Separate passwords for each API endpoint

From a security point of view, I highly dislike the one global API password that lets you do everything. My initial thought was to have a different password for the HTTP interface vs. the API. But even that, if someone figures out or snoops your API password, they have control over everything.

I would like to see a new optional parameter on every configuration object that allows you to create a new API password that only has access to that one specific component.

Going further, perhaps the ability to add API users and define what actions they can take.

I’m sure there’s a million ways to improve security in this fashion, so I open this up to discussion. But, I do believe this should be considered a high priority request as securing external access to our systems should be paramount.

1 Like

You may want to look at this Pull Request (PR)… Always a good idea to look at Issues and PRs on github as they give you an idea of what’s coming next…

Thanks, but that has nothing to do with what I’m requesting.

If my API password is “password123” and I go make an IFTTT trigger with “?api_password=password123” and someone sees that/figures it out, then they now have my password to control EVERYTHING in my system, or to log into my HTTP interface and see my logs, history, locations, etc.
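The per-component credential model proposed in the opening post, and the leaked IFTTT password scenario in the reply above, sketched as an added example. This is not Home Assistant's code and not part of this thread; the component names (`switch.porch_light`, `history`), the token format and the `CredentialStore` class are constructed for illustration. It shows what a scoped credential buys a defender: a token leaked in an IFTTT URL can only do the one action it was issued for, and it can be revoked on its own without rotating the global password.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

# Constructed model: each credential is bound to a set of (component, action)
# scopes. The single global API password from the thread corresponds to one
# credential holding the wildcard scope ("*", "*").

PBKDF2_ROUNDS = 100_000  # illustrative work factor for hashing stored secrets


@dataclass(frozen=True)
class Scope:
    component: str  # hypothetical entity id such as "switch.porch_light", or "*"
    action: str     # hypothetical action such as "turn_on" or "read", or "*"


class CredentialStore:
    """Issues, checks and revokes scoped API tokens (illustrative, not HA's API)."""

    def __init__(self) -> None:
        # token_id -> (salt, pbkdf2 digest of the secret, scopes)
        self._creds: Dict[str, Tuple[bytes, bytes, FrozenSet[Scope]]] = {}

    def issue(self, scopes: Iterable[Scope]) -> str:
        """Create a token of the form '<id>.<secret>'; only a hash of the secret is stored."""
        token_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(24)
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
        self._creds[token_id] = (salt, digest, frozenset(scopes))
        return f"{token_id}.{secret}"

    def revoke(self, token_id: str) -> bool:
        """Revoke one token (e.g. the one pasted into IFTTT) without touching the others."""
        return self._creds.pop(token_id, None) is not None

    def _scopes_for(self, token: str) -> Optional[FrozenSet[Scope]]:
        """Return the token's scopes if it verifies, else None."""
        try:
            token_id, secret = token.split(".", 1)
        except ValueError:
            return None
        record = self._creds.get(token_id)
        if record is None:
            return None
        salt, digest, scopes = record
        candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
        # Constant-time comparison so a guess cannot be timed byte by byte.
        if not hmac.compare_digest(candidate, digest):
            return None
        return scopes

    def authorize(self, token: str, component: str, action: str) -> bool:
        """True only if the token is valid and a scope covers (component, action)."""
        scopes = self._scopes_for(token)
        if scopes is None:
            return False
        return any(
            s.component in ("*", component) and s.action in ("*", action)
            for s in scopes
        )


def demo() -> Dict[str, bool]:
    """Walk through the thread's scenario: a global token vs. a porch-light-only token."""
    store = CredentialStore()
    admin_token = store.issue([Scope("*", "*")])                        # today's global password
    ifttt_token = store.issue([Scope("switch.porch_light", "turn_on")])  # what the OP asks for

    results = {
        "admin_reads_history": store.authorize(admin_token, "history", "read"),
        "ifttt_turns_porch_on": store.authorize(ifttt_token, "switch.porch_light", "turn_on"),
        "ifttt_turns_porch_off": store.authorize(ifttt_token, "switch.porch_light", "turn_off"),
        "ifttt_reads_history": store.authorize(ifttt_token, "history", "read"),
        "malformed_token": store.authorize("not-a-token", "history", "read"),
    }
    # The leaked IFTTT token is revoked on its own; the admin token keeps working.
    store.revoke(ifttt_token.split(".", 1)[0])
    results["ifttt_after_revoke"] = store.authorize(ifttt_token, "switch.porch_light", "turn_on")
    results["admin_after_ifttt_revoke"] = store.authorize(admin_token, "history", "read")
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The token id in front of the secret is what makes per-token revocation cheap: the server can find the record without trying every stored hash, and the secret itself never sits in the store in clear. If the `?api_password=` query string from the reply above were replaced by such a token, exposure of that URL would be limited to one action on one component.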

Are you saying if they see this on the IFTTT side or on the HA side (in your config files)?

On the road map for HA there’s support for User Management. This would most likely be bundled with this.

Sorry for digging up this old post. I’m surprised it is still not yet implemented to this day. I find it pretty uncomfortable to use the same password for everything. Please let us have separate passwords for HTTP and API.

3 Likes