Issue accessing transactions through API after Sep security update

Hey All,

I have a very minor Python app which downloads my transactions offline.

I set it up using a very simple set-up:

  1. create a client using localhost as the redirect uri
  2. got the authorization_code from the email which was sent
  3. used the request library to obtain the access and refresh tokens:

import requests

url = 'https://api.monzo.com/oauth2/token'

# Sent as form data in the POST body (despite the variable name, not HTTP headers)
headers = {
    'grant_type': 'authorization_code',
    'client_id': client_id,  # being the client I registered online
    'client_secret': client_secret,  # being the secret I obtained once I registered the client
    'redirect_uri': 'https://localhost',
    'code': authorization_code,  # being the code obtained from step 2
}

res = requests.post(url, data=headers).text  # this gave me the access code

After this I am able to query items in my account, i.e.

monzo = "api.monzo.com"
#get list of accounts

response = requests.get("https://{}/{}".format(monzo, 'accounts'), 
            headers={"Authorization": "Bearer {}".format(access_token)}) 

The above code works and gives me a list of accounts. However, when I try to get my transactions using the below code, I get a 403 response:

params_data =  {
            "account_id": account_id }    

response = requests.get("https://{}/{}".format(monzo, 'balance'), 
            headers={"Authorization": "Bearer {}".format(access_token)},
            params=params_data)

response = "code":"forbidden.verification_required","message":"Verification required"

Any idea why this would happen?

How can I fix it?

I had the same problem which led me here, so did some digging. This is due to changes made for Strong Customer Authentication.

From the docs:

After a user has authenticated, your client can fetch all of their transactions, and after 5 minutes, it can only sync the last 90 days of transactions. If you need the user’s entire transaction history, you should consider fetching and storing it right after authentication.

In this case I guess you are requesting transactions older than 90 days. It looks like your options are to poll every few minutes, or to re-authenticate.

See also: Strong Customer Authentication: Upcoming changes to developer apps


Additionally, make sure you’ve allowed the app in your app - you should get a push notification asking you to allow.

The error described happens after the app has already been allowed, but the 5 minutes has passed. The error doesn’t happen if the transactions filter only requests recent transactions.

The first post in the above thread pointed me at another solution to avoid re-authentication:

In the Monzo app, click your avatar, click the cog then “Settings”, and scroll down to Manage Apps. In here you can click your app name to refresh its session.
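An added example, not code from any of the posts above or from Monzo: one way a sync script can respect the 5-minute and 90-day limits quoted from the docs, by clamping the `since` filter before each request and treating `forbidden.verification_required` as a signal to re-authenticate. `http_get`, `clamp_since`, `sync_transactions` and the one-hour margin are hypothetical, and the code assumes the transactions endpoint's `since` and `limit` pagination parameters.

```python
from datetime import datetime, timedelta, timezone

FULL_HISTORY_WINDOW = timedelta(minutes=5)  # full history allowed this long after auth
ROLLING_WINDOW = timedelta(days=90)         # afterwards only this much is served
MARGIN = timedelta(hours=1)                 # assumed safety margin, not from the docs
PAGE_SIZE = 100

class VerificationRequired(Exception):
    """The API answered 403 forbidden.verification_required."""

def clamp_since(last_synced, authenticated_at, now):
    """Return (since, gap): the oldest timestamp to request, and whether
    transactions older than the 90-day window will be missed."""
    if now - authenticated_at <= FULL_HISTORY_WINDOW:
        return last_synced, False           # may be None: fetch everything
    floor = now - ROLLING_WINDOW + MARGIN
    if last_synced is None or last_synced < floor:
        return floor, True
    return last_synced, False

def sync_transactions(http_get, account_id, authenticated_at,
                      last_synced=None, now=None):
    """http_get(path, params) -> (status, json_dict) is a hypothetical wrapper
    around requests.get that adds the Authorization: Bearer header."""
    now = now or datetime.now(timezone.utc)
    since, gap = clamp_since(last_synced, authenticated_at, now)
    cursor = since.strftime("%Y-%m-%dT%H:%M:%SZ") if since else None
    collected = []
    while True:
        params = {"account_id": account_id, "limit": PAGE_SIZE}
        if cursor:
            params["since"] = cursor
        status, body = http_get("transactions", params)
        if status == 403 and body.get("code") == "forbidden.verification_required":
            raise VerificationRequired("re-authenticate or refresh the app session")
        if status != 200:
            raise RuntimeError("unexpected response {}: {}".format(status, body))
        page = body.get("transactions", [])
        collected.extend(page)
        if len(page) < PAGE_SIZE:
            return collected, gap
        cursor = page[-1]["id"]             # next page starts after this transaction
```

When `gap` comes back true, the local store is missing history that only a fresh authentication can fetch, so the caller should record that rather than treat the sync as complete.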