Hi Everyone -
It has been basically impossible for me to get information out to users over the past few weeks during these issues due to constant github issues being created. So I am writing this forum post so that there is a central place I can put information where it is highly visible. Feel free to skip all of this and just read the TLDR
Beginning of September, users started experiencing an issue that was seemingly fixed by adding a useragent. The previous github repository for myq was abandoned, so in order to make the change - I created a github organization and published the repository there. I personally do not have a MyQ device, so I was at the mercy of some other users testing for me. But the solution I settled on was if the use got a 400 error, it would generate a user-agent. And that seemingly fixed the problems on September 26th
On September 29th users started having issues again - it was fixed October 2nd by parsing a few additional tags for the login, and changing some of the things we do when we login.
A few days later, it broke again, and was fixed October 10th.
It broke the next morning and was fixed October 11th
It worked until October 18th, however, for some users it never started working, this is because they manually applied fixes that weren’t being overridden. This is just a brief reminder that if you aren’t aware of what terminal commands someone gives you are doing, you shouldn’t do them, and instead wait for official fixes. But that is besides the point
MyQ has enabled cloudflare bot protection which uses Machine Learning to determine what is a bot and what isn’t.
This makes the task much harder to overcome. There are some changes that seem promising, but the issue is once I make said changes and everyone updates their myq instance, the bot protection will pick that up and myq will again be broken - this is partially why some other implementations of the myq api are still working, they have a smaller user count and the bot protection has not picked up on it (yet).
Let me make a few things clear, this has nothing to do with rate limiting. I have seen a lot of users talk about how we should implement a option to change how frequently we poll for data, or just don’t use the api as much as we do now. The issue is only with authenticating - that is the only part that the anti bot protection is enabled. It does not matter how frequently you get data from myq, as soon as you need to reauth yourself, you can end up getting a 429 error - it is not a 429 error in the traditional sense.
I am in discussion with a few other third party myq developers and we will attempt to fix the problem, but it does not seem like there is an easy solution. I am primarily talking with the developer of the homebridge version of myq who has been maintaining that api for 10 years.
MyQ is explicitly attempting to block third party integrations, and when it comes down to it - when you have a team of software engineers getting paid to block us vs people attempting to reverse engineer the api in their free time, the paid software engineers are going to win over the long term.
I would recommend one of the following options
Use one of the recommended partners for myq and integrate that into home assistant.
Buy a fully local solution such as Ratgdo, open garage, or meross. In my opinion, ratgdo is the best as it gives you all of the data you could want, but they are backordered and the other options are good as well.
Wait and see if we get it fixed
If you switch off of myq, I’d delete your account and remove the device, no need to allow access into your home anymore.
I would also recommend making your voice heard and tweeting at myq - while it is unlikely it will change anything, I think it is helpful to make your voice heard.
A) This would still probably fail with the bot protection - our issues have no relation to how frequently we ping their servers
A) We are playing a game of cat and mouse with MyQ and right now it looks like the cat is winning. You can see here that myq has openly stated that they want to block all non-supported apis for ‘security’. In reality, I believe it is for one of the following three reasons:
They want to lower server cost
They want you to see their ads for their other products - if you aren’t using the app, it is unlikely you will buy their other products
They want to sell their subscription services, like the MyQ Tesla app which they are selling for $45 a year.
If they really cared about user security, they would give users the option to connect with their device 100% locally.
A) This is not something MyQ seems interested in. I reached out September 27th to get added to the Works with MyQ portal. On September 28th - It routed me to someone in sales who has been attempting to help me and connect me with someone in corporate. October 4th I followed up, and was told I should hear from someone in a few days. October 12th- I followed up again and was told again my request was forwarded to someone in corporate. October 19th - I followed up once more and heard nothing. I sent one more follow up this morning, October 23rd, and I let them know I was planning to recommend all of our users to ditch MyQ, and they told me they forwarded the request to their boss to try to get corporate to respond. But I am not optimistic.
A) Right now - no, a fix seems possible, so the integration is not dead and I hope it never will be, but that is a possibility in the long term.
TLDR: MyQ has added cloudflare bot protection to the authentication step of the login phase, it is incredibly hard to beat, we will continue to attempt to get the api working again, but it may be a losing battle. This is why you should always prefer to have non-cloud devices, you are at the mercy of a company. I would recommend looking at local options such as RATGDO, OpenGarage, Meross, etc. If that isn’t an option for you -all you can do is wait and hope we figure this out or attempt to connect to a ‘supported’ myq partner and then add that to home assistant.
My Latest update (11/6/2023) -
The MyQ Integration will be officially removed from Home Assistant in 2023.12 Read about that here.
This is unfortunate, but it is seemingly the best move forward. Since I last updated, MyQ has continued to lock down their api - they are also doing a Firebase app check - That is in addition to the CloudFlare bot protection - and the REST call checks. It’s a whole lot of effort just to block third party integrations from communicating with the myq servers.
I know some people are still attempting to find a solution - and I’d be happy to help implement as long as it seems like it can truly be a long lasting solution.