Usage of REST API with access tokens?

Until now I’m accessing the REST API from some shell scripts with curl using legacy authentication like this:

curl -k -X POST -H "x-ha-access: my_secret_api_password" -H "Content-Type: application/json" -d '{"entity_id": "switch.socket"}'

Now I wanted to achieve the same using an authentication token I generated in my HA user profile, but I don’t get this running.

I assumed, I just have to replace the x-ha-access header by an Authorization header:

curl -k -X POST -H "Authorization: MyNotSoSecretTokenName myVeryLoooo0ooOOOngAndSecretToken" -H "Content-Type: application/json" -d '{"entity_id": "switch.socket"}'

But that obviously didn’t work, as this just returns 401: Unauthorized on client side and drops an error in the HA log:

2018-10-21 22:09:42 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from

What am I doing wrong here?


Maybe this helps

I have managed to get this to work for the ‘HTTP Shortcuts’ Android App I’m using by inserting the word ‘Authorization’ and the string ‘Bearer myVeryLoooo0ooOOOngAndSecretToken’ for the header section, i.e. actually using the word ‘Bearer’ instead of your ‘MyNotSoSecretTokenName’, but very similar.

Don’t know how the app turns it into a curl-command, though.


I read the docs, but misinterpreted them. I thought Bearer was a placeholder for the token name and not the actual keyword to be used in the header.

Thanks, that did the trick. 🙂 Didn’t know I actually have to use the keyword Bearer in front of the token.

So just for the record, this is my working curl request:

curl -k -X POST -H "Authorization: Bearer myVeryLoooo0ooOOOngAndSecretToken" -H "Content-Type: application/json" -d '{"entity_id": "switch.socket"}'


Great, good to know it works with curl, too.

Would you mind marking this topic as solved? It might help some other folks to get on the right track quicker.

It’s marked as solved already. 🙂

Quick question…

Is this secure? I need to communicate between 2 HASS installations but do not want the access token sent in clear text in the header.

They will both be using HTTPS, so I guess my question is… is the initial post secure or not?

Cheers in advance!


YES. The initial post shows an https endpoint.
If the connection is https then it is an encrypted connection.
If not using https, no. It will be clear.

If this is a home LAN it may not be a big concern, since if someone on the LAN is sniffing traffic you have a bigger concern than the ability to log in to HA.

For business or a connection over WAN, https is best.


Thought so! Had a blank moment thanks for confirming mate.
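
Added example, not part of any post in this thread: the HTTPS answer above holds only when the server certificate is actually verified, and the curl commands in this thread pass -k, which turns that verification off. The sketch below sends the same Bearer header without -k, refuses non-HTTPS URLs and keeps the token out of the command line; the function names, the token file and the host ha.example.invalid are assumptions.

```shell
#!/bin/sh
# Added example. ha_post, the token file and ha.example.invalid are assumed names.

# Refuse anything that is not https:// so the token never travels in clear text.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
}

# Read the token from a file (chmod 600) instead of hard-coding it in the script.
read_token() {
    [ -r "$1" ] || { echo "cannot read token file: $1" >&2; return 1; }
    tr -d '\r\n' < "$1"
}

# ha_post URL TOKEN_FILE JSON_BODY [CA_FILE]
# Sends "Authorization: Bearer <token>" with certificate verification left on (no -k).
# The header is fed to curl on stdin (-H @-, curl 7.55.0 or later) so the token
# does not show up in the process list.
ha_post() {
    url=$1; token_file=$2; body=$3; ca_file=${4:-}
    require_https "$url" || return 2
    token=$(read_token "$token_file") || return 3
    [ -n "$token" ] || { echo "empty token in $token_file" >&2; return 3; }
    if [ -n "$ca_file" ]; then
        set -- --cacert "$ca_file"   # trust a private CA or self-signed cert explicitly
    else
        set --                       # fall back to the system trust store
    fi
    printf 'Authorization: Bearer %s\n' "$token" |
        curl --proto '=https' --fail --silent --show-error "$@" \
            -X POST -H @- -H 'Content-Type: application/json' \
            -d "$body" "$url"
}

# Usage (placeholder host):
# ha_post "https://ha.example.invalid:8123/api/services/switch/turn_on" \
#         "$HOME/.ha_token" '{"entity_id": "switch.socket"}'
```

For a self-signed certificate, pass its PEM file as the fourth argument rather than reaching for -k.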

Hi, now that in 0.101 I can’t put the password in the URL, I need to find a solution for my HTTP shortcut app, but I do not understand your solution …

I have to put this in the header section?

Authorization: Bearer myVeryLoooo0ooOOOngAndSecretToken

without quotes?