Invalid Authentication when trying to add Blink integration in Home Assistant

[silverStSt]

Describe the bug
The authentication process works correctly step by step; it asks for the 2FA SMS code, which arrives on my phone correctly, but then it fails to verify the code. It seems that the session cookies are lost between authentication and 2FA verification.

To Reproduce
Steps to reproduce the behavior:

1. Install Blink complement
2. Login Blink account
3. Use sms code to 2fa

Expected behavior
A clear and concise description of what you expected to happen.

Home Assistant version (if applicable):
HA 2026.4.1 Core

blinkpy version (not needed if filling out Home Assistant version):
0.25.2

Log Output/Additional Information
It seems that session cookies are being lost when sending the 2FA code. I'm using Blink in the EU and my Blink account isn't linked to my Amazon account. I've tried deleting the integration and reinstalling it, restarting in between. This has been happening since at least October 2025, or even earlier. I've tried updating to different versions of Home Assistant. I use both the computer and the mobile app.

I've included messages in the blinkpy code, in auth.py, to analyze the authentication request and response, and this is the result.

2026-04-12 10:56:58.896 DEBUG (MainThread) [blinkpy.auth] Attempting OAuth v2 login flow
2026-04-12 10:57:00.258 INFO (MainThread) [blinkpy.auth] Two-factor authentication required.
2026-04-12 10:57:10.220 WARNING (MainThread) [blinkpy.api] ==== BLINK REQUEST ====
2026-04-12 10:57:10.221 WARNING (MainThread) [blinkpy.api] URL: 'https://api.oauth.blink.com/oauth/v2/2fa/verify'
2026-04-12 10:57:10.222 WARNING (MainThread) [blinkpy.api] HEADERS: {'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.1 Mobile/15E148 Safari/604.1', 'Accept': '*/*', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'https://api.oauth.blink.com', 'Referer': 'https://api.oauth.blink.com/oauth/v2/signin'}
2026-04-12 10:57:10.222 WARNING (MainThread) [blinkpy.api] DATA (raw): {'2fa_code': '******', 'csrf-token': 'Kyyu+ksJS5XilceAZPXOg*************************************************MpPNw1+Dy0U5wFahpWEBrw==', 'remember_me': 'false'}
2026-04-12 10:57:10.223 WARNING (MainThread) [blinkpy.api] DATA (encoded): '2fa_code=******&csrf-token=Kyyu%2BksJS5XilceAZPXOg**********************************MpPNw1%2BDy0U5wFahpWEBrw%3D%3D&remember_me=false'
2026-04-12 10:57:10.374 WARNING (MainThread) [blinkpy.api] ==== BLINK RESPONSE ====
2026-04-12 10:57:10.375 WARNING (MainThread) [blinkpy.api] STATUS: 400
2026-04-12 10:57:10.376 WARNING (MainThread) [blinkpy.api] BODY: '{"error":"bad_request","error_cause":"empty_cookies","error_description":"Empty Cookies."}'
2026-04-12 10:57:10.376 ERROR (MainThread) [blinkpy.auth] 2FA verification failed
2026-04-12 10:57:10.377 ERROR (MainThread) [blinkpy.blinkpy] OAuth v2 2FA completion failed.
2026-04-12 10:57:10.396 DEBUG (MainThread) [blinkpy.auth] Attempting OAuth v2 login flow
2026-04-12 10:57:11.550 INFO (MainThread) [blinkpy.auth] Two-factor authentication required.
2026-04-12 10:57:11.555 WARNING (MainThread) [homeassistant.config_entries] Config entry 'blink' for blink integration could not authenticate: Required Blink re-authentication

Modify code por log:

async def oauth_verify_2fa(auth, csrf_token, twofa_code):
"""
Step 3b: Verify 2FA code.

