I have created an API token for my user and it is displayed in my profile. I was planning to use it with HABSpeaker but I think that project is dormant or abandoned so now I want to use it with the official openHAB Android app. Does the name matter? I don't think so but we'll see.
In the openHAB Setting→Server openHAB→Local, I have the Local server URL set to http://192.168.4.29:8080, Username is set to my API token and Password is not set. It looks like the local server is intended to be an https URL not http and the API Token is visible in plain text on this screen!
I was getting a message saying that there was no sitemap, but I found some old (2023) messages about this and so I created an empty sitemap and now it seems happy, although that issue still exists in v4.3.0.
My question is this: When I go to the Main UI, it asks me to sign in. I thought the point of an API Token was that you no longer need a username and password, no? Even if I give it my username and password, I can’t sign in. The logs say:
`2025-10-15 17:20:50.534 [WARN ] [uth.internal.AbstractAuthPageServlet] - Authentication failed from 192.168.4.24: Wrong password for user steve`
Can you have an API token and a password?
The user role can only access the Items and UI related REST API endpoints. They cannot access any of the administration parts of MainUI.
The admin role can access everything, of course.
By default in MainUI → Settings → API Security the "Implicit user role" is enabled. This means that any non-authenticated user (i.e. one that has not logged in) is treated like it has the user role. If you disable this, you must log in in order to access any part of OH.
The authtoken can be passed as part of an HTTP request to the OH REST API to authenticate and get authorization to access that endpoint, but it doesn't log you in. It doesn't give you a role. It just lets the REST API complete. For this reason, authtokens are mainly used for external programs to interact with OH.
But MainUI needs you to log in so it knows what parts of the UI it can show to you. The authtoken doesn’t provide sufficient information.
So you can lock down your OH instance a little bit by disabling the implicit user role and use the authtoken in the Android app and you’ll be able to bring up the UIs like a user without logging in. But you must log in to access the admin parts of MainUI.
Also don’t get confused by the different users and passwords. The username/password field in the Android app is for cases where you have to authenticate before you can even get to openHAB. For example, when OH is behind a reverse proxy or accessed through myopenhab.org.
This user is not the same as the openHAB user which has an admin role or a user role. Those users are separate and local to OH itself.
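As an added example (not code from the thread or from openHAB itself), this shows what the Android app's "Username = token, Password empty" setting turns into on the wire: an HTTP Basic header carrying the token as the user name, which openHAB accepts alongside the Bearer form for API tokens. The token value below is a constructed placeholder; the decode helper shows why a token sent to a plain `http://` URL is readable by anyone who can see the request.

```python
import base64
from urllib.request import Request

# Constructed sample values: not a real token; the host/port is the one from the thread.
SAMPLE_TOKEN = "oh.example.PLACEHOLDERTOKEN"
SAMPLE_BASE_URL = "http://192.168.4.29:8080"


def basic_auth_header(token: str) -> str:
    """Header the app sends when Username=token and Password is empty:
    HTTP Basic with the token as user name and an empty password."""
    raw = f"{token}:".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def bearer_auth_header(token: str) -> str:
    """Alternative form openHAB accepts for an API token."""
    return f"Bearer {token}"


def build_items_request(base_url: str, token: str, scheme: str = "basic") -> Request:
    """Build (but do not send) a GET for /rest/items, an endpoint the user role may read."""
    header = basic_auth_header(token) if scheme == "basic" else bearer_auth_header(token)
    req = Request(f"{base_url}/rest/items", method="GET")
    req.add_header("Authorization", header)
    req.add_header("Accept", "application/json")
    return req


def recover_token_from_basic(header_value: str) -> str:
    """Basic auth is base64, not encryption: the token is trivially recoverable
    from the header, which is why the transport (https vs http) matters."""
    scheme, _, payload = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, _password = base64.b64decode(payload).decode("utf-8").partition(":")
    return user


def token_exposed_in_transit(base_url: str) -> bool:
    """True when the request would travel over plain HTTP, i.e. the token is
    readable by anyone on the network path."""
    return base_url.lower().startswith("http://")
```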