Integrating smart devices into a single ecosystem is the standard of living, but standard applications often limit functionality, such as for fully operating a robot vacuum cleaner through smart home systems such as Home Assistant, or for using advanced home systems. CLI-You need a unique access key, and that key is called a token, and without it, advanced configuration is impossible.
Getting a token is the first and most important step for those looking to make the most of their Xiaomi Mi Robot Vacuum or Roborock.The process may seem daunting for a beginner, but there are proven methods running on Android and iOS.We'll look at current ways for 2026 that allow you to extract the access key without unnecessary hassle.
Itβs important to understand that a token is not a password from your account, but a specific session ID for a particular device, and if you plan to automate cleaning, run a vacuum cleaner via local servers, or get detailed statistics from Grafana, this information will become the foundation of your system.
Why do you need a token and where to look for it?
The token is a 32-character hexadecimal string that is used to authorize commands between your local server or script and the device itself. The MiIO protocol, which is the basis for Xiaomi devicesβ communication, requires this string to be encrypted and validated, and without it, any attempts to send a command other than the basic ones will be rejected by the cloud or the robot itself.
Regular users find this key in the logs of the official application, but modern versions of Mi Home and Xiaomi Home (especially with server Europe or Russia) hide this information. Developers specifically restrict access to tokens for security reasons, which makes them look for workarounds.
π‘
If you are using Mi Cloud server in China, it is easiest to get the token through browser plugins, as encryption there is often weaker than on European servers.
There are several basic methods of mining a token: using modified versions of Android apps, snipping traffic through an emulator, or using browser plugins when logging in via a web interface. The choice of method depends on your operating system and your willingness to technical manipulation.
The way for Android: Modified applications
The easiest and most reliable way for Android smartphone owners is to use a modified version of the Mi Home app. These versions (often called Vevs Mod or similar) have a built-in logging feature that automatically saves the tokens of all connected devices to a text file.
You don't have to be a programmer to use this method. APK-a verified modification file, install it on top of the official version (or in parallel, if the system allows) and log in. Once connected to the vacuum cleaner, the token will be stored in the device memory.
- π± Download the latest version of the modified Mi Home app from a trusted source (official forum) 4PDA or GitHub).
- π Sign in to your Xiaomi account and wait for full sync to your device list.
- π Open the file manager and follow the path specified in the mod settings (usually a folder). /mi_home_log/ or similar).
- π Find a file with the device name or IP-Address and copy the 32-character string.
βοΈ Verification before receiving the token
Please note that after updating the main Mi Home app, the modified version may not work properly, in which case you should wait for the new version of the mod to come out.
Method for iOS: Emulation and Sniffing
iPhone and iPad owners will have to resort to more sophisticated methods, as installing modified apps on iOS without jailbreaking is impossible.The most workable option in 2026 is to use an Android emulator on a computer or sniff traffic through a proxy server.
The method is to pass traffic between the Mi Home app and Xiaomi servers through your computer, to do this, install an Android emulator (for example, BlueStacks or Nox), put an official application into it, and network traffic is routed through a sniffer (for example, mitmproxy or Charles Proxy).
β οΈ Attention: For sniffering work SSL-You'll need to install a root certificate on the emulator, and be careful, this certificate gives you full access to decrypting your traffic, so only use it on test devices.
Once you set up the proxy and install the certificate, run the app in the emulator, log in to your account and open vacuum control. You'll see a lot of queries in the sniffer logs. POST-domains such as api.io.mi.com or api-de01.io.mi.com. The body of the request or response often contains a token field.
What to do if the traffic is encrypted?
Use of plugins for the browser
If you donβt want to mess with emulators or modified APKs, you can try to get a token through the web version of your Xiaomi account, which doesnβt work for all regions, but it does work for servers in China and sometimes Europe.
Youβll need a browser (Chrome or Firefox) with an installed extension to intercept requests, or a specialized plugin to work with Xiaomi. One popular option is to use extensions that are embedded in the authorization page and pull tokens from localStorage or cookies after successful login.
| Method | Difficulty | I need a PC. | The risk of blocking |
|---|---|---|---|
| Mod APK (Android) | Low. | No. | Low. |
| Sniffing (iOS/PC) | Tall. | Yes. | Medium. |
| Web plugin | Medium | Yes. | Low. |
| Receiving through ADB | Tall. | Yes. | Low. |
When using plugins, carefully read the permissions they request. A good plugin to get a token should not require access to your personal photos or contacts.
Receiving a token through ADB (for advanced)
For users who arenβt afraid of the command line, there is a method of getting the token directly through USB debugging (ADB), which requires that your Android device be enabled to debug over USB, and the Mi Home app is installed and authorized.
The essence of the method is to upload the data of the application, where the tokens are stored in encrypted or open form. With the adb backup command, you can back up the application data and then unpack it on your computer. However, starting with Android 10 and up, this method is limited, and a full backup of data is difficult to do.
adb shell pm list packages | grep mihome
adb pull /data/data/com.xiaomi.smarthome/files/miio_devices.dbIf you have root rights, it's a lot easier. You can directly open the SQLite database that the app stores, and you can find a table with the devices, and you'll have a token in the open next to the table. MAC-address.
β οΈ Note: Removing files from the system partition requires root access. Incorrect actions with access rights can lead to unstable smartphone operation or data loss.
Verification and use of the token
Once you have a 32-character string, you have to check it. The token should not contain characters other than numbers and letters from A to F. If there are other characters in the string or its length is different, then you copied something else.
You can use miio, part of the Python-miio project, to test it, and install it on pip, and try to send a command to get the device status, and if the command is successful and you get a response from the vacuum cleaner, then the token is right.
- π Make sure there are no extra gaps in the token at the beginning or end of the line.
- π‘ Check that the device and server you are sending the request from are on the same network (if you use local mode).
- π If the token stopped working, the device may have changed IP or the session key has been reset - the procedure will have to be repeated.
π‘
The token is valid until you reset the device or change the password of your Xiaomi account.In rare cases, the cloud can update the token forcibly.
Frequent problems with key extraction
A common problem is the βinvalid tokenβ error when trying to integrate. This can mean that you copied the token from another device. In the Mi Home application logs, tokens are listed, and it is important not to confuse the line corresponding to the light bulb with the Xiaomi Vacuum Mop token.
Another challenge is the regional restrictions: if your account is registered in Russia, and you are trying to use methods for a Chinese server, it will not work, and make sure that the chosen method of obtaining the token is compatible with the region of your account.
Itβs also worth considering that some new vacuum cleaners (especially those released after 2026) may use an updated encryption protocol, in which case old sniffering techniques may not work and will have to wait for community tools to update.