Args:
auth: Auth instance
csrf_token: CSRF token
twofa_code: 2FA code from user

Returns:
bool: True if verification successful

"""
headers = {
"User-Agent": OAUTH_USER_AGENT,
"Accept": "/",
"Content-Type": "application/x-www-form-urlencoded",
"Origin": "https://api.oauth.blink.com",
"Referer": OAUTH_SIGNIN_URL,
}

data = {
"2fa_code": twofa_code,
"csrf-token": csrf_token,
"remember_me": "false",
}

_LOGGER.warning("==== BLINK REQUEST ====")
_LOGGER.warning("URL: %r", OAUTH_2FA_VERIFY_URL)
_LOGGER.warning("HEADERS: %r", headers)
_LOGGER.warning("DATA (raw): %r", data)
_LOGGER.warning("DATA (encoded): %r", urlencode(data))

response = await auth.session.post(OAUTH_2FA_VERIFY_URL, headers=headers, data=data)
text = await response.text()
_LOGGER.warning("==== BLINK RESPONSE ====")
_LOGGER.warning("STATUS: %r", response.status)

[silverStSt]

I've managed to get the integration working. It's a problem with how cookies are managed in Home Assistant; they get lost during authentication and two-factor authentication. To prevent this, I've implemented a workaround. When I authenticate, I manually store the cookies. In async def oauth_signin(auth, email, password, csrf_token) I added:

if response.status == 412:
    _LOGGER.warning("CRITICAL CAPTURE: Extracting cookies from the session JAR")
    auth._manual_cookie_store = {
        cookie.key: cookie.value
        for cookie in auth.session.cookie_jar
    }
    _LOGGER.warning("KNAPSACK CREATED: %r", list(auth._manual_cookie_store.keys()))
    return "2FA_REQUIRED"

Then I manually build them in async: def oauth verify 2fa(auth, csrf token, twofa_code):

manual_cookies = {}
if hasattr(auth, '_manual_cookie_store'):
    manual_cookies = auth._manual_cookie_store
    _LOGGER.warning("INJECTING INTO 2FA: %d cookies", len(manual_cookies))
    _LOGGER.warning("Synchronizing the session CookieJar with the backpack...")
    auth.session.cookie_jar.update_cookies(auth._manual_cookie_store)
    # NOTE: If the Jar is stubborn and deletes them due to the 'Secure' flag,
    # we force insecure mode once again right here
    auth.session.cookie_jar._unsafe = True

And I force them to be used in the request:
response = await auth.session.post(OAUTH_2FA_VERIFY_URL, headers=headers, data=data, cookies=manual_cookies)

Actually, we should do some more testing to see if this alone is enough:

if hasattr(auth, '_manual_cookie_store'):
    auth.session.cookie_jar.update_cookies(auth._manual_cookie_store)
    # NOTE: If the JAR file is stubborn and deletes them due to the 'Secure' flag,
    # we force insecure mode once more right here
    auth.session.cookie_jar._unsafe = True

This is sufficient to avoid having to manually set the cookies when sending the 2FA SMS code.

[FxNion]

Hi,

I gave ma 50p and investigated this problem. I submitted two pull requests to both projects

Here is a gist for whose that can't wait validation flow from projects

https://gist.github.com/FxNion/1a86f8b23344869ede689f5266dd8659

PR have been opened on both projects.

Hope this helps, as it helped me to solve this 2 years old issue.

[knightwebdevelopmentservices-ops]

Fix available

I've opened PR #1229 which fixes the two bugs preventing OAuth v2 login with 2FA:

1. Cookie persistence — aiohttp's default CookieJar drops cookies across the OAuth flow, causing the empty_cookies error. Fixed by using CookieJar(unsafe=True).

2. HTTP 202 status — Some Blink regions return HTTP 202 (not 412) when 2FA is required. The current code only checks for 412.

I tested the fix end-to-end with a real Blink account (Australia region, SMS 2FA) — full auth flow works including 2FA verification and token exchange. All 18 OAuth tests pass.

Would appreciate a review when you get a chance!

[FxNion]

@knightwebdevelopmentservices-ops i already opened PRs for the solution i found and gave to the community. Not so fair to try to take the already done job for your account 😄

[knightwebdevelopmentservices-ops]

Ha! Hey @FxNion my Hermes agent is instructed to raise PRs for any issues it fixes. Whoops

[billettg]

Any fix for this soon considering anyone using Blink is now inoperable with HA??