Thinking Big


I went with Home Assistant Cloud because I don’t want to open up ports in my firewall but still want to use one of the voice assistants. I access my home LAN using VPN and can then use it as if I was at home. I’m not really interested in opening up another way into my network through HA Cloud so I hope that remote access can be disabled. From my point of view it’s an unnecessary feature that can be accomplished in other ways. Sure those ways maybe less user friendly, but as long as we are still hand-typing in .yaml files I don’t think of another method for remote access as a priority that I want to pour 60$/year into.


About the payment. I get a bad feeling when I see text like “No payment information is being stored on our servers.” yet the payment page is on YOUR server. Unless you give me the source code and complete transparency to the server setup, I will not be inclined to trust you are handling my credit card data securely. You are not a financial institute with all the appropriate levels of security. If you want to show me as a potential customer that the payment info isn’t stored, the the payment should be done directly on the payment company´s (Stripe’s) server. I don’t want to try and read your JavaScript to verify how the payment is processed if that’s even possible. I do love Home Assistant, but you are making it tough sometimes. For now I think I’ll hold off until there are other payment options.


Yap, everytime we moved one component to config flow, some “advanced” user will shot out “I need manual config my device”

Anyway, the big trend happening now in HA is more and more components are moving towards UI config.

I hope you can look back and maybe revise your comment few release from now.


It is done directly on Stripe’s server. The payment information is never sent to our servers. We’re using Stripe.js, and from their documentation:

Stripe.js is our foundational JavaScript library for building payment flows. With it you can collect sensitive information from the user and create representative Tokens for safely sending that data to your servers.
Because all sensitive information is handled by Stripe.js, it features simple PCI compliance with SAQ A reporting.


A fiver says your mum wouldn’t use it even if it had the most user friendly interface that was ever invented. Some people just don’t have the inclination for these sorts of things.

I never really get the argument about the yaml files being terrible and we need a really good UI. So if there was 3 boxes on the UI and above the first it said “what’s your trigger”, and the second said “what’s your condition”, and the third said “what’s your action” your mum could fill it in, but if she actually has to write the words trigger, condition and action it’s too technical.

Regardless, the UI stuff has come on leaps and bounds. Buy your mum some flowers and tell her to try again in a few months, hopefully it’ll be mum-friendly by then :wink:


It is done directly on Stripe’s server. The payment information is never sent to our servers. We’re using Stripe.js, and from their documentation:

How would I know that by just looking at the rendered payment page? I looked at the URL and then I looked at the server certificate (from the padlock in the addressbar in my browser). They all give the impression that the traffic is through nabu casa. I don’t want to have to read frontend source before paying on the Internet.

Anyway, I said my bit and appreciate the fast answer on what data is sent where.


I was just gonna be happy with your answer. And subscribed. But then I get this on my account page:

You are currently enrolled in the Home Assistant Cloud trial. Your trial will end on October 17th, 2018 , after which we will charge your XXXX card ending at NNNN.
(personal data censored above)

So you say you don’t store my payment information, but still provide part of my credit card number. It looks like you say one thing and do another. Sure, I now you’ll answer, we just make an api call to Stripe, yadda-yadda, and we just display that result and didn’t really store my payment info. Yeah, but you still have access to my payment info by the looks of things. If I wasn’t too lazy to work around the personal assistant config in hass, this cloud service would have rubbed me the wrong way too many times to stay subscribed.


If you’re curious what information is available from Stripe, here is the full API object which is retrieved to show you that bit of data:

So yes, access to some of the data is available to us, but not the entire card number, CVC, etc. The UX retrieves enough for the typical subscription information most people expect on such a page.


Good for you if you’re happy if most people are satisfied. I’m trying to look thoroughly at a service (nabu casa) that asks me to trust them with both my payment information and access to my home network.

So the previous discussion reads like you’re ok with the payment page saying nabu casa stores no payment information but can still access a fair bit of it from the card info from Stripe.

Personally I don’t think my IRL name and definitely my home address is any of nabu casa’s business for providing this service. Sure Stripe needs it but nabu casa does not. The damage from a leak where all this “harmless” info is stolen together with access to my home assistant through remote access would be bad.

