mrlt8 / docker-wyze-bridge

WebRTC/RTSP/RTMP/LL-HLS bridge for Wyze cams in a docker container
GNU Affero General Public License v3.0

Implement new Wyze API Key authentication method #837

Closed stere0123 closed 1 year ago

stere0123 commented 1 year ago

Hi, I received an email from Wyze indicating they are updating their authentication endpoint, and third party services will need to use a new API Key authentication method. The cutoff for this change is July 7, 2023 (30 days from now). I assume this will affect Docker Wyze Bridge.

Link to Wyze documentation for creating a new API Key: https://support.wyze.com/hc/en-us/articles/16129834216731

Attached email from Wyze:

Dear friend of Wyze,

As Wyze continues efforts to improve your experience and security, we are upgrading our authentication endpoint. We are reaching out to inform you of a few changes coming to the Wyze app that you know and love.

As of July 7th, 2023 you will need to have updated your Wyze app beyond version 2.38 (Android and iOS devices) to be able to keep utilizing features as normal. Bottom line…now is the time to update your Wyze app.

As of now, you have 30 days before this change goes into effect. From that point, any app that is installed and is less than 2.38 will not be available for use. Please note that the latest Wyze app will need a minimum OS version to operate.

Android: 7.0+

iOS: 14.0+

*For users of Home Bridge/Home Assistant We have developed a portal for you to generate an API Key. Please follow these steps to update your script. Please make sure to update your script with this new endpoint to continue connecting to Wyze Cloud.

As always, your support means the world to us! We are here for you if anything comes up. Please contact Customer Support if you run into any issues.

Many thanks,

Your friends at Wyze

tardis89 commented 1 year ago

Just got this and was wondering the same.

mrlt8 commented 1 year ago

The changes to the API were noted a few releases ago #793, and a forced update was to be expected.

Fortunately, I already have a working fix for the v3 API on my local branch.

Not sure what the benefit of this new API key is if we still have to provide the email and password, as it seems like an unnecessary extra step?

MrM-code commented 1 year ago

Wyze has a new security in place to block bots and automation scripts so it is better to use the new API endpoint that they provided in the email.

mrlt8 commented 1 year ago

As far as I can tell, all three user/login endpoints for authentication share the same Cloudflare rate-limiting.

Only difference seems to be the header requirements.

mrlt8 commented 1 year ago

API_KEY and API_ID are now available in v2.3.0.

Please let me know if you run into any issues.

photinus commented 1 year ago

I tried to switch over to API_KEY/API_ID, still getting prompted for a 2fa token to get entered into the text file. When entering the 2fa token into the text file I get repeatedly prompted for a new one and sent multiple SMS tokens.

mrlt8 commented 1 year ago

I just tried two different accounts with phone and TOTP verification, and they were both able to log in without a code. Can you confirm you're on v2.3.0 and have the key/id set in your config:


```yaml
environment:
    ...
    - API_ID=11111111-1111-1111-1111-111111111111
    - API_KEY=1111111111111111111111111111111111111111111111111111111111111111
```

photinus commented 1 year ago

Had that configured, still was getting the SMS messages, I did turn off the SMS and moved over to a TOTP 2fa. Now it's logging in, though based on the logs it's still using the 2fa.

mrlt8 commented 1 year ago

What do you see if you manually curl the wyze api?

```bash
curl --request POST \
  --url https://auth-prod.api.wyze.com/api/user/login \
  --header 'Content-Type: application/json' \
  --header 'apikey: my-api-key' \
  --header 'keyid: myapikeyid' \
  --data '{"email":"email@email.com","password":"md5HashedPassword"}'
```

You can md5 hash your password with something like:

```bash
hash="MyPassword"; for _ in {1..3}; do hash=$(echo -n "$hash" | md5sum - | cut -c1-32); done; echo "$hash"
```

mfa_options and mfa_details should both be null
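
The check described in the comment above, as an added Python example that is not part of the thread or the project's own code: it reproduces the triple-MD5 step, assembles the same request without sending it, masks the secrets before the request is shared, and classifies a response by `mfa_options` and `mfa_details`. The URL and header names come from the curl command; the helper names and the sample response bodies are constructed for illustration.

```python
import hashlib
import json

# Endpoint and header names are taken from the curl command in the thread.
LOGIN_URL = "https://auth-prod.api.wyze.com/api/user/login"
# The hashed password is accepted by the endpoint as-is, so it is masked too.
SECRET_FIELDS = {"apikey", "keyid", "password", "email"}

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def triple_md5(password: str) -> str:
    """Same result as the shell loop: MD5 applied three times to the hex text."""
    digest = password
    for _ in range(3):
        digest = md5_hex(digest)
    return digest

def build_login_request(email, password, key_id, api_key):
    """Assemble the request without sending it (hypothetical helper)."""
    headers = {"Content-Type": "application/json", "apikey": api_key, "keyid": key_id}
    body = {"email": email, "password": triple_md5(password)}
    return {"url": LOGIN_URL, "headers": headers, "body": body}

def redact(request):
    """Copy of the request that is safe to paste into an issue or a log."""
    def mask(mapping):
        return {k: "<redacted>" if k.lower() in SECRET_FIELDS else v
                for k, v in mapping.items()}
    return {"url": request["url"], "headers": mask(request["headers"]),
            "body": mask(request["body"])}

def mfa_state(response_text: str) -> str:
    """Classify a login response by the two fields named in the thread."""
    data = json.loads(response_text)
    if not isinstance(data, dict) or not all(
            k in data for k in ("mfa_options", "mfa_details")):
        return "unknown"  # e.g. an error body without the login fields
    if data["mfa_options"] is None and data["mfa_details"] is None:
        return "no-mfa-challenge"
    return "mfa-challenge"

# Constructed sample bodies; a real response carries more fields than these.
SAMPLE_KEY_LOGIN = '{"mfa_options": null, "mfa_details": null}'
SAMPLE_MFA_LOGIN = '{"mfa_options": ["constructed-option"], "mfa_details": {"id": "constructed"}}'

if __name__ == "__main__":
    req = build_login_request("email@email.com", "MyPassword", "myapikeyid", "my-api-key")
    print(json.dumps(redact(req), indent=2))
    print(mfa_state(SAMPLE_KEY_LOGIN), mfa_state(SAMPLE_MFA_LOGIN))
```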

cheme75 commented 1 year ago

I haven’t done mfa yet since I got so little at wyze that I’m not concerned and my pw is long and complicated so not the easiest to defeat. Anyway, it sounds like the API key will be necessary starting soon. When I looked at wyze info I only saw mention of creating the API key, no info on API ID? What am I missing?

mrlt8 commented 1 year ago

You'll get an API ID when you generate a new API Key.

The API Key/ID will remain optional when using the bridge as we can fallback to the authentication endpoint that the app is using which doesn't require the ID/key.

One benefit of the API key is that it will let you skip the MFA verification step if you have that enabled. As for MFA, I believe it is still optional and can be turned off at any time (I believe the email 2fa is enabled by default but isn't required).

If you don't have MFA enabled then you can probably just leave things as is.

cheme75 commented 1 year ago

> You'll get an API ID when you generate a new API Key.
>
> The API Key/ID will remain optional when using the bridge as we can fallback to the authentication endpoint that the app is using which doesn't require the ID/key.
>
> One benefit of the API key is that it will let you skip the MFA verification step if you have that enabled. As for MFA, I believe it is still optional and can be turned off at any time (I believe the email 2fa is enabled by default but isn't required).
>
> If you don't have MFA enabled then you can probably just leave things as is.

Once again an excellent explanation. Many thanks!

I’m one of the few who had their acct corrupted by wyze when they auto transitioned me from legacy PD to the initial cam lite that was a complete cluster of glitches. (Long tale of misery.) So I’ve been holding off on any acct level changes until after I move. My luck, any change could render the acct even more screwed up. After we move, I’ll reset everything, delete my acct and start over fresh and then I’ll add mfa and use the api key for convenience. Meanwhile I am leaning more into this bridge w/scrypted and homebridge for my other devices.

mrlt8 commented 1 year ago

Everything seems to be working as expected.

Closing this for now, but please feel free to open another issue.

aquariuz23 commented 8 months ago

Update: Fixed it so please ignore this.

For others in the future also with extremely limited knowledge with codes, I figured out my mistake. Add your API ID and Key to the end of the string this way:

1) remove the word environment (although might not matter)
2) type in API_ID: (not API_ID=) followed by your actual API ID from Wyze.
3) type in API_KEY: (not API_KEY=) followed by your actual API Key from Wyze. You will know it's correct when API_ID and API_Key turn orange like the rest. The actual ID and Key will remain white.
4) Save and restart Docker Wyze Bridge.

Hello good folks,

I am trying to get Docker Wyze Bridge to work with my HA. I am extremely new to this so please be patient with me, and apologies for necro'ing an old and closed thread.

I have Docker Wyze Bridge installed as an Add-on and it shows up on the left column, as expected. However, after configuring it, I repeatedly receive texts for my 2FA, but I have no way of adding it to the webUI. Following the guides, I added the API ID and API key by editing the options section, saved it and restarted. However, I kept receiving 2FA texts whenever I restart. Below is how I configured the YAML, which I'm almost certain is done incorrectly (email, password, KeyID and ApiKey are all actual proper info).

```yaml
WYZE_EMAIL: email
WYZE_PASSWORD: password
NET_MODE: ANY
SNAPSHOT: API
MQTT_DTOPIC: homeassistant
ENABLE_AUDIO: false
MOTION_API: false
ON_DEMAND: true
SUBSTREAM: false
CAM_OPTIONS: []
environment:
```

I changed my 2FA from text to TOTP 2FA, specifically Google Authenticator, restarted both Docker Wyze Bridge as well as HA, but I still can't access my cameras. However, this time of course I no longer receive any 2FA text.