Eight Sleep Controller
2025 · shipped
Reverse-engineered Eight Sleep's API to control my smart bed with hardware buttons instead of the app.
// Problem
I wanted to adjust my Eight Sleep bed temperature with a physical button, not the iPhone app. Eight Sleep has no official API and uses certificate pinning to block traffic interception.
// Solution
Used mitmproxy with custom Python scripts to bypass cert pinning and capture the auth flow. Built a TypeScript client for OAuth and temperature control, with a ButtonController framework for physical hardware triggers.
// What I Built
SmartBedAPI: a TypeScript class that authenticates via OAuth, discovers devices, and sets temperature (-100 to +100) for each bed side. ButtonController supports GPIO, USB HID, serial, and wireless inputs. Includes mitmproxy addons for traffic capture and full documentation of Eight Sleep's undocumented endpoints.
// Technologies
mitmproxy
HTTPS interception with custom addons to bypass cert pinning and capture OAuth flows.
TypeScript + Bun
SmartBedAPI client handling OAuth, sessions, and REST calls to Eight Sleep servers.
Python
mitmproxy addons for TLS interception and exporting traffic to JSON.
Eight Sleep REST API
Reverse-engineered OAuth, device discovery, and temperature control across three API domains.
Hardware Integration Framework
ButtonController abstraction supporting GPIO, USB HID, serial, and wireless inputs.
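Captured OAuth traffic contains passwords and bearer tokens, so an export meant for documentation should mask them before anything reaches disk. The addon below is an added example, not the project's own code: the secret header and key lists, the mask string and the output filename are assumptions, and it reads only the standard attributes of mitmproxy's HTTP flow objects.

```python
import json
import re

# Header names and JSON keys treated as secrets (assumed lists; extend per API).
SECRET_HEADERS = {"authorization", "cookie", "set-cookie"}
SECRET_KEYS = re.compile(r"(token|secret|password)", re.I)
MASK = "<redacted>"

def redact_json(value):
    """Recursively mask values whose key looks like a credential."""
    if isinstance(value, dict):
        return {k: MASK if SECRET_KEYS.search(k) else redact_json(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact_json(v) for v in value]
    return value

def redact_body(text):
    """Mask secrets in a JSON body; non-JSON bodies are dropped, not copied."""
    if not text:
        return None
    try:
        return redact_json(json.loads(text))
    except ValueError:
        return "<non-JSON body omitted>"

def redact_headers(headers):
    return {k: MASK if k.lower() in SECRET_HEADERS else v
            for k, v in headers.items()}

def summarize(flow):
    """Build one export record from a mitmproxy HTTPFlow-like object."""
    req, resp = flow.request, flow.response
    return {
        "method": req.method,
        "url": req.pretty_url.split("?", 1)[0],  # query strings can carry tokens
        "request_headers": redact_headers(req.headers),
        "request_body": redact_body(req.get_text(strict=False)),
        "status": resp.status_code,
        "response_body": redact_body(resp.get_text(strict=False)),
    }

class RedactingExporter:
    """mitmproxy addon: append one redacted JSON line per completed response."""
    def __init__(self, path="flows.redacted.jsonl"):  # assumed output file
        self.path = path

    def response(self, flow):
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(summarize(flow)) + "\n")

addons = [RedactingExporter()]
```

Loaded with `mitmdump -s`, it writes one JSON line per response; the raw capture never needs to leave the capture machine.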
// Lessons Learned
- 01 Cert pinning is bypassed by intercepting at the TLS layer. mitmproxy's --ssl-insecure flag plus custom addons handled it.
- 02 API reverse-engineering is pattern recognition. Standard OAuth, predictable REST naming, JSON payloads. The hard part is initial capture; the rest is documentation.
- 03 Interest-driven projects teach more than tutorials. Wanting a button instead of an app taught me TLS, OAuth, and embedded systems.
- 04 Designing for hardware extensibility upfront cost nothing. The GPIO/USB/serial/wireless abstraction was ready when I needed it.