What if I have a home alarm system that Home Assistant can control or at least see the status of? I would certainly not want anyone to also be able to find the real world address in combination with access to my HA installation. If they did they could just check when I forget to activate the alarm or even disable the alarm and door lock if I had that in HA.

I’m being asked trust this kind of information to one or a few developers. Having responsibility for an ambitious list of new features as well as providing security for my my smart home and access to some of my personal payment information is a tough sell. Security will most likely be a side responsibility by comparison to other tasks, so the reliance on the community’s help in evaluating the security solution is important. That’s why I’m going on about this topic.


You think a credit card broker is much cheaper? Not in europe at least. And it seems that everyone thinlk that all people have a bank card. That is far from true. I live inside the Eu but bank cards is very rare here. I have but I am an immigrant


It’s worth noting that you can verify every payload that comes down to HASS yourself, and your HASS instance does signature checks on payloads relayed from Google/Amazon to verify they sent it as you requested.

I agree entirely, this is why we didn’t ask for your home address, phone number, etc. during the payment process.



excellent work. Love Homeassistant.
Is there a plan to get to Version 1.0.0? And if so will there be wider communications / articles on this fantastic platform?

Cheers all,


I read that and immediately thought back to the other day where I brought up rewriting the Tuya Component to work locally, which has already been accomplished by some fine people such as codetheweb & NorthernMan54 in codetheweb’s tuyapi nodejs repo. NorthernMan54 has even advanced further in effectively incorporating another tuya device (door/window sensors) that we have yet to see done in our tuya component. Keep in mind they did so all locally, no calls to tuya’s api.

The only issue is someone (of more skill than myself) would need to actively take on translating their nodejs into the new version of the python3 tuya component for HA.

I proposed this change by creating an Issue in two of home-assistant’s repositories (Issue created in the general home-assistant repo & Issue created in the architecture repo), but both Issues were promptly closed telling me that there wasn’t much desire to do such a thing.

Surely, you can see where these actions & your statement of wanting control to remain local whenever possible contradict each other, yes?

I’m not trying to start anything and by no means am I trying to be combative, but I will admit I was a little annoyed at how the dev of the home-assistant github account approached the situation.

For anyone who cares to have a look at the conversation I had with codetheweb & NorthernMan54 on the tuyapi nodejs repo you can do so starting at my comment here. And if you would like to see how NorthernMan54 successfully integrated Tuya’s Door/Window sensors you can see his current (working) version of that code here.

I hope that with these events brought to light, someone will consider taking on the task of converting the tuya component to function locally using the repository I provided as a guide.


@caffeinatedmike home-assistant repo is for bug report only, feature request should be submit in here, this forum. I redirected you to home-assistant/architecture repo since I think it might be fit there. Then @balloob replied you very clear

I think that this is not so much worth an architecture issue, we will always prefer local over remote API. So a contribution is welcome!

You got green light buddy, you can start your work and open a pull request for it.


As I’ve stated in my above comment, I don’t the knowledge required. I know python, but are in no way anywhere close to understanding the component structure or how to create said component. Plus, I don’t currently have devices that would allow me to test anything other than the simple wifi plugs/switches.


I don’t have a credit card . In the UK most sites charge 2.5% extra for using credit cards . I have debit cards and paypal how can I subscribe ?

Update: added my visa debit card and it seems to have accepted OK will wait and see when the trial runs out


When can I use this to remove control HA without VPN or opening a port?


its being worked on, so i doubt it ready yet its the first on the list though


What I hate the most (about my bank) is that I can set the card to work in three regions. My own country, Europe or the whole world. Having the card open for the whole world introduces own kinds of risks.

I would like to able to purchase a longer period at a time. Something from 4 to 12 months.

Now using cloud with alexa, love it! :slight_smile:
Waiting for what happens with tasker. Running some features in there too.


Donations point is stupid… why not take donations AND have a stable subscription fee ? Cmon.

Take donations.
Add paypal and yearly options to subscribe to your cloud, which I don’t even need but will be subscribing, so that I could support this python spaghetti.