Die Miele 3rd Party API supports the OAuth2 Authorization Code Grant Flow as shown in the simplified figure below.

The client application requests authorization to access the Miele 3rd Party API

Key Explanation Comment
client_id The client ID you received after the registration
response_type Indicates that your application expects to receive an authorization code
redirect_uri Indicates the URI to return the user to after authorization is complete
state A random string generated by your application, which you'll verify later optional

The user authorizes access with user name, password and the name of the Miele subsidiary with which his Miele account is registered. For this purpose, the authorisation server redirects the user to a special website. Here the user finally gives his explicit consent to use the API.

Key Explanation Comment
e-mail The e-mail address belonging to the Miele user account
password The corresponding password
country The Miele subsidiary the Miele user account belongs to

The Authorization server redirects to the client application and is passing the authorization code

Key Explanation Comment
code The server returns the authorization code in the query string
state The server returns the same state value that you passed optional

The client application is requesting an access_token by using the authorization code. In addition to the pure Oauth2 implementation, the additional parameter vg is necesarry

Key Explanation Comment
client_id The client ID you received after the registration
client_secret The client secret you received after the registration
vg The code of the Miele subsidiary, your Miele account is registered to (e.g. de-DE, en-EN, nl-NL ...)
code the authorization code returned by the authorization server before is complete
grant_type The grant type for this flow is authorization_code
redirect_uri Must be identical to the redirect URI provided in the original link

The Authorization server returns the access token

Key Explanation Comment
access_token The access_token for the subsequent API calls
refresh_token The refresh_token to refresh the access_token before it becomes invalid
token_type The type of the access_token always BEARER
expires_in The period of validity of the tokens in seconds

The client application has to use the access_token for all subsequent API calls

Key Explanation Comment
access_token The access_code for the every single API call

The Resource Server returns the requested resources