TrueLayer Full Re-authorisation (NatWest)
Run only when the CT109 TrueLayer poll reports invalid_grant (refresh token dead). Polling lives on CT109 (bulma-finance, 192.168.1.214 — bulma-poll-truelayer.timer, every 15 min, since 2026-06-11); the Mac is reauth surface only. The former Z2-host hinata-poll-truelayer-{morning,evening} units are deleted — do not recreate them.
When to run
- CT109 `poll-truelayer.log` shows `invalid_grant`
- `full_auth_at` in the Z2 token file is >85 days old (proactive rotation)
When NOT to run
- Access-token expiry — the poller refreshes that itself (`refresh ok` lines are normal)
- Bulma report shows £0 with no `invalid_grant` — check the CT109 timer first
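The run / don't-run rules above can be checked mechanically before starting a reauth. The following is an added example, not part of the hinata scripts: it assumes the log is oldest-first, that `full_auth_at` is an ISO 8601 string (the page does not state its format), and the sample log layout and token fields are constructed.

```python
import json
import re
from datetime import datetime, timedelta, timezone

ROTATE_AFTER = timedelta(days=85)                 # proactive-rotation threshold from this page
TOKENISH = re.compile(r"[A-Za-z0-9+/=_.-]{24,}")  # modelled on the sed mask used in Verify


def mask(line):
    """Replace token-like runs so a quoted log line never leaks a secret."""
    return TOKENISH.sub("[MASKED]", line)


def reauth_decision(log_lines, token_json, now):
    """Return (action, reason); action is 'reauth' or 'no-reauth'."""
    # Old invalid_grant lines stay in the log after a successful reauth, so only
    # the most recent refresh outcome counts (assumption: the log is oldest-first).
    for line in reversed(log_lines):
        if "invalid_grant" in line:
            return "reauth", "refresh token dead: " + mask(line.strip())
        if "refresh ok" in line:
            break
    # Read only the timestamp field; token values are never touched or printed.
    # Assumption: full_auth_at is an ISO 8601 string; a missing field raises KeyError.
    stamp = json.loads(token_json)["full_auth_at"]
    authed = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    if authed.tzinfo is None:
        authed = authed.replace(tzinfo=timezone.utc)  # assumption: naive means UTC
    age = now - authed
    if age > ROTATE_AFTER:
        return "reauth", f"full_auth_at is {age.days} days old (proactive rotation)"
    return "no-reauth", f"latest refresh outcome is not invalid_grant; full auth {age.days} days old"


# Constructed sample data (log layout and token-file fields are assumptions).
SAMPLE_LOG = [
    "2026-06-20T08:00:01 refresh failed: invalid_grant",
    "2026-06-20T09:15:02 refresh ok",
    "2026-06-20T09:30:02 refresh failed: invalid_grant rt=AbCdEfGhIjKlMnOpQrStUvWxYz012345",
]
SAMPLE_TOKENS = '{"full_auth_at": "2026-06-01T10:00:00Z", "refresh_token": "constructed-not-a-real-token"}'

if __name__ == "__main__":
    print(reauth_decision(SAMPLE_LOG, SAMPLE_TOKENS, datetime(2026, 6, 21, tzinfo=timezone.utc)))
```

A `no-reauth` result with a £0 Bulma report still means checking the CT109 timer first, as the list above says.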
Steps (Mac)
```bash
# 1. Browser OAuth — NatWest login + scope approval
python3 ~/Sandpit/hinata/scripts/reauth-truelayer.py --force --no-itachi-sync
# 2. Push fresh tokens to Z2 (never print values)
scp -q ~/Sandpit/hinata/data/bulma/tokens_truelayer.json hinata-z2:/mnt/data/hinata/data/bulma/
ssh hinata-z2 "chmod o+rw /mnt/data/hinata/data/bulma/tokens_truelayer.json"
# 3. Delete the Mac transit copy — dead once CT109 refreshes
rm ~/Sandpit/hinata/data/bulma/tokens_truelayer.json
# 4. Start the CT109 timer
ssh hinata-z2 "pct exec 109 -- systemctl start bulma-poll-truelayer.timer"
```

`--force` is required when a broken token file already exists. `--no-itachi-sync` is required: the script's built-in sync targets the deleted host units and a CT103 path CT109 does not read — CT109 reads only `/root/data/bulma` (bind mount of `/mnt/data/hinata/data/bulma`).
truelayer_credentials.json (client id/secret) stays on the Mac at ~/Sandpit/hinata/data/bulma/ — the next reauth needs it.
Verify
```bash
ssh hinata-z2 "pct exec 109 -- tail -15 /root/data/bulma/poll-truelayer.log" | sed -E 's/[A-Za-z0-9+\/=_.-]{24,}/[MASKED]/g'
```

Expect `refresh ok`, transaction totals, credit-accounts.json updated, done — no `invalid_grant`.
Flags
| Flag | Use |
|---|---|
| `--force` | Skip guard when a broken token file exists |
| `--no-itachi-sync` | Always — post-CT109 the sync targets are gone |
| `--port 8766 --redirect-uri http://localhost:8766/truelayer/callback` | Override callback port if 5001 is in use |
Related: how-to_monzo-reauth · credential-model · approved-ip-addresses