This page is an experiment in accessing the data of an Amazon Echo using plain JavaScript. This comes with some caveats:

You need to be signed into your Amazon Echo account for the unformatted links to function. Note that all links must be secure to return data.
For security reasons modern browsers prevent cross-site XMLHttpRequests between remote domains without CORS enabled. The underlying JS functions in this page will not work from the remote server. The page must be saved to local storage to function completely.
Some browsers, notably Firefox, do not allow cross-site XMLHttpRequests from the local domain without CORS enabled, so the underlying JS functions in this page will not work in them. Chrome can be forced to process XMLHttpRequests by disabling security with the --disable-web-security command-line flag, but do so at your own risk. Safari will process XMLHttpRequests originating from the local domain without modification, so that browser is being used for this experiment.

In the end it is a bit surprising that such simple code works at all, even in Safari, but that is because most of the authentication with Amazon’s server is handled by the browser.

Contents

Echo Configuration
Viewing User Data
Editing User Data
Online Documentation


Echo Configuration

Device Settings:

https://pitangui.amazon.com/api/devices/device   (formatted)
https://pitangui.amazon.com/api/device-preferences   (formatted)
https://pitangui.amazon.com/api/bluetooth   (formatted)
https://pitangui.amazon.com/api/wake-word   (formatted)

Customer Settings:

https://pitangui.amazon.com/api/customer-status   (formatted)
https://pitangui.amazon.com/api/authentication   (formatted)
https://pitangui.amazon.com/api/notifications   (formatted)

Streaming Services:

https://pitangui.amazon.com/api/media/provider-capabilities   (formatted)
https://pitangui.amazon.com/api/music-account-details   (formatted)
https://pitangui.amazon.com/api/third-party   (formatted)

Networked Hardware:

https://pitangui.amazon.com/api/phoenix (malformed JSON response)
https://pitangui.amazon.com/api/phoenix/group?size=100   (formatted)
https://pitangui.amazon.com/api/eon/accounts   (formatted)


Viewing User Data

Every recognized voice command is stored as a card. The entire set of active cards can be viewed with this link:

https://pitangui.amazon.com/api/cards   (formatted)

Cards do not appear to persist in the listing more than a few days, as can be seen by scrolling to the oldest. Cards do remain on the server after removal from the current listing and can be accessed individually.

Individual cards are stored in a subdirectory labeled by the id field and can be accessed after escaping the pound sign in that field to its hex value.

Cards contain links to the audio data stored on Amazon’s server, which remains there indefinitely. All stored audio can be removed by visiting www.amazon.com/myx and choosing Devices > Manage voice recordings.

Parallel to cards is a directory of activities, but the link

https://pitangui.amazon.com/api/activities

does not provide a JSON response. Individual activities can be accessed in this directory in the same ways as cards and with the same id.


To-dos are stored in a separate directory and are of two types: TASK and SHOPPING_ITEM. Retrieving them requires the size variable, which has been set arbitrarily high here:

https://pitangui.amazon.com/api/todos?type=TASK&size=100&complete=true|false   (formatted)
https://pitangui.amazon.com/api/todos?type=SHOPPING_ITEM&size=100&complete=true|false   (formatted)

Individual to-do items are stored in a subdirectory labeled by the part of the itemId after the pound sign. This value is the same as the todoId on the original audio card.

The JavaScript source includes a third task type, MESSAGEBOARD_POST, that is not yet implemented.


Editing User Data

Editing data can be done with an authenticated PUT to Amazon’s server that requires the value stored in their csrf cookie. Since JavaScript does not allow access to cookies for other domains, that numerical value must be found using your browser’s website resources inspector and entered into the input field on this page before the editable lists can be loaded.

The only fields that can currently be changed are complete, deleted and text, which are the fields accessible through the Echo web interface. Putting data on the server must be done with the entire JSON response, not individual fields one at a time.

Deleted tasks and shopping items remain on Amazon’s server after deletion and can still be accessed as individual items. They will not appear in to-do lists even after adding deleted=true|false to the query string.
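
The addressing rules for individual cards and to-do items, together with the whole-object PUT described above, are sketched below as an added example that is not this page's own script. The `/cards/<id>` and `/todos/<id>` paths are inferred from the "subdirectory" wording, and the `csrf` header name, the sample item and its extra field are assumptions.

```javascript
// Added example (not the page's own script): builds requests, sends nothing.
const BASE = 'https://pitangui.amazon.com/api';

// Cards: the whole id goes in the path, with '#' escaped to its hex value %23.
function cardUrl(id) {
  return `${BASE}/cards/${id.replace(/#/g, '%23')}`;
}

// To-dos: only the part of itemId after the pound sign labels the subdirectory.
function todoUrl(itemId) {
  const hash = itemId.indexOf('#');
  if (hash < 0 || hash === itemId.length - 1) {
    throw new Error('itemId has no part after "#"');
  }
  return `${BASE}/todos/${encodeURIComponent(itemId.slice(hash + 1))}`;
}

// Fields the page reports as changeable.
const EDITABLE = ['complete', 'deleted', 'text'];

// Returns a fetch()-style descriptor for the PUT. The body is the entire item
// as retrieved, with only whitelisted fields replaced.
function buildTodoPut(item, changes, csrf) {
  if (!/^-?\d+$/.test(String(csrf))) throw new Error('csrf value must be numeric');
  for (const key of Object.keys(changes)) {
    if (!EDITABLE.includes(key)) throw new Error(`field not editable: ${key}`);
  }
  return {
    url: todoUrl(item.itemId),
    options: {
      method: 'PUT',
      credentials: 'include', // the browser attaches the session cookies
      headers: {
        'Content-Type': 'application/json',
        csrf: String(csrf), // ASSUMPTION: header name is not given on the page
      },
      body: JSON.stringify({ ...item, ...changes }),
    },
  };
}

// Constructed sample item; the page names only itemId, complete, deleted, text.
const sampleItem = {
  itemId: 'ACCOUNT-PLACEHOLDER#1111-2222',
  type: 'TASK', text: 'buy milk', complete: false, deleted: false,
  createdDate: 1430000000000, // constructed extra field, kept in the PUT body
};
```

Passing the returned `url` and `options` to `fetch()` would issue the request. Rejecting non-whitelisted keys keeps an edit from silently altering fields the web interface never exposes.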


Online Documentation

Official APIs:

https://developer.amazon.com/public/solutions/alexa/alexa-skills-kit
https://developer.amazon.com/public/solutions/devices/echo/alexa-app-kit (initial private beta)

Unofficial APIs:

http://www.piettes.com/the-amazon-echo-api/

Online forums:

http://www.piettes.com/echo/


Uploaded 2015.04.27 — Updated 2015.06.25 analyticphysics.com