paprika-api.md

Paprika doesn't have their API documented, so this is me reverse-engineering it from an Android device

Live Demo

https://knowing-grain.glitch.me/

Code: https://glitch.com/edit/#!/knowing-grain

Sync

HTTP BASIC auth (emoji shrug), and send a GET to:

• https://www.paprikaapp.com/api/v1/sync/bookmarks/
• https://www.paprikaapp.com/api/v1/sync/groceries/
• https://www.paprikaapp.com/api/v1/sync/categories/
• https://www.paprikaapp.com/api/v1/sync/recipes/
• https://www.paprikaapp.com/api/v1/sync/meals/

Syncing a particular recipe:

• https://www.paprikaapp.com/api/v1/sync/recipe/32a1b284-238b-45e9-9cdd-6ec2c91c8bf2/

API uses BASIC auth; whatever your cloud sync is.

Services do not have CORS headers, so you can't invoke them directly from a browser :(

Saving/Updating a recipe

Send a POST to: https://www.paprikaapp.com/api/v1/sync/recipe/{uid-of-recipe}/

With your recipe in a multipart/form-data, in the data param. Example:

{
  "uid": "ccb42915-5fe9-425d-98da-c1ffbe420159",
  "name": "Test",
  "directions": "Do",
  "servings": "",
  "rating": 0,
  "difficulty": "Easy",
  "ingredients": "Ddddjdjdd\nDjdjdjdd\nDjdhdhdhdndnee ",
  "notes": "",
  "created": "2018-03-26 09:00:02",
  "image_url": null,
  "on_favorites": 0,
  "cook_time": "",
  "prep_time": "",
  "source": "",
  "source_url": "",
  "photo_hash": null,
  "photo": null,
  "nutritional_info": "",
  "scale": null,
  "deleted": false,
  "categories": [
    "cbaca738-cdfb-4150-960d-e1b1ac4cdcc3"
  ],
  "hash": "162e5ad0134e9398b98057aea951304780d0396582238320c28b34a7c35f841e"
}

The data param should be gzip-encoded

"Save Recipe" function

Still figuring this out 🤷‍♂️

Appears to be a POST to https://www.paprikaapp.com/api/v1/sync/recipes/, no auth

Sends a multipart/form-data with three fields:

• url: text/plain (e.g. https://www.kingarthurflour.com/recipes/homemade-whole-grain-pancake-mix-recipe)
• styles: file (filename styles.json) - gzippeed JSON of all the styles on the page?
• html: file (filename recipe.html) - gzipped HTML from the page

Returns a text-plain (actually JSON) with a structure like:

{
    "result": {
        "cook_time": "4 mins. to 8 mins.",
        "difficulty": "",
        "directions": "To make the mix: Grind the oats in a food processor until they're chopped fine, but not a
powder.\n\nPut the flour, oats, and all other dry ingredients into a mixer with a paddle. Mix on slow speed, and
drizzle the vegetable oil into the bowl slowly while the mixer is running.\n\nStore in an airtight container for up
to two weeks at room temperature, or indefinitely in the refrigerator or freezer.\n\nTo make pancakes: Whisk
together 1 cup of mix, 1 cup of buttermilk (or a combination of half plain yogurt and half milk; or 3/4 cup liquid
whey), and 1 large egg. Don't worry if it seems thin at first: the oats will soak up the milk, and the mix will
thicken a bit as it stands.\n\nLet the batter stand for at least 20 minutes before cooking.\n\nHeat a lightly
greased griddle to 350°F (if you've got a griddle with a temperature setting; if not, medium-hot will do).\n\nDrop
the batter onto it in 1/4-cupfuls (a jumbo cookie scoop works well here) to make a 4\" diameter pancake. If you
have English muffin rings, use them; they make a perfectly round, evenly thick pancake.\n\nWhen the edges look dry
and bubbles come to the surface without breaking (after about 2 minutes, if your griddle is the correct
temperature), turn the pancake over to finish cooking on the second side, which will take about 2 minutes.\n\nServe
pancakes immediately, or stack and hold in a warm oven.\n\nYield: a batch using 1 cup of the mix will make about 5
to 8 pancakes, depending on size.",
        "image_url": "",
        "ingredients": "MIX\n4 cups King Arthur White Whole Wheat Flour or Organic White Whole Wheat Flour\n1 cup
King Arthur Unbleached All-Purpose Flour or Organic All-Purpose Flour\n3 1/2 cups old-fashioned or rolled oats\n3
tablespoons sugar\n3 tablespoons baking powder\n1 tablespoon salt\n1 tablespoon baking soda\n1 cup vegetable
oil\nPANCAKES\n1 cup homemade mix\n1 cup buttermilk, nut milk, or a combination of plain yogurt and milk; or 3/4
cup liquid whey\n1 large egg",
        "name": "Homemade Whole-Grain Pancake Mix",
        "notes": "",
        "nutritional_info": "Calories: 110\nTotal Carbohydrates: 12g\nCholesterol: 30mg\nTotal Fat: 5g\nDietary
fiber: 3g\nProtein: 4g\nSaturated fat: 1g\nAmount Per: 1 pancake (56g)\nSodium: 260mg\nSugar: 3g\nTrans Fat: 0g",
        "prep_time": "20 mins.",
        "servings": "10 cups dry mix",
        "total_time": ""
    }
}

