Monzo Full Re-authorisation
Run when the CT109 Monzo poll reports HTTP 401 / Bad refresh token. This is the only Bulma flow that requires the Mac — the browser OAuth + Monzo app approval is Apple-bound; polling itself lives on CT109 (bulma-finance, 192.168.1.214) and never runs on the Mac.
When to run
- CT109 poll-monzo.log shows HTTP 401 / Bad refresh token
- bulma-poll-monzo.timer is enabled but transactions stop advancing
When NOT to run
- Access-token expiry — the poller refreshes that itself
- Collector/network errors in the log — check the Z2 service first
The three steps (Mac)
bash
# 1. Browser OAuth — approve in the Monzo app when prompted
# --force is REQUIRED when a broken token file already exists (the usual
# case — the guard otherwise refuses to overwrite it)
python3 /Users/nnamdi/Sandpit/hinata-sandpit/scripts/reauth-monzo.py --force
# 2. Push fresh tokens to Z2 (never prints values)
bash /Users/nnamdi/Sandpit/hinata-sandpit/scripts/push-monzo-tokens.sh
# 3. Start the CT109 poll timer
ssh hinata-z2 "pct exec 109 -- systemctl start bulma-poll-monzo.timer"
Step 1 writes tokens_monzo.json + monzo_credentials.json to ~/Sandpit/hinata-sandpit/data/bulma/. Step 2 copies both to hinata-z2:/mnt/data/hinata/data/bulma/ (CT109 bind mount) and fixes container perms.
Verify
bash
ssh hinata-z2 "pct exec 109 -- tail -15 /root/data/bulma/poll-monzo.log" | sed -E 's/[A-Za-z0-9+\/=_.-]{24,}/[MASKED]/g'
Expect transaction counts, no 401.
HTTP 403: Forbidden on /accounts after a clean token load is NOT a token failure — it is the Monzo SCA gate: the app approval (step 1's push notification) has not been tapped yet. The token is valid and the timer stays active; the poll succeeds on its next fire (≤15 min) once the approval is tapped in the Monzo app. If the push notification was dismissed, open the Monzo app — the approval prompt sits in the feed. Do not re-run reauth for a 403.
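The triage this runbook describes (401 means re-authorise, 403 on /accounts means the app approval is pending, collector errors mean check Z2), as an added example that is not one of the project's scripts. The function names, verdict strings and sample log lines are constructed; the real poll-monzo.log wording may differ.

```bash
#!/usr/bin/env bash
# Added example, not part of the runbook's scripts. Log wording is constructed;
# only "HTTP 401", "Bad refresh token", "HTTP 403" and "/accounts" are from the page.

# Masking expression from the Verify step: hide token-like runs before display.
mask() { sed -E 's/[A-Za-z0-9+\/=_.-]{24,}/[MASKED]/g'; }

# Read log text on stdin and print one verdict. The LAST matching line wins,
# so an old 401 followed by a successful poll is not reported as a live failure.
triage() {
  local verdict="ok" line
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *"HTTP 401"*|*"Bad refresh token"*) verdict="reauth" ;;
      *"HTTP 403"*"/accounts"*)           verdict="sca-pending" ;;
      *[Ee]rror*|*"timed out"*)           verdict="check-z2" ;;  # assumed wording
      *transactions*)                     verdict="ok" ;;        # assumed success line
    esac
  done
  printf '%s\n' "$verdict"
}

# Map a verdict to the action this runbook prescribes.
advise() {
  case "$1" in
    reauth)      echo "Run the three re-authorisation steps on the Mac." ;;
    sca-pending) echo "Tap the approval in the Monzo app; do not re-run reauth." ;;
    check-z2)    echo "Check the Z2 service first; do not re-run reauth." ;;
    *)           echo "No action: poll is healthy." ;;
  esac
}

# Constructed sample log tails.
SAMPLE_401='2025-01-01 10:00 poll ok: 12 transactions
2025-01-01 10:15 refresh failed: HTTP 401 Bad refresh token'
SAMPLE_403='2025-01-01 11:00 tokens loaded
2025-01-01 11:00 HTTP 403: Forbidden on /accounts'
SAMPLE_RECOVERED='2025-01-01 11:00 HTTP 403: Forbidden on /accounts
2025-01-01 11:15 poll ok: 3 transactions'
SAMPLE_NET='2025-01-01 12:00 collector error: connection timed out'
```

Pipe the Verify command's raw output into `triage` and use `mask` only for what gets displayed, since masking first can swallow a long URL or path that the classifier needs to see.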
After first successful CT109 poll
Delete the Mac-side tokens_monzo.json — CT109's first refresh rotates the chain, so the Mac copy is dead from that moment. Z2 is the sole Monzo writer; the Mac is reauth surface only. monzo_credentials.json (client id/secret) stays — the next reauth needs it.
Related: how-to_truelayer-reauth · credential-model · approved-ip-addresses