rubyaustralia / melbourne-ruby

Organisers notes and processes

Automating your finances (and the Up API) #160

Closed ptagell closed 4 years ago

ptagell commented 4 years ago

A totally unsolicited bucket of tips relating specifically to managing money automatically.

ptagell commented 4 years ago

@colquhounking - if I were to take > 5 but < 10 mins would that work? Can get < 5 if I'm brutal and speak faster.

ceels commented 4 years ago

Between 5 and 10 will be fine!

ptagell commented 4 years ago

Some notes from my talk:

Why we built the Up API: https://up.com.au/blog/api_lets_hack_on_banking/
API Docs: https://developer.up.com.au/
Invite code: https://hook.up.me/paul

davich commented 4 years ago

Really enjoyed the talk, thanks! I had a couple more questions if you don't mind. For the security-focused consumer, do you have things like

Thanks

mtcmorris commented 4 years ago

@davich - awesome ideas - cheers!

Cycling API keys is straightforward - you only ever have one access token - generating a new token will effectively revoke the old one.

For 2FA I don't quite follow - do you mean as a part of token generation? Or as part of accessing the API?

davich commented 4 years ago

As part of accessing the API. As a client, I'm about to GET the balance on my account. Before I make that GET call, I call generate_2fa_token on the API. The API makes an outbound call to my URL (that I've pre-configured) with the 2FA token. I then use that token in my GET request. And that token is valid for the next 30 minutes (or whatever). Same concept as how some sites SMS a code to the mobile number they have on file for you. But this would be a POST request to the URL they have on file. This could stop someone getting access to your account if your API key leaked.
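
A sketch of the callback flow described in the comment above, combined with the single-token rotation mentioned earlier, as an added example that is not part of the thread and not the Up API. `StepUpApi`, `rotate_api_key`, `get_balance` and the `deliver` callable (standing in for the POST to the pre-configured URL) are hypothetical names; only `generate_2fa_token` comes from the comment.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical in-memory model of the scheme in this thread; not the Up API.
class StepUpApi
  TTL = 30 * 60 # seconds a delivered token stays valid ("30 minutes (or whatever)")

  # deliver: callable standing in for the HTTPS POST to the pre-configured URL.
  def initialize(deliver:, clock: -> { Time.now.to_i })
    @deliver = deliver
    @clock = clock
    @key_digest = nil
    @step_up = nil # [token digest, expiry] once a token has been issued
  end

  # One access token at a time: a new one replaces (revokes) the old one and
  # discards any 2FA token minted under it.
  def rotate_api_key
    key = SecureRandom.hex(32)
    @key_digest = Digest::SHA256.hexdigest(key)
    @step_up = nil
    key
  end

  # The token goes only to the callback URL, never back in this response, so a
  # leaked API key alone cannot obtain it.
  def generate_2fa_token(api_key)
    return false unless secret_matches?(@key_digest, api_key)
    token = SecureRandom.hex(16)
    @step_up = [Digest::SHA256.hexdigest(token), @clock.call + TTL]
    @deliver.call(token)
    true
  end

  def get_balance(api_key, token)
    return :unauthorized unless secret_matches?(@key_digest, api_key)
    digest, expiry = @step_up
    return :step_up_required unless secret_matches?(digest, token) && @clock.call < expiry
    :ok
  end

  private

  # Only digests are stored; compare them without an early exit on mismatch.
  def secret_matches?(stored, presented)
    return false if stored.nil? || presented.nil?
    given = Digest::SHA256.hexdigest(presented)
    stored.bytes.zip(given.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end
```

In this model the callback endpoint becomes a second secret-bearing channel, so it has to be authenticated and protected as carefully as the API key itself.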

VanessaNimmo commented 4 years ago

Video is finally up - apologies for the delay! https://youtu.be/AQVw0i-5tRc