Posted by: @derek-m

↑

Posted by: @mjr

↑

Posted by: @majordennisbloodnok

↑

The API already provides the functionality to set up new account

Only for partner organisations, who Octopus should be tracking more closely and have tighter contracts with.

At the moment, risk is low, but it may not always be so (it seems likely DD adjustments and credit balance refund requests could be added in future), so sharing API keys is a bad idea.

To the uninitiated, please explain API keys.

 

By all means.

In order to make data available to third parties, a company may well provide what is known as an API (Application Programming Interface). It's a rather specialised kind of web site where the person doing the querying uses an address ( https://something.com) that relates to the kind of data he or she is trying to access. As such, https://api.octopus.energy/v1/electricity-meter-points/ will give you electricity meter point information whereas https://api.octopus.energy/v1/products/ will give you data about Octopus' products or tariffs. What the query actually answers pack with is in a predefined format meaning the developer's application knows how to separate it all out into different bits of data that can be put into a database or otherwise used.

All this is really useful for exchanging data between systems without human intervention, but is generally important enough to lock down with some security. In the case of Octopus this is done less with a username and password and more with a key; a string of text only you and they know and which identifies you to them. As a result, if I wanted to examine my meter's consumption then I would need my mpan and Octopus account number to get the right data, but I'd also need to tell the API my key so it knows I'm authorised and allowed to query the data for that meter. If I tried to query my neighbour's meter, Octopus would tell me to go travel because my key doesn't allow me to query someone else's meter consumption and quite rightly so.

@mjr my Scottish government grant didn’t require a heat metre or room temp monitors and we get £9k rather than £5k. We do have monitors in the downstairs rooms in the form of the underfloor heating control panels. Upstairs now we just have the Hive control in the main hall. 

My 9 year old son just complained about the heating saying it’s now “too hot”. 😆

just because I’ve  been blasting the radiators to get the glycol through them and make sure they are all working I think. It’s 21 degrees upstairs just now and I do much prefer 19-20 but my wife prefers it hotter. Do heat pumps have a solution for that?!? 😆

think I’ll try 20.5!

Posted by: @majordennisbloodnok

↑

Posted by: @keefsloan

↑

I feel like I've finally been given official permission to now tell my friends about my tracking spreadsheets, constant tweaking of the WC curve, MELcloud, multiple room thermometers and the Octopus Compare app.

Sorry to be something of a curmudgeon but I've just looked at the Octopus Compare app and it worries me. In order to use it, you are asked for your Octopus API key and your account number, both of which are privileged information; Octopus even go so far as to state multiple times on various parts of their web site that you should never share your API key.

If someone offered a great financial app and asked you to "just" provide your bank account details and online banking username/password in order for the app to do its stuff, I like to hope your answer to them would be a "no" with an "off" in it. Nonetheless, that's exactly what the Octopus Compare app is asking for in relation to your Octopus account. I'm happy to admit the damage someone could do right now with that API access is markedly less than if they had access to your bank account but that may not always be so. The API already provides the functionality to set up new accounts, and Octopus won't let you know in advance if and when they add the functionality to query account details. Do you trust the developers of Octopus Compare with (potentially) visibility of your personal account details? Even now, are you happy they could query your meter's consumption history and build up a picture of when you're likely at home or away?

Realistically, the chances you're running a significant risk by using Octopus Compare are probably low. However, that is only a "probably" and even if it's correct then there's no guarantee it will stay a low risk. I would urge you to stop using the app, go to your Octopus account page and regenerate your API key.

 

Agreed - absolutely no way I'd give some random company the API key for my energy provider. Very suspicious!

Posted by: @marvinator80

↑

@mjr my Scottish government grant didn’t require a heat metre or room temp monitors and we get £9k rather than £5k. We do have monitors in the downstairs rooms in the form of the underfloor heating control panels. Upstairs now we just have the Hive control in the main hall. 

My 9 year old son just complained about the heating saying it’s now “too hot”. 😆

just because I’ve  been blasting the radiators to get the glycol through them and make sure they are all working I think. It’s 21 degrees upstairs just now and I do much prefer 19-20 but my wife prefers it hotter. Do heat pumps have a solution for that?!? 😆

think I’ll try 20.5!

You will need to play the 'Son' card, just tell your wife that her 'beloved' is too hot and she won't complain and soon get used to the lower temperature. 😀 

Unfortunately all our 'beloveds' have flown the nest, so now I have to convince my wife the her 'beloved' cat is complaining that it is too hot. 😋 

@derek-m yes, great idea. Her little Prince has been complaining, will try that one!

Posted by: @mjr

↑

Posted by: @majordennisbloodnok

↑

The API already provides the functionality to set up new account

Only for partner organisations, who Octopus should be tracking more closely and have tighter contracts with.

Agreed. My point is that the interface already interacts with account data, and Octopus won’t inform all customers of every slight change in functionality. I don’t say any API access is total access, but the extent it could be exploited if put in the wrong hands is not immediately apparent.

Posted by: @mjr

↑

At the moment, risk is low, but it may not always be so (it seems likely DD adjustments and credit balance refund requests could be added in future), so sharing API keys is a bad idea.

Thank you. I wasn’t aware of those plans but as you say that rather ups the ante if one’s personal key was made public.