0.90 Update: api_password is going to deprecate


So I updated a few minutes ago and everything went straight through, good work guys!
The only thing I don’t understand is I still get an error/log saying:

api_password is going to deprecate. You need to use a bearer token to access /api/states from

So first thing, I do not have the http: part in my configuration file. Second, that IP address, I don’t use it my scope at home, so where the heck is that address coming from?

What am I missing to get rid of that error? is the docker container

Oh okay, but any idea why I get the error?

do you have an auth provider?
any reason no http: in config? (even if nothing added)?

No I don’t.
I actually removed it because I would see if that did the trick.

you have to replace the api_password under http with the legacy_api_password under auth providershttps://www.home-assistant.io/docs/authentication/providers/

But I removed that part completely and still, my HA didn’t wanted to boot afterwards.
Right now I’m running with only:


… And I removed the auth_providers:
Which fixed my boot problem.

first guess would be something was wrong in the auth providers section.

Have you tried deleting the “Legacy API User” (going from memory) account?

If not, go to Configuration, Users and delete the Legacy API User.

Add the following to your config:-

   - type: homeassistant

… as per the instructions at https://www.home-assistant.io/docs/authentication/providers/

This fixed the error for me.

I haven’t, but maybe I should give it a try.
One silly question though. What exactly are the benefit of doing this?
I mean what does the code actually do? What happens when it works?

If you are using the user based (homeassistant) authentication and do not use the API password mechanism, it is just another vector for attack.

I disabled the API password, removed the API user, and limited my auth providers to only home assistant, and I have had no ill effects whatsoever with logging in and everything continued to work. Interestingly though, I immediately starting getting invalid logins from multiple IP addresses that I am not in control of and have no knowledge of. I can only think that somehow API password was known to these endpoints.

So far, I have had 4 IP addresses appear in my ip_bans.yaml file - all of them from the same set of IP addresses owned by the same hosting provider local to my area (which is in Melbourne, Australia, so not a hacking hotspot). Very odd, and a little concerning, but I am glad I did it now.

… update! Worked out who it was! It was me! :grinning: They were IP addresses from my VPN … didn’t realise until I cracked open the IOS app when I was out and about, and got a “forbidden” message. I had to turn off legacy mode in the IOS app.

Embarrassing, but at least I know it is working as expected!

1 Like

Sure thing :slight_smile:.

Btw, did you remove http: in your conf file as well?
I don’t have anything in it, so is it really needed?

So I tried this and made sure no user named the above and it still works now after a reboot.
Unfortunately I do still get this error:

api_password is going to deprecate. You need to use a bearer token to access /api/states from

I don’t know how and where I can change that part :(:sleepy:

I definitely till have a HTTP section. It has the following in it:-

ssl_certificate: !secret ssl_certificate
ssl_key: !secret ssl_key
base_url: !secret base_url
ip_ban_enabled: True
login_attempts_threshold: 5

I guess if you are not using SSL then and don’t want automatic discovery of your HA instance on the iPhone app whilst you are on your LAN, it may not be needed.

I would suggest that if you can access the HA instance externally, then it would be very advisable to use SSL. I use it through DuckDNS Hassio addon, which automatically generates new LetsEncrypt certificates without me ever having to worry about it.