You can then convert it to a recipe by making a UID and POSTing it to the URLs above

No, because those are two separate problems. First you have to take a webpage and parse it to extract the recipe data. And then you have to push that to Paprika.

and the problem is that while some websites have structured data to make it easier for recipe tools to understand them, many do not.

and you don’t necessarily want to push that data into your Paprika without checking it first.

but tools do exist. Like this one: https://schollz.com/blog/ingredients/

you’ll just have to take the output of that and pass it to The paprika API. but I would not expect that to work particularly well. These guys do the same thing, but it only works on webpages they have previously prepared it to work with: https://github.com/hhursev/recipe-scrapers

Sure that's 2 separate problems but it's also something that paprika can already do, both in the app and with the bookmarklet. I've sent dozens of recipes to paprika, many from obscure websites, and it's never had any trouble picking out the recipe on its own with minimal to no effort from me. If this is not something that the Paprika API exposes that's fine but the way I read the writeup above it seems as though it is exposed. Ideally one would

1. Grab a webpage's HTML (I took a look at the bookmarklet code which is similar and all it does is grab everything under the pages' <HTML> )
2. Grab a webpage's CSS
3. POST both along with the URL to the paprika /recipes endpoint
4. The API returns structured JSON which could then be sent back to Paprika with a UID or used wherever

Right, it’s just usually requires user intervention to make sure that the website was parsed correctly. The two tools that I sent you should be able to do that.

…

On Mon, Oct 4 2021 at 12:18 PM, Matt Vogel < ***@***.*** > wrote: ***@***.**** commented on this gist. Sure that's 2 separate problems but it's also something that paprika can already do , both in the app and with the bookmarklet ( https://www.paprikaapp.com/bookmarklet/ ). I've sent dozens of recipes to paprika, many from obscure websites, and it's never had any trouble picking out the recipe on its own with minimal to no effort from me. If this is not something that the Paprika API exposes that's fine but the way I read the writeup above it seems as though it is exposed. Ideally one would * Grab a webpage's HTML (I took a look at the bookmarklet code which is similar and all it does is grab everything under the pages' <HTML> ) * Grab a webpage's CSS * POST both along with the URL to the paprika /recipes endpoint * The API returns structured JSON which could then be sent back to Paprika with a UID or used wherever — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub ( https://gist.github.com/7386ec363badfdeaad05a418b9a1f30a#gistcomment-3916243 ) , or unsubscribe ( https://github.com/notifications/unsubscribe-auth/AAFKE7I4V6QBB5DM6OXO7V3UFH4Y5ANCNFSM4JXOM3WA ).

Does anyone use the pantry feature of the app? I was hoping to find an API for it - I want to script Paprika to import pantry data from an app like PantryCheck. It would be so much easier to manage determining what I need to purchase vs what I have on hand

@SlowSpeedChase , read the above post on how to add/update/delete the categories. Modifying the pantry is the same as modifying a category, but you need to POST it to the /api/v2/sync/pantry endpoint, following the pantry schema.

As with categories, you need to generate a unique uid value. The only required fields are uid, ingredient, and aisle. Here's the schema:

[{
"uid": "8978d315-e574-4e81-8ded-4da9b9d42927",
"ingredient": "onion powder",
"aisle": "Spices and Seasonings",
"expiration_date": null,
"has_expiration": false,
"in_stock": false,
"purchase_date": null,
"quantity": null,
"aisle_uid": null
}]

@SlowSpeedChase, were you able to figure out how to script the Paprika pantry data? If so, would you mind sharing your method?

took some digging around but here's how you can add/update grocery list items. i would imagine that pantry items work the same way, but haven't tried it.

i've successfully got this all working inside my custom google home action inside a google cloud webhook "hey google, ask paprika to add 5 eggs to grocery list"

GET grocerylists

var request = require('request');
var options = {
  'method': 'GET',
  'url': 'https://www.paprikaapp.com/api/v2/sync/grocerylists/',
  'headers': {
    'Authorization': 'Bearer YOUR_TOKEN'
  }
};
request(options, function (error, response) {
  if (error) throw new Error(error);
  console.log(response.body);
});

{
    "result": [
        {
            "uid": "XXX",
            "name": "Publix",
            "order_flag": 4,
            "is_default": false,
            "reminders_list": "Publix"
        },
        {
            "uid": "XXX",
            "name": "Costco",
            "order_flag": 3,
            "is_default": false,
            "reminders_list": "Costco"
        },
        {
            "uid": "XXX",
            "name": "My Grocery List",
            "order_flag": 0,
            "is_default": true,
            "reminders_list": "Paprika"
        }
    ]
}

GET groceries. checked items are "purchased": true

var request = require('request');
var options = {
  'method': 'GET',
  'url': 'https://www.paprikaapp.com/api/v2/sync/groceries',
  'headers': {
    'Authorization': 'Bearer YOUR_TOKEN'
  }
};
request(options, function (error, response) {
  if (error) throw new Error(error);
  console.log(response.body);
});

{
    "result": [
        {
            "uid": "XXXX",
            "recipe_uid": null,
            "name": "popsicles",
            "order_flag": 316,
            "purchased": true,
            "aisle": "Miscellaneous",
            "ingredient": "popsicles",
            "recipe": null,
            "instruction": "",
            "quantity": "10",
            "separate": false,
            "aisle_uid": "XXXX",
            "list_uid": "XXXX"
        }
   ]
}

POST a new grocery list item. must be gzipped array of new grocery list items into the data form. can add as many as you like. specifying an existing uid will update it

const zlib = require('zlib');
const fs = require('fs');
var axios = require('axios');
var FormData = require('form-data');
const os = require('os');

var jsonData = [{
    uid: 'XXXX', // create a new guid for each new item
    name: 'popsicles',
    ingredient: 'popsicles',
    quantity: '10',
    recipe_uid: null,
    order_flag: 316,
    purchased: false,
    aisle: 'Miscellaneous',
    recipe: null,
    instruction: '',
    separate: false,
    aisle_uid: 'XXXX',
    list_uid: 'XXXX'
}];

var reqData = JSON.stringify(jsonData);
var buffer = zlib.gzipSync(Buffer.from(reqData.toString("utf-8")));
const tmpFile = os.tmpdir() + "/tmp.json.gz";
fs.writeFileSync(tmpFile, buffer);

var formData = new FormData();
formData.append('data', fs.createReadStream(tmpFile));
const headers = Object.assign({
    'Authorization': 'Bearer YOUR_TOKEN'
}, formData.getHeaders());

var config = {
  method: 'post',
  url: 'https://www.paprikaapp.com/api/v2/sync/groceries',
  headers: headers,
  data: formData
};

var result = false;
let response = await axios(config);
if (response.status == 200) {
  console.log(response.data); // { result: true } if the request is successful
  result = response.data.result !== undefined && response.data.result == true;
} else {
  console.error(response);
}

I was hoping I could use the API to randomly populate the meal plan with one meal per day, one week at a time. Does anyone have an example of adding recipes to the meal plan using the API?

is it possible to save a new recipe using the v1 sync/recipe api?

I'm having a little trouble following how to save a new recipe through the POST.

