Until now I’m accessing the REST API from some shell scripts with curl using legacy authentication like this:
curl -k -X POST -H "x-ha-access: my_secret_api_password" -H "Content-Type: application/json" -d '{"entity_id": "switch.socket"}' https://hass.example.org:8123/api/services/switch/turn_on
Now I wanted to achieve the same using an authentication token I generated in my HA user profile, but I don’t get this running.
I assumed, I just have to replace the x-ha-access header by an Authorization header:
curl -k -X POST -H "Authorization: MyNotSoSecretTokenName myVeryLoooo0ooOOOngAndSecretToken" -H "Content-Type: application/json" -d '{"entity_id": "switch.socket"}' https://hass.example.org:8123/api/services/switch/turn_on
But that obviously didn’t work, as this just returns 401: Unauthorized on client side and drops an error in the HA log:
2018-10-21 22:09:42 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.4.251
What am I doing wrong here?
2 Likes
I have managed to get this to work for the ‘HTTP Shortcuts’ Android App I’m using by inserting the word ‘Authorization’ and the string ‘Bearer myVeryLoooo0ooOOOngAndSecretToken’ for the header section, i.e. actually using the word ‘Bearer’ instead of your ‘MyNotSoSecretTokenName’, but very similar.
Don’t know how the app turns it into a curl-command, though.
1 Like
tmjpugh:
Maybe this helps
I read the docs, but misinterpreted them. I thought Bearer was a placeholder for the token name and not the actual keyword to be used in the header.
Thanks, that did the trick. Didn’t know, I actually have to use the keyword Bearer in front of the token.
So just for the record, this is my working curl request:
curl -k -X POST -H "Authorization: Bearer myVeryLoooo0ooOOOngAndSecretToken" -H "Content-Type: application/json" -d '{"entity_id": "switch.socket"}' https://hass.example.org:8123/api/services/switch/turn_on
6 Likes
Great, good to know it works with curl, too.
Would you mind marking this topic as solved - might help some other folks to get on the right track quicker.
It’s marked as solved already.
SCCMOG
(SCCMOG)
August 26, 2019, 10:32am
8
Quick question…
Is this secure? As I need to communicate between 2 HASS installations but do not want the access token sent in clear text in the header.
They will both be using HTTPS, so I guess my question is… is the initial post secure or not?
Cheers in advance!
Richie
tmjpugh
(Tmjpugh)
August 26, 2019, 5:31pm
9
YES. Initial post shows an https endpoint.
If the connection is https then it is an encrypted connection.
If not using https, no. It will be clear.
If this is a home LAN it may not be a big concern, since if someone on the LAN is sniffing traffic you have a bigger concern than the ability to log in to HA.
For business or a connection over WAN, https is best.
1 Like
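As an added example that is not part of any post in this thread: the curl commands above pass -k, which turns off certificate verification, and put the token on the command line. The wrapper below keeps verification on, rejects non-https URLs and reads the token from a file; HA_TOKEN_FILE, HA_CACERT, the ~/.ha_token path and the ha_* function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example. HA_TOKEN_FILE, HA_CACERT and the ha_* names are assumptions.

# Only https:// URLs are accepted, so the Bearer token is never sent in clear.
ha_require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-https URL: $1" >&2; return 1 ;;
    esac
}

# Build a private curl config file holding the headers and print its path.
# Passing it with -K keeps the token out of the process list.
ha_curl_config() {
    local token_file="$1" token cfg
    [ -r "$token_file" ] || { echo "cannot read $token_file" >&2; return 1; }
    token=$(tr -d '\r\n' < "$token_file")
    # Assumption: the token is JWT-shaped; anything else is rejected so it
    # cannot break out of the quoted header line in the config file.
    case "$token" in
        ''|*[!A-Za-z0-9._-]*) echo "token is empty or malformed" >&2; return 1 ;;
    esac
    cfg=$(mktemp) || return 1        # mktemp creates the file with mode 0600
    printf 'header = "Authorization: Bearer %s"\n' "$token" > "$cfg"
    printf 'header = "Content-Type: application/json"\n' >> "$cfg"
    printf '%s\n' "$cfg"
}

# Usage: ha_call_service URL JSON_BODY
ha_call_service() {
    local url="$1" body="$2" cfg rc=0
    ha_require_https "$url" || return 2
    cfg=$(ha_curl_config "${HA_TOKEN_FILE:-$HOME/.ha_token}") || return 3
    # No -k here: curl verifies the server certificate. With a private CA or a
    # self-signed certificate, point HA_CACERT at it instead of using -k.
    curl --silent --show-error --fail -K "$cfg" \
         ${HA_CACERT:+--cacert "$HA_CACERT"} \
         -X POST -d "$body" "$url" || rc=$?
    rm -f "$cfg"
    return "$rc"
}
```

Called as `ha_call_service https://hass.example.org:8123/api/services/switch/turn_on '{"entity_id": "switch.socket"}'`, it returns 2 for a non-https URL and 3 when the token file is missing or malformed, before any request is made.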
SCCMOG
(SCCMOG)
August 26, 2019, 6:03pm
10
Thought so! Had a blank moment thanks for confirming mate.
Klagio
(Klagio)
November 2, 2019, 7:16pm
11
chairstacker:
I have managed to get this to work for the ‘HTTP Shortcuts’ Android App I’m using by inserting the word ‘Authorization’ and the string ‘Bearer myVeryLoooo0ooOOOngAndSecretToken’ for the header section, i.e. actually using the word ‘Bearer’ instead of your ‘MyNotSoSecretTokenName’, but very similar.
Hi, now that in 0.101 I can’t put the password in the URL, I need to find a solution for my HTTP shortcut app, but I do not understand your solution …
I have to put this in the header section?
Authorization: Bearer myVeryLoooo0ooOOOngAndSecretToken
without quotes?