🌐 Local area network (vacuum cleaner and phone must be connected to the same Wi-Fi point).

Instructions:

  1. Install mitmproxy: pip install mitmproxy
  2. Launch a proxy server: mitmproxy --mode transparent --showhost
  3. On your smartphone, set up a proxy on IP Your PC and port 8080.
  4. Install the mitmproxy certificate on your phone (instruction: documentation).
  5. Open Mi Home and perform any action with the vacuum cleaner (such as running a cleaner).
  6. In the mitmproxy logs, search for a request to api.io.mi.com with the token option.

Example of successful interception:

GET /app/genToken?clientId=...&signature=...


Host: api.io.mi.com





Response: {"token":"a1b2c3d4e5f6...","expire": 1672531200}

⚠️ Xiaomi may block your account for suspicious activity if you send too many requests to the user API. Use this method only to extract the token, not to survey servers in a mass manner.The recommended interval between requests is at least 5 seconds.

What to do if MITM doesn't work?
If the traffic is not intercepted, check: 1. The phone is off. VPN 2. mitmproxy certificate is installed in trusted (on Android: Settings) β†’ Security β†’ Trusted certificates. 3. Traffic encryption is disabled in Mi Home (if there is such an option). 4. The vacuum cleaner and phone are connected to the same network (without separation into guest and main).

4.Use of Python scripts to automatically receive token

For users who don't want to mess with mitmproxy, there are pre-built Python scripts that automate the process. One of the most reliable is the miio-cli from the OpenMiHome community. It runs through the Xiaomi cloud and doesn't require root rights.

Installation and launch:

  1. Install miio-cli: pip install python-miio
  2. Sign in to Mi Account: Mio --discover --sync-cloud (Enter the login and password from your account).
  3. Get a list of devices: Mio devices
  4. Copy the token for the desired vacuum cleaner: miio inspect --ip [IP_vacuumer] --token [time-token]

Example of conclusion:

Device ID: 12345678


Model: roborock.vacuum.m1s (Xiaomi Vacuum Mop Pro)




Token: 6a5f4e3d2c1b0a9876543210fedcba98




Firmware: 3.5.9_1838

Advantages of the method:

  • βœ… No need to root or modify your phone.
  • βœ… It works for all regions (ru, eu, us).
  • βœ… Supports two-tier authentication (if enabled in your account).

Disadvantages:

  • ❌ Xiaomi can block the account with frequent requests.
  • ❌ Requires command line knowledge.

β˜‘οΈ Preparation for the script

Done: 0 / 5

5. Removing the token from the Mi Home backup (for Android)

If you have a backup of your Mi Home data (created through a ADB Backup or Titanium Backup, a token that can be extracted from it without connecting to a vacuum cleaner, is suitable if the device is broken or located elsewhere.

Instructions:

  1. Create a backup for Mi Home: Adb Backup -f mihome.ab -app com.xiaomi.smarthome
  2. Unpack the archive mihome.ab with Android Backup Extractor.
  3. Open the file. apps/com.xiaomi.smarthome/db/mihome.db In SQLite Browser.
  4. Follow the request: SELECT token FROM devices WHERE model LIKE'%vacuum%';

If the token is not in the database, try:

  • πŸ” Search in the account table (sometimes the token is stored there in encrypted form).
  • πŸ” Check the backup for files with the.pref extension (may contain the token in open form).

⚠️ Note: In the new Mi Home versions (after 2023), tokens are stored in encrypted form. To decrypt them, you will need a key that is generated dynamically every time you run the application. MITM-method.

6. Token verification and error elimination

Once you get a token, you need to check it for performance, use a Python script or online services like MIoT Spec. If the token doesn't work, the reasons may be as follows:

Mistake.Reason.Decision
Invalid tokenThe token is wrong or outdated.Get a new token by any of the methods described.
Device not foundThe vacuum cleaner is disconnected from Wi-Fi or tied to another account.Check the network connection and sync with Mi Home.
Region mismatchThe token is derived for another region (e.g., cn, and the vacuum cleaner is on eu).Change your account region or get a token for your current region.
Too many requestsXiaomi blocked from blocking IP for frequent requests.Wait 24 hours or use another one. IP (VPN).

To test the token manually, use Postman or cURL:

curl -X POST"http://[IP_ vacuum cleaner]/miIO.info""


-H"Content-Type: application/json" \




-d'{"id":1}' \




--user "token:[YOUR TOKEN"

If the answer contains β€œresult”:[miIO.version,...], the token is valid.

πŸ’‘

If the vacuum cleaner doesn't respond to commands, try rebooting it by holding the power button for 10 seconds. API.

7 Security: How not to lose your token and account

The token gives you complete control over your vacuum cleaner, so its leakage can lead to:

  • 🚫 Remote control of the device by attackers.
  • πŸ“ Theft of your home layout data (cleanup maps contain exact room sizes).
  • πŸ”’ Blocking Xiaomi account for suspicious activity.

Safety regulations:

  • πŸ” Store the token in a password manager (such as Bitwarden or KeePass).
  • 🌐 Do not transfer the token to third parties or public repositories (for example, in GitHub).
  • πŸ”„ Regularly (every 3-6 months) update the token through Mi Home.
  • πŸ›‘οΈ Use two-factor authentication in your Mi Account.

If you suspect that the token has been compromised:

  1. Untie the vacuum cleaner from your Mi Home account immediately.
  2. Change the password from the Mi Account.
  3. Get a new token by one of the methods described.

πŸ’‘

Never use the token on open networks (such as public Wi-Fi). To integrate with Home Assistant, set up a local network or VPN.

FAQ: Frequent questions about Xiaomi Vacuum Mop Pro tokens

❓ Can I get a token without root rights on my phone?
Yeah, that's fine: πŸ“Œ MITM-Proxy with user certificate installation (does not require root on Android 7)+). πŸ“Œ Python scripts (python-miio or miio-cli). πŸ“Œ The official method is via Mi Home (China region only). Root is only needed to intercept traffic on older versions of Android (up to 6.0).
❓ Why the token stopped working after the firmware update?
Xiaomi periodically updates authentication protocols. After major updates (e.g., 3.5.8 to 4.0.0), old tokens may become invalid. Solution: Get a new token with any of the methods described. Check the compatibility of your smart home system with the new firmware version. If the vacuum cleaner has stopped responding to commands, try resetting it to factory settings (hold the power button for 20 seconds).
❓ What is the validity period of the token?
Officially, the token has no expiration date, but Xiaomi may cancel it in the following cases: πŸ”„ Resetting the vacuum cleaner to factory settings. 🌍 Change of account region (cn) β†’ ru). πŸ”’ Suspicious activity (too frequent requests to the API). πŸ“¦ Update of vacuum cleaner firmware (rarely, but it does happen) It is recommended to update the token every 6 months.
❓ Can I use one token for several vacuum cleaners?
No. The token is tied to a specific device (by its Device). ID) If you have multiple vacuum cleaners, you need a token for each, except that if the vacuum cleaners of one model are tied to one account, you can try using a token from the first device for the second, but this will only work in 30% of cases (depending on the firmware version).
❓ Is it legal to use the token to integrate with Home Assistant?
No, not technically. Xiaomi is not allowing the use of API outside the official annexes (user agreement, paragraph 4.3: βœ… In practice, blocking for this is extremely rare (if you do not abuse requests). βœ… Home Assistant community has been using tokens for years without consequences. βœ… Xiaomi has not sued users for personal use API. The risks are minimal if you don’t distribute the token publicly and send more than 100 requests per hour.