Calling APIs with appPassword

Hi. I’m developing an Android app which logs in to a Nextcloud server and interacts with Nextcloud Files (upload, delete, share files). I use LoginFlowV2 to log in. After logging in, I wanna call APIs without the user’s password. I thought about using JWT, but the request from LoginFlowV2 returns an appPassword, not a JWT. So once the user has logged in, how can I use the appPassword for calling APIs? I really don’t wanna use a 3rd party app for JWT.

Are you using the Nextcloud Android libraries?

No. I login by using login flow v2.

Just use the app password as a password, see

I see. But I realized that flow v2 is only used for known devices. I run curl -X POST on the server and it works, but on other devices, it doesn’t. So I decided to use a WebView.
I can log in successfully in WebView but cannot grant access, even though I set 'overwriteprotocol' => 'https' in config.php. After logging in, I want to use appPassword for calling APIs, but the API to convert an appPassword requires a username and password, which the user has already provided in the webview:
curl -u username:password -H 'OCS-APIRequest: true'

Check on how the login flows work, there’s V1 and V2 which work a bit differently, depending on what you want to achieve.

Yes, I’ve checked. V2 is for known devices, so I chose to use V1, which opens a WebView. But with that, I cannot receive the appPassword. As I said, I need to do this to get an appPassword:
curl -u username:password -H 'OCS-APIRequest: true'
But the user has already provided username and password in WebView. I can force them to type it again and to be honest, storing a password in a client app is not safe.

No, V2 is not for known devices, it just provides a url which needs to be opened and another url which needs to be polled.
V1 works without polling and uses a url scheme.

A call to getapppassword is not needed in both cases.
Please read the documentation on how login flow works.


For V2, there’s no need to call an API to get the appPassword. As I understand it, after successful verification, the appPassword will be returned. But in V2, I do not see the username and password, so the verification process cannot be successful.

In both cases (V1 and V2) you receive (after successful auth) a username and a password/apptoken. Either via a redirect (V1) or via the polling endpoint (V2).

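The Login Flow v2 sequence the replies above describe (a URL to open, a URL to poll, then the app password used as the Basic auth password), as an added Python sketch that is not part of the thread or of Nextcloud's own code. The endpoint path and JSON fields follow the Nextcloud Login Flow documentation; `cloud.example.com`, the sample responses, the function names and the https check are assumptions made for this example.

```python
import base64, json, time
from urllib import error, parse, request

# Constructed sample responses in the shape the Login Flow v2 docs describe.
SAMPLE_INIT = json.dumps({"poll": {"token": "constructed-poll-token",
    "endpoint": "https://cloud.example.com/login/v2/poll"},
    "login": "https://cloud.example.com/login/v2/flow/constructed-flow-id"})
SAMPLE_GRANTED = json.dumps({"server": "https://cloud.example.com",
    "loginName": "alice", "appPassword": "constructed-app-password"})

def http_post(url, form=None):
    """POST a form and return (status, body); HTTP errors are returned, not raised."""
    req = request.Request(url, data=parse.urlencode(form or {}).encode(), method="POST")
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as exc:
        return exc.code, ""

def start_flow(server, post=http_post):
    """Step 1: anonymous POST; returns (login_url, poll_endpoint, poll_token).
    Step 2 happens outside this code: open login_url in the device browser."""
    status, body = post(server.rstrip("/") + "/index.php/login/v2")
    if status != 200:
        raise RuntimeError(f"login flow init failed: HTTP {status}")
    data = json.loads(body)
    endpoint = data["poll"]["endpoint"]
    # Added check (assumption of this example): never send the token over plain http.
    if not endpoint.startswith("https://"):
        raise ValueError("poll endpoint is not https")
    return data["login"], endpoint, data["poll"]["token"]

def wait_for_app_password(endpoint, token, post=http_post, attempts=60, delay=2.0):
    """Step 3: poll until the user grants access in the browser (404 until then)."""
    for _ in range(attempts):
        status, body = post(endpoint, {"token": token})
        if status == 200:
            data = json.loads(body)
            return data["server"], data["loginName"], data["appPassword"]
        if status != 404:
            raise RuntimeError(f"poll failed: HTTP {status}")
        time.sleep(delay)
    raise TimeoutError("user did not grant access in time")

def auth_headers(login_name, app_password):
    """Step 4: the app password is sent as the Basic auth password on API calls."""
    raw = f"{login_name}:{app_password}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode(),
            "OCS-APIRequest": "true"}
```

The client never handles the account password in this sequence; only `loginName` and `appPassword` need to be kept, ideally in the platform's credential store.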