mintapi: Login Doesn't Work...

The following patch works for me.

@@ -118,11 +118,14 @@ class Mint(requests.Session):
         except RuntimeError:
             raise Exception('Failed to load Mint login page')

-        data = {'username': email}
+        self.cookies['ius_session'] = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
+        response = self.post('https://accounts.mint.com/access_client/sign_in',headers=self.json_headers, json={'username': email, 'password': password})
+
+        data = {'clientType': 'Mint', 'authid': json.loads(response.text)['iamTicket']['userId']}
         response = self.post('https://wwws.mint.com/getUserPod.xevent',
                              data=data, headers=self.json_headers).text

-        data = {'username': email, 'password': password, 'task': 'L',
+        data = {'task': 'L',
                 'browser': 'firefox', 'browserVersion': '27', 'os': 'linux'}
         response = self.post('https://wwws.mint.com/loginUserSubmit.xevent',
                              data=data, headers=self.json_headers).text

Since someone suggested moving away from python and another suggesting we move away from mint, I figured I would post this other idea I’ve been thinking of… Plaid.

With a demonstration account at https://plaid.com, I can authenticate to my banks directly using my own code and use their api to get my data without using mint, waveaccounting or anything else.

I’m thinking of using plaid to develop a very simple bank aggregation api for myself. Would that be of interest to anyone?

Thanks for the summary @alizrrao , I just pushed up (and released as 1.19) changes which update the URLs, and also provide a command-line parameter (--session=IUS_SESSION_COOKIE) to make this a little easier. @dyburke, any progress on automating it?

I’m officially on this. If you look at my track record, that doesn’t really mean a whole lot… BUT, I one time got disqualified for a cute baby contest online after forging about a million votes (I know, it sounds really bad…long story) and I’m very motivated by this project as I don’t feel Mint does a very good job giving me tools to manage my finances and I would like to stop using so many spreadsheets and make a life planner app.

TL;DR I’m neck deep in HTTP traffic trying to figure this out. I’ll give up the deets if I find them first.

I’ve been using this setup since June now, no manual grabbing of cookies necessary:

Install PhantomJS and download the script. Modify the script with your mint login information. Run phantomjs 2fa_login.js and do the first time setup with the 2 factor authentication code.

The phantomjs script outputs the ius_session in a file call ius_session. So after the one-time setup, just call mintapi as so to refresh the ius_session cookie before using mintapi to login:

import subprocess
subprocess.call(['phantomjs', '2fa_login.js'])
with open('ius_session') as f:
    cookie = f.read()

api = mintapi.Mint(email, pw, session_cookie=cookie)

The phantom js script is messy but works, so if someone wants to take the initiative to clean it up and make it easier to use, go for it!

https://www.buxfer.com/help/api has a nice API that’s free…

This should be reopened. After updating to the latest commit, I now call the mintapi with the ius_session supplied:

mintapi.Mint(email, password, ius_session)

However, I now get KeyError: 'iamTicket'

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "mintapi/api.py", line 59, in __init__
    self.login_and_get_token(email, password, ius_session)
  File "mintapi/api.py", line 129, in login_and_get_token
    data = {'clientType': 'Mint', 'authid': json_response['iamTicket']['userId']}
KeyError: 'iamTicket'

I’m having the exact same issue

Has anyone figured out how to get past the Key Erorr: 'iamTicket' problem? I am still trying to figure out where we should be capturing this.

What worked for me was logging in, having a browser window open to https://accounts.mint.com/xdr.html?v2=true&corsEnabled, and copying ius_session from the “Application” tab in Chrome’s inspector.

To summarize, as a temporary workaround, follow these steps for login to work again:

1. Manually pass the ius_session cookie when logging in as @xinluh and @jeffmikels described.
2. Change all occurrences of ‘wwws.mint.com’ to ‘mint.intuit.com’.
3. Change all occurrences ‘accounts.mint.com’ to ‘accounts.intuit.com’.

Nevermind; I figured out what was going wrong. So close I can smell it…

Hey everyone.