@mattdsteele, thank you,

@kgmorales It's been a while since I've tried saving data, but yes, you should be able to save a new recipe. You'll have to generate a new UUID yourself. See https://gist.github.com/mattdsteele/7386ec363badfdeaad05a418b9a1f30a?permalink_comment_id=3916047#gistcomment-3916047 for a link to some example Python code.

I'm still having trouble uploading a picture to a recipe, If I post to /api/v2/sync/photo/{a new uud} I get:
{'error': {'code': 0, 'message': 'Photo not found during photo upload.'}}

And if I post to /api/v2/sync/recipe/{recipe.uid} with the photo_upload argument I get
{'error': {'code': 0, 'message': 'Invalid photo filename.'}}

How can photos be uploaded to a recipe?

I'm still having trouble uploading a picture to a recipe, If I post to /api/v2/sync/photo/{a new uud} I get: {'error': {'code': 0, 'message': 'Photo not found during photo upload.'}}

And if I post to /api/v2/sync/recipe/{recipe.uid} with the photo_upload argument I get {'error': {'code': 0, 'message': 'Invalid photo filename.'}}

How can photos be uploaded to a recipe?

Hello,
Here's the code I use for the upload (my photos are local, so I can't use requests to get the image content)

@dataclass
class RecipePhoto():
	uid: str = field(default_factory=lambda: str(uuid.uuid4()).upper())
	filename: str = ""
	name: str = ""
	order_flag: int = 1
	recipe_uid: str = ""
	hash: str = field(
		default_factory=lambda: hashlib.sha256(
			str(uuid.uuid4()).encode("utf-8")
		).hexdigest()
	)
	photo_url: Optional[str] = None
	deleted: bool = False

	def _request(self, method, path, token_r, authenticated=True, **kwargs):
		if authenticated:
			kwargs.setdefault("headers", {})[
				"Authorization"
			] = f"Bearer {token_r}"
		result = requests.request(method, path, **kwargs)
		result.raise_for_status()

		if "error" in result.json():
			raise RequestError()

		return result

	def as_gzip(self) -> bytes:
		return gzip.compress(self.as_json().encode("utf-8"))

	def as_json(self):
		return json.dumps(self.as_dict())

	def as_dict(self):
		return asdict(self)

	def calculate_hash(self) -> str:
		fields = self.as_dict()
		fields.pop("hash", None)

		return hashlib.sha256(
			json.dumps(fields, sort_keys=True).encode("utf-8")
		).hexdigest()

	def update_hash(self):
		self.hash = self.calculate_hash()

	def upload_photo(self, token):
		self.update_hash()
		files = {'data': self.as_gzip()}
		photo_data = self.get_photo_data()
		if self.photo_url :
			files['photo_upload'] = (self.filename, open(self.photo_url, 'rb'))
		self._request(
			"post",
			SYNC_PHOTO_URL(self.uid),
			token,
			files=files,
		)
		return self.uid

Then the call to the upload. RecipePhoto is a class with API fields for photos.

		Photo = RecipePhoto(
			filename = <the name of your photo file>,
			order_flag = 0, (Not sure how this is used)
			name = <the name of your photo>,
			recipe_uid = <the UID of the RECIPE you want to link the photo to>,
			photo_url = <LOCAL PATH TO THE PHOTO>,
			)

		Photo_UId = Photo.upload_photo(<your auth token>)

With this, I add the photo right after I created my recipe, and it shows when I display the photos of the recipe. It does not show in the recipe list, as the thumbnail is not set. I'm struggling on that part.

EDIT:
For the thumbnail, once you have uploaded your recipe and your photo, update the Recipe with photo_large (I use a description of the photo) and photo_url to the local url to your image

	Recipe.photo_large = <description>
	Recipe.photo_url = <path to the file>

Then update the recipe and attach the photo with a hah:

	def upload_recipe(self, token):

		files: Dict = {}

		if self.photo_url :
			self.photo = generate_uuid() + "." + self.photo_url.split(".")[-1]
			self.photo_hash = self.calculate_hash()
			files['photo_upload'] = (self.photo_url.split("/")[-1], open(self.photo_url, 'rb'))

		print(self)

		self.update_hash()

		files['data'] = self.as_gzip()


		self._request(
			"post",
			SYNC_RECIPE_URL(self.uid),
			token,
			files=files,
		)

		return self.uid


	Recipe_Definition["Recipe_Paprika_Uid"] = Recipe.upload_recipe(PAPRIKA_TOKEN)

For anyone struggling w login, here is an example curl.

curl -X POST https://paprikaapp.com/api/v2/account/login -d 'email=ENTER_EMAIL&password=ENTER_PASSWORD

You'll get an auth token in response. You can use that for future requests. Not sure on TTL.

