The disclosure relates to using a control service to control external access to APIs of IoT devices on a private network. An external application can request access to an API, and in response, the control service can monitor broadcasts from the IoT devices indicating what APIs they have available. If a match exists, the control service can request user authorization to allow the requested access. The user can grant or deny the requested access, and place limitations on the authorized access. The control service uses this information to open a connection between the requesting application and the IoT device having the requested API, and via this connection, the requesting application can access and control the device running the requested API.