I feel like I’m getting pretty close, but there is a key that I’m missing between the POST to accounts.intuit.com/ius_proxy/v1/users/me/select_accounts and accounts.intuit.com/access_client/sign_in where our browsers somehow get their hands on the namespaceID that is returned back to us as the qbn.parentid.

If anyone figures out where this comes from, please let me know; I’ll keep searching.

Thanks, Dylan

I got a slightly modified @xinluh phantomjs method working on a linux box (no desktop installed), where my python script controls phantomjs. I switched it to send me an SMS captcha code to my google voice account, which the python script monitors and can send to phantomjs (could modify for email too). This is a pain/overkill, but it works for me. Code is linked below, modified from my original form (untested 😃…) for clarity, so might need a little debugging to get going.

Modified 2fa_login.js (search for //BCHANGE to see modifications)

Python phantomjs control: phantomjsmint.py

Note: to help debug PhantomJS, as well as the dumps on html in the code, you can save a screenshot in the check functions: page.render(‘3_captcha.png’);. One pJs modification was the submit button was disabled for me so it wouldn’t click through.

If anyone missed it, all urls that have wwws.mint.com need to be switched to mint.intuit.com (should replace in mintapi).

Looks like mint changed the website access URL’s from mint.com to mint.intuit.com

for example https://wwws.mint.com/login.event is now https://mint.intuit.com/login.event. The URL calls in the script need to be updated.

i use it in conjunction with bitbar to show me my account balances and recent transactions since they have discontinued the Mint QuickView app. I don’t know why they keep making it harder to use their software.

I login frequently and typically close the tab after I’m done.

@boondawgy - that’s the answer. Mint occasionally (daily) validates that the ius_session cookie is being used from a browser. Therefore when you login in via chrome - the ius_session is validated and then can be used with mintapi.

To require the mintapi user to visit mint.com in a browser every day (by my experience -ius_session “expires” daily) is not a robust solution.

Ok this is very interesting - I navigated to https://wwws.mint.com/login.event in Incognito Mode and I didn’t attempt to login - I just visited the page; I then grabbed the ius_session and tried it in mint_api. It worked without issue…

It would seems that ius_session isn’t tied to a specific mint account and all it does is validate that the login is occurring from a browser (and possibly a specific IP address).

So a possible solution would be to use something like Selenium just to navigate to that page (without needing to fill any forms etc.) and just grab the ius_session cookie.

(To actually recreate the proper requests isn’t feasible because the javascript is obfuscated. see https://github.com/mrooney/mintapi/issues/73#issuecomment-229083076)

If anyone wants to use Personal Capital instead I have created a Python library for accessing the API. https://github.com/haochi/personalcapital The documentation is a bit lacking right now but you can check out the example in main.py in the mean time.

Not sure if this is helpful, but there seems to be a way to prevent the ius_session from from expiring. I went to Mint using Firefox, and grabbed the ius_session from there after logging in, then I just ignored the browser. As long as I leave the browser tab open (even after mint auto signs out), the value seems to be valid. I was able to use the same ius_session for more than 20 days until I restarted my computer and it expired.

mintapi is a very nice interface to Mint. I don’t think a rewrite in another language or against another service is necessary due to this bug. Hopefully someone can submit a PR sometime soon.

It looks like when I generate a new ius_session with xdr.html, when I try to use it in the next call (https://accounts.mint.com/access_client/sign_in) it forces captcha validation:

Response: {“iamTicket”:null,“action”:“CHALLENGE”,“riskLevel”:“MED”,“challenge”:[{“primary”:true,“type”:“CAPTCHA”,“value”:null,“country”:null,“tokenFormat”:null},{“primary”:false,“type”:“CARE”,“value”:null,“country”:null,“tokenFormat”:null}]}

Were you able to get past this?

@rrichmond you have to login to mint with a browser and get the ius_session, edit the api.py and set the self.cookies[‘ius_session’] = variable for it to work.

Can you try again after normal login with a Web browser? I had the same error, but it started working fine when I logged into the site with a browser. There seems to be a missing piece in my patch. I don’t know yet what it is.

However, the ius_session I am using in the script is the one I grabbed from my browser cookies. There is a magical combination of cookies here, and I know there is a way to get them all.