mirror of
https://github.com/actualbudget/actual.git
synced 2026-07-16 07:04:23 -05:00
[GH-ISSUE #4961] [Feature] Support header and OpenID Connect authentication in API client #79539
Closed
opened 2026-05-19 02:30:07 -05:00 by GiteaMirror
·
4 comments
No Branch/Tag Specified
master
dependabot/npm_and_yarn/npm_and_yarn-cd62b4b37a
api-browser-custom-data-dir
tabedzki/feat/replacing-month-picker-with-day-picker
delay-initial-sync-until-loaded
jfdoming/mobile-app-build
cross-version-sync-compat
jfdoming/api-tokens-part-1
jfdoming/api-tokens-part-2
jfdoming/api-tokens-part-3
jfdoming/mobile-app-updates
claude/budget-version-migration-compat-151jlr
claude/worker-error-serialization-9iqtl7
claude/react-table-library-research-afx83z
claude/issue-8401-regression-test-9nw9l3
jfdoming/mobile-app-foundation-part-1
jfdoming/mobile-app-scaffold
release
ai-fix-cleanup-def-8290
claude/relaxed-shannon-jusywa
claude/fervent-keller-s6f2fq
claude/determined-feynman-st1y9z
claude/wizardly-einstein-vi2wce
claude/sweet-albattani-7nseio
feat/bank-sync-per-budget-file
claude/affectionate-cannon-y0kc82
claude/dependabot-findings-m9pgmb
claude/mac-app-ios-publish-zjs1lz
claude/vigilant-tesla-aiiyos
depot-migrate-secrets-1781296330308
claude/quirky-cerf-v5qck7
claude/animation-removal-alternative-2etfh1
claude/netlify-preview-comments-consolidate-9XPYa
osc/7391-error-boundaries-reports
claude/pensive-dijkstra-7DYui
claude/server-app-version-mismatch-HTCGv
claude/pr-8027-review-feedback-mELuO
claude/zealous-wozniak-e5pO0
claude/intelligent-heisenberg-BSHJq
claude/translation-download-refactor-jFRsO
claude/mobile-performance-ideas-G9PAO
claude/github-issue-7988-5A5ly
blacksmith-migration-ff70d2d
claude/great-mayer-KRvOk
claude/react-native-ios-compilation-fcJh5
claude/serene-goldberg-58xv0
claude/kind-euler-LVG3K
release-automation/edge-nightly
7710-bundle-migrations
claude/fix-docker-build-error-WMfed
claude/llm-compatible-release-notes-t20Nr
7710-tests-tdd
cursor/transaction-table-rewrite-f077
claude/plan-ci-secure-context-OtEe1
claude/fix-issue-7667-DPXi3
cursor/resolve-pr-7449-ee11
claude/fix-typescript-build-error-JPtZ5
copilot/add-repository-configs-to-packages
worktree-compressed-drifting-ritchie
claude/api-consumer-verification-kfz1K
pr-7454
claude/fix-issue-7410-LLLQ4
revert-7281-generate-icons
react-query-useSchedules
copilot/sub-pr-6140
package-upgrades
v26.7.0
v26.6.0
v26.5.2
v26.5.1
v26.5.0
v26.4.0
v26.3.0
v26.2.1
v26.2.0
v26.1.0
v25.12.0
v25.11.0
v25.10.0
v25.9.0
v25.8.0
v25.7.1
v25.7.0
v25.6.1
v25.6.0
v25.5.0
v25.4.0
v25.3.1
v25.3.0
v25.2.1
v25.2.0
v25.1.0
v24.12.0
v24.11.0
v24.10.1
v24.10.0
v24.9.0
v24.8.0
v24.7.0
v24.6.0
v24.5.0
v24.4.0
v24.3.0
v24.2.0
v24.1.0
v23.12.0
v23.11.0
v23.10.0
v23.9.0
v23.8.1
v23.8.0
v23.7.2
v23.7.1
v23.7.0
v23.6.0
v23.5.0
v23.4.2
v23.4.1
v23.4.0
v23.3.2
v23.3.0
v23.2.9
v23.2.5
v23.1.12
v22.12.9
Labels
Clear labels
AI generated
API
bank sync
budgeting
bug
can’t replicate
dependencies
docker
documentation
electron
experimental feature
feature
feedback
goal templates
good first issue
help wanted
importers
maintenance
needs info
needs testing
needs triage
needs votes
openid
payees
pull-request
regression
reports
responsive
rules
schedules
server
✨ merged
split transactions
tech debt
tech-support
theme
transaction import
transaction reconciliation
transactions
translations
upstream
user interface
✅ approved
wontfix
Mirrored from GitHub Pull Request
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/actual#79539
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @latetedemelon on GitHub (May 8, 2025).
