Skip to content

Spec device ID masquerading #2221

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tulir merged 1 commit into from
Oct 8, 2025
Merged

Spec device ID masquerading #2221

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelogs/application_service/newsfragments/2221.feature
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Allow application services to masquerade as specific devices belonging to users, as per [MSC4326](https://github.com/matrix-org/matrix-spec-proposals/pull/4326).
1 change: 1 addition & 0 deletions changelogs/client_server/newsfragments/2221.feature
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Allow application services to masquerade as specific devices belonging to users, as per [MSC4326](https://github.com/matrix-org/matrix-spec-proposals/pull/4326).
13 changes: 12 additions & 1 deletion content/application-service-api.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -356,6 +356,7 @@ service would like to masquerade as.
Inputs:
- Application service token (`as_token`)
- User ID in the AS namespace to act as.
- Device ID belonging to the User ID to act with.

Notes:
- This applies to all aspects of the Client-Server API, except for
Expand All @@ -375,9 +376,19 @@ service's `user` namespaces. If the parameter is missing, the homeserver
is to assume the application service intends to act as the user implied
by the `sender_localpart` property of the registration.

{{% added-in v="1.17" %}} Application services MAY similarly masquerade
as a specific device ID belonging the user ID through use of the `device_id`
query string parameter on the request. If the given device ID is not known
to belong to the user, the server will return a 400 `M_UNKNOWN_DEVICE` error.
If no `user_id` is supplied, the `device_id` MUST belong to the user implied
by the `sender_localpart` property of the application service's registration.
If no `device_id` is supplied, the homeserver is to assume the request is
being made without a device ID and will fail to complete operations which
require a device ID (such as uploading one-time keys).

An example request would be:

GET /_matrix/client/v3/account/whoami?user_id=@_irc_user:example.org
GET /_matrix/client/v3/account/whoami?user_id=@_irc_user:example.org&device_id=ABC123
Authorization: Bearer YourApplicationServiceTokenHere

#### Timestamp massaging
Expand Down
4 changes: 4 additions & 0 deletions content/client-server-api/_index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -132,6 +132,10 @@ The server did not understand the request. This is expected to be returned with
a 404 HTTP status code if the endpoint is not implemented or a 405 HTTP status
code if the endpoint is implemented, but the incorrect HTTP method is used.

`M_UNKNOWN_DEVICE`
{{% added-in v="1.17" %}} The device ID supplied by the application service does
not belong to the user ID during [identity assertion](/application-service-api/#identity-assertion).

`M_UNKNOWN`
An unknown error has occurred.

Expand Down