2FA in Auth API

I’m working on some software that contacts the Checkvist API. The doc for the login call (/auth/login.json?version=2) seems to imply (the wording isn’t 100% clear) that a 2FA token is needed if the user has it enabled:

If user has 2-step verification enabled, API calls for obtaining the token should use Remote API key. Otherwise they should also contain 2-factor authentication code from the authentication app as the parameter token2fa.
Open API | Checkvist

However I’m finding with my account (which does have 2FA enabled) I can get a token using just the username and remote_key. Have I missed something?

And a more general question while I’m on this topic - I haven’t seen much mention of the API on this Discourse. Is this the right place to ask questions about it? If so perhaps you could add a relevant category or tag - it’s probably not of much interest to most Checkvist users.

1 Like

I too built an integration to the Checkvist API recently. And though I have enabled 2FA in my account, I think that you don’t need it for API auth. And it wouldn’t make much sense either, I guess, since inputting a 2FA code is a real “human” activity and an API integration on the other hand should run autonomously most of the time.
But yes, the API docs aren’t clear here.

And a more general question while I’m on this topic - I haven’t seen much mention of the API on this Discourse. Is this the right place to ask questions about it? If so perhaps you could add a relevant category or tag - it’s probably not of much interest to most Checkvist users.

+1

API stuff is probably a niche topic but a specific forum category could collect API posts together and maybe attract other users.

1 Like

I’d be interested to hear anything you’re able to share about what you’ve integrated Checkvist with.

FWIW, mine is a command-line capture app for quickly pinging tasks off to a default list. It’s a bit of a toy project - in part it scratches an itch (thinking of something I quickly want to note in Checkvist without heading over to a browser). In part it’s a learning project (new language). And I have thoughts down the line of doing something more ambitious with the API library I’m working on at some stage (i.e. a Trello-ish view of a Checkvist list).

When I have the command-line app in a state manageable for regular users, I’ll post a GitHub link here for others to use/try.

2 Likes

Hello,

Sorry for a slight delay with the answer.

By the current design, if you pass the OpenAPI key (not the password), the 2FA code is not required.
If you want to use a real user password, you need to provide the 2FA code as an extra parameter (the Checkvist mobile app uses this approach).

The OpenAPI key is not a very secure thing; it is a secret key which should be used very carefully.

A very good point. Before introducing this forum, we had started a Google Groups discussion for API talks - and we should definitely add an API category into this forum instead. Will consider this!

Best,
KIR

1 Like

Ah I see. Thanks for the clarification.
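
Since the staff answer above says key-based login skips the 2FA check, the remote key is effectively a password and a client should store and send it like one. The following is an added example, not code from any poster or from Checkvist: it refuses a key file that other local users can read, puts the key in the POST body instead of the URL, and masks it in log output. The host name, the form-encoded POST body, the key file and the helper names are assumptions; the path and the parameter names username and remote_key are the ones quoted in the thread.

```python
import os
import stat
import urllib.parse
import urllib.request

# Path and parameter names come from the thread; the host and the use of a
# form-encoded POST body are assumptions of this example.
LOGIN_URL = "https://checkvist.com/auth/login.json?version=2"


def load_remote_key(path):
    """Read the remote API key from a file that only its owner can access."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/other; chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        key = fh.read().strip()
    if not key:
        raise ValueError(f"{path} is empty")
    return key


def build_login_request(username, remote_key):
    """Build the login call with the key in the POST body, not the URL.

    No token2fa is sent: per the thread, key-based login does not need it,
    which is why the key has to be guarded like a password.
    """
    body = urllib.parse.urlencode({"username": username, "remote_key": remote_key})
    return urllib.request.Request(LOGIN_URL, data=body.encode("ascii"), method="POST")


def describe_for_log(request):
    """Return a loggable summary of the request with the key masked."""
    fields = urllib.parse.parse_qs(request.data.decode("ascii"))
    fields["remote_key"] = ["REDACTED"]
    safe = urllib.parse.urlencode(fields, doseq=True)
    return f"{request.get_method()} {request.full_url} {safe}"


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        key_file = os.path.join(tmp, "checkvist.key")  # constructed sample file
        with open(key_file, "w", encoding="utf-8") as fh:
            fh.write("EXAMPLE-KEY-NOT-REAL\n")  # constructed placeholder key
        os.chmod(key_file, 0o600)
        req = build_login_request("user@example.com", load_remote_key(key_file))
        print(describe_for_log(req))
```

The request object is only built and described here; nothing is sent over the network.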