Unfortunately, think that Paprika is catching onto this and doing some sort of IP bans/rate limiting now. I'm calling these endpoints from a Next.js server, nothing crazy, just getting an auth token + using it to grab recipes/categories, and once I make a request, about a minute later all requests to paprikaapp.com from my IP get blocked, and then I am able to reach the domain again after a couple minutes or so.

Unfortunately, think that Paprika is catching onto this and doing some sort of IP bans/rate limiting now. I'm calling these endpoints from a Next.js server, nothing crazy, just getting an auth token + using it to grab recipes/categories, and once I make a request, about a minute later all requests to paprikaapp.com from my IP get blocked, and then I am able to reach the domain again after a couple minutes or so.

From the same IP? Is the Token Invalidated?

Unfortunately, think that Paprika is catching onto this and doing some sort of IP bans/rate limiting now. I'm calling these endpoints from a Next.js server, nothing crazy, just getting an auth token + using it to grab recipes/categories, and once I make a request, about a minute later all requests to paprikaapp.com from my IP get blocked, and then I am able to reach the domain again after a couple minutes or so.

From the same IP? Is the Token Invalidated?

Don’t think it has anything to do with the token, because then I would be getting a 4xx of some sort. I just get completely blocked from the paprikaapp.com domain from my IP, I.e. if I try even going to paprikaapp.com on my laptop or phone from my personal network after firing a bunch of requests I get a connection time out (no 4xx or anything)

My solution for this currently is that I just cache any data that I am fetching from the API in S3 and if I get rate limited I pull the data (recipe JSON, images) from there as im just displaying the recipes on my site so I don’t need the latest data every time

Unfortunately, think that Paprika is catching onto this and doing some sort of IP bans/rate limiting now. I'm calling these endpoints from a Next.js server, nothing crazy, just getting an auth token + using it to grab recipes/categories, and once I make a request, about a minute later all requests to paprikaapp.com from my IP get blocked, and then I am able to reach the domain again after a couple minutes or so.

I'm not seeing a similar limitation here. I uploaded hundreds of recipes in batches this week-end without being blocked. Now my rate is nothing great, as I fetch information locally using py, then upload. How many connections / second do you reach when being blocked ?

@anthonydibi how often and how much were you using the API? You say you're pulling and displaying recipes on your site was that just pulling from the API when building your website or on page load/visit? Were you pulling your whole library or individual recipes & images one by one?

@anthonydibi how often and how much were you using the API? You say you're pulling and displaying recipes on your site was that just pulling from the API when building your website or on page load/visit? Were you pulling your whole library or individual recipes & images one by one?

I saw this both while building the site (i.e. hot reloading and calling the API a ton, and when the site is deployed. for the recipe page on my site I pull my entire library every time (to display images, recipe names, etc. all on one page) which is about 40 recipes so ~43? api calls per page load to get recipes + categories + individual recipes.

How many connections / second do you reach when being blocked ?

When developing locally, I would say I make about ~300 connections per minute. While deployed, my site only pulls my recipes every hour since I use static generation and only regenerate my recipes page every hour which is when the recipes will be pulled so ~40 per hour. Even when I was deployed, kept getting rate limited after a single regeneration. I put in some logging to verify that I wasn't making extra calls.

@anthonydibi Well there you go, that's pretty abusive of the API and I guarantee why you're being blocked. For context the official paprika app makes 2-4 API calls when loading and browsing with less than 1mb of data and 500 recipes.
You're doing around 150x the calls on build and then ~20x every hour continuously as well as a massive amount on page load. A single person browsing your site could visit the recipes page 3-4 a visit making well over 100 calls to the API, no clue how many visitors you have.

If paprika has started doing IP bans and rate limiting it's exactly because of abuse like this.

Regenerating every hour is beyond excessive, how many recipe changes are you making?? Even one a day feels like a lot. Do some reverse engineering of how the paprika app synced, haven't looked in a while but off the top of my head they do a small call to check if there are any changes in the db and then selectively pull in those changes.
That being said if you must reload that often you really should rely on your own cached data like how the official app does

@anthonydibi Well there you go, that's pretty abusive of the API and I guarantee why you're being blocked. For context the official paprika app makes 2-4 API calls when loading and browsing with less than 1mb of data and 500 recipes. You're doing around 150x the calls on build and then ~20x every hour continuously as well as a massive amount on page load. A single person browsing your site could visit the recipes page 3-4 a visit making well over 100 calls to the API, no clue how many visitors you have.

If paprika has started doing IP bans and rate limiting it's exactly because of abuse like this.

Regenerating every hour is beyond excessive, how many recipe changes are you making?? Even one a day feels like a lot. Do some reverse engineering of how the paprika app synced, haven't looked in a while but off the top of my head they do a small call to check if there are any changes in the db and then selectively pull in those changes. That being said if you must reload that often you really should rely on your own cached data like the how the official app does

I don't have a setup for intercepting network calls from my iOS device unfortunately otherwise I would be curious to see how the fetching is setup on the iOS app as far as determining exactly which recipes have changed. I don't disagree that fetching on every page generation is excessive and at some point I'll probably leverage the /sync/status endpoint to store a counter in S3 and use that to determine whether any recipe changes have been made but right now I'm just playing around.

@anthonydibi Definitely don't want to discourage playing around, hacking together stuff around the web is super important and I've definitely considered integrating paprika into my website as well. All I'm saying is mindful of the services you're using. An IP ban from a small app like paprika (with free sync which is rare in 2024!) isn't just some artificial machine barrier it's another person trying to tell you something about your usage of their system.

@anthonydibi Definitely don't want to discourage playing around, hacking together stuff around the web is super important and I've definitely considered integrating paprika into my website as well. All I'm saying is mindful of the services you're using. An IP ban from a small app like paprika (with free sync which is rare in 2024!) isn't just some artificial machine barrier it's another person trying to tell you something about your usage of their system.

Totally fair, I think it's good that they have a rate limit set up so that stupid web developers like me can't accidentally bring down the entire service 🤣 but yeah my goal is to eventually mimic the call patterns of the app so that ideally the recipes are always up-to-date on my site but only pull new data when needed

@anthonydibi Did you get any errors when you were rate limited? I've just tried to authenticate with the curl example above and I'm now getting an 'Unrecognized client' error back. Wasn't doing this a couple of days ago for me so maybe they've now implemented a device check or something.

@anthonydibi Did you get any errors when you were rate limited? I've just tried to authenticate with the curl example above and I'm now getting an 'Unrecognized client' error back. Wasn't doing this a couple of days ago for me so maybe they've now implemented a device check or something.

Nope I would just not be able to connect to the server. I’m seeing the same unrecognized client error now so they must be doing some sort of user agent check.

@anthonydibi Did you get any errors when you were rate limited? I've just tried to authenticate with the curl example above and I'm now getting an 'Unrecognized client' error back. Wasn't doing this a couple of days ago for me so maybe they've now implemented a device check or something.

Nope I would just not be able to connect to the server. I’m seeing the same unrecognized client error now so they must be doing some sort of user agent check.

I now am getting the same reply. I have a script that would check for updates in a DB and upload to Paprika. I ran it once tonight, and it was successful. I ran it a second time, and got the "Unrecognized client" error.
However, my postman sessions (postman.com) were still able to download recipes, with V1 or V2. I copied the V2 token I use in Postman to my script, instead of requesting a token by accessing V2/account/login, and the script runs fine.
So there seems to be something different in the way that the API handles V2 authentication and returning a token (I'm using python requests, but adding User-Agent didn't make any difference).
I'll dig into this in the following weeks.

@anthonydibi Did you get any errors when you were rate limited? I've just tried to authenticate with the curl example above and I'm now getting an 'Unrecognized client' error back. Wasn't doing this a couple of days ago for me so maybe they've now implemented a device check or something.

Nope I would just not be able to connect to the server. I’m seeing the same unrecognized client error now so they must be doing some sort of user agent check.

I now am getting the same reply. I have a script that would check for updates in a DB and upload to Paprika. I ran it once tonight, and it was successful. I ran it a second time, and got the "Unrecognized client" error. However, my postman sessions (postman.com) were still able to download recipes, with V1 or V2. I copied the V2 token I use in Postman to my script, instead of requesting a token by accessing V2/account/login, and the script runs fine. So there seems to be something different in the way that the API handles V2 authentication and returning a token (I'm using python requests, but adding User-Agent didn't make any difference). I'll dig into this in the following weeks.

Gotcha so the auth endpoint must be gated by some sort of device check but authenticated endpoints do not have the same device check. That makes sense, there must be some device registration process then. I need to set up a process for intercepting requests from my iOS device as I’m itching to figure out what the new system is

Whatever changed the last (android) app update was in July so the app must have already been complying and now the API is just more strict

@anthonydibi Did you get any errors when you were rate limited? I've just tried to authenticate with the curl example above and I'm now getting an 'Unrecognized client' error back. Wasn't doing this a couple of days ago for me so maybe they've now implemented a device check or something.

Nope I would just not be able to connect to the server. I’m seeing the same unrecognized client error now so they must be doing some sort of user agent check.

I now am getting the same reply. I have a script that would check for updates in a DB and upload to Paprika. I ran it once tonight, and it was successful. I ran it a second time, and got the "Unrecognized client" error. However, my postman sessions (postman.com) were still able to download recipes, with V1 or V2. I copied the V2 token I use in Postman to my script, instead of requesting a token by accessing V2/account/login, and the script runs fine. So there seems to be something different in the way that the API handles V2 authentication and returning a token (I'm using python requests, but adding User-Agent didn't make any difference). I'll dig into this in the following weeks.

Gotcha so the auth endpoint must be gated by some sort of device check but authenticated endpoints do not have the same device check. That makes sense, there must be some device registration process then. I need to set up a process for intercepting requests from my iOS device as I’m itching to figure out what the new system is

If you want to intercept requests, I use Charles Proxy (https://www.charlesproxy.com - 30 days free trial).
I understand why my script worked once, then not anymore. It is based on V1 of Paprika API, except for one function, that fetches / creates categories. That only works with V2. So as I didn't need to create a category, my first run worked. The second attempt required category updates, and failed.
With this in mind, either I comment out the category function calls and stay with V1, or I use the existing V2 token as static, not requesting a new one when my script runs.
Hope this helps on the "Unrecognized client". It won't help on the rate limit.

@anthonydibi Did you get any errors when you were rate limited? I've just tried to authenticate with the curl example above and I'm now getting an 'Unrecognized client' error back. Wasn't doing this a couple of days ago for me so maybe they've now implemented a device check or something.

Nope I would just not be able to connect to the server. I’m seeing the same unrecognized client error now so they must be doing some sort of user agent check.

I now am getting the same reply. I have a script that would check for updates in a DB and upload to Paprika. I ran it once tonight, and it was successful. I ran it a second time, and got the "Unrecognized client" error. However, my postman sessions (postman.com) were still able to download recipes, with V1 or V2. I copied the V2 token I use in Postman to my script, instead of requesting a token by accessing V2/account/login, and the script runs fine. So there seems to be something different in the way that the API handles V2 authentication and returning a token (I'm using python requests, but adding User-Agent didn't make any difference). I'll dig into this in the following weeks.

Gotcha so the auth endpoint must be gated by some sort of device check but authenticated endpoints do not have the same device check. That makes sense, there must be some device registration process then. I need to set up a process for intercepting requests from my iOS device as I’m itching to figure out what the new system is

If you want to intercept requests, I use Charles Proxy (https://www.charlesproxy.com - 30 days free trial). I understand why my script worked once, then not anymore. It is based on V1 of Paprika API, except for one function, that fetches / creates categories. That only works with V2. So as I didn't need to create a category, my first run worked. The second attempt required category updates, and failed. With this in mind, either I comment out the category function calls and stay with V1, or I use the existing V2 token as static, not requesting a new one when my script runs. Hope this helps on the "Unrecognized client". It won't help on the rate limit.

Have you tried just using a v1 token for v2 API calls? That worked for me (but I don't use any v2-specific endpoints so idk if those will require a v2 token, v2 endpoints may just redirect to v1)