Original GitHub issue: https://github.com/actualbudget/actual/issues/4961
Verified feature request does not already exist?
💻
Pitch: what problem are you trying to solve?
The official @actual-app/api client currently only supports password-based authentication through a password parameter in api.init() and does not expose any mechanism to leverage server-side header-based (x-actual-password) or OpenID Connect flows for non-interactive authentication.
While the Actual Server supports multiple login methods including header auth and an experimental OpenID Connect provider integration the client library does not allow API consumers to configure or use these alternative auth methods, forcing scripts to rely on embedding server passwords and preventing the use of SSO or API tokens in headless workflows.
Describe your ideal solution to this problem
Add an authMethod option to api.init() (Node.js) and with allowed values password | header | openid, mirroring the server’s loginMethod and allowedLoginMethods settings. Ideally we'd be able to support different methods via the API vs. the UI at the same time.
Header mode: accept a long-lived API token or header secret and send it as x-actual-password on every request, eliminating reliance on the password form.
OpenID mode: implement a non-interactive OAuth2/OIDC client-credentials or device-flow to obtain and refresh bearer tokens for scripting contexts, leveraging the OpenID Connect provider feature.
Teaching and learning
Documentation: Update the “Using the API” docs with clear examples for each authMethod, including sample code snippets.
Migration guide: Provide a guide showing how to switch existing scripts from password to header or OpenID modes.
Testing: Add automated tests covering password, header, and OpenID authentication flows against a test server configured for each method.
Discoverability: Add an “Authentication Methods” section to the README, and link prominently in the API docs, so users immediately see alternate auth options.
@github-actions[bot] commented on GitHub (May 8, 2025):
✨ Thanks for sharing your idea! ✨
This repository uses lodash style issue management for enhancements. That means enhancement issues are automatically closed. This doesn’t mean we don’t accept feature requests, though! We will consider implementing ones that receive many upvotes, and we welcome contributions for any feature requests marked as needing votes (just post a comment first so we can help you make a successful contribution).
The enhancement backlog can be found here: https://github.com/actualbudget/actual/issues?q=label%3A%22needs+votes%22+sort%3Areactions-%2B1-desc+
Don’t forget to upvote the top comment with 👍!
@Ovyerus commented on GitHub (Aug 5, 2025):
+1, would love to be able to write a thing to integrate my bank with Actual to create transactions automatically, but I'm also using OIDC.
Rather than needing the API package to know OIDC stuff, I think just letting users generate an API key to put in the password option (or a different name if that's not possible, not sure of how it works internally) would be simpler and best, and would also open it up to creating API keys with certain permissions (e.g. read-only, scoped to certain accounts) later on if wanted.
@bertmelis commented on GitHub (Sep 5, 2025):
I haven't tried it, but can you currently use password based logins for your external applications while using OIDC as a user?
@tscibilia commented on GitHub (Sep 8, 2025):
Confirmed this works with both password and OIDC enabled, from what I understand, just don't enforce OIDC and allow for both login methods. I got some guidance from... https://github.com/seriouslag/actual-auto-sync/issues/8