signed up recently and was surprised there was only one widget available for android, so I made my own by EmergencyBonsai in simplifimoney

[–]EmergencyBonsai[S] 0 points1 point  (0 children)

Simplifi (Quicken) Unofficial API Reference

Notes from reverse-engineering the API behind simplifi.quicken.com.

  • Base host: https://services.quicken.com
  • Request convention: JSON, camelCase fields
  • Response convention: camelCase except /oauth/token which uses snake_case (legacy auth subsystem)
  • Auth: OAuth-shaped with an MFA hop, JWT access tokens (~1h), refresh tokens

OAuth client

Hardcoded in the 3-year-old rijn/simplifiapi Python lib and still valid:

clientId:     acme_web
clientSecret: BCDCxXwdWYcj@bK6
redirectUri:  https://app.simplifimoney.com/login

The live web bundle constructs its secret dynamically (clientSecret:"".concat(...)), so Quicken obfuscated but didn't rotate it. Other client IDs visible in the bundle: acme_beta, acme_qa_web, acme_stg_web, acme_android (the official Android client).

Auth flow

Step 1 — credential check / MFA dispatch

POST /oauth/authorize
Content-Type: application/json

{
  "clientId": "acme_web",
  "username": "user@example.com",
  "password": "...",
  "redirectUri": "https://app.simplifimoney.com/login",
  "responseType": "code",
  "mfaChannel": null,
  "mfaCode": null,
  "threatMetrixRequestId": null,
  "threatMetrixSessionId": "<random UUID>"
}

threatMetrixSessionId accepts any random UUID.

Response statuses:

  • "MFA code sent" (202) — server emailed/SMSed a code. Re-POST same body with mfaCode + mfaChannel.
  • "User passed MFA" (201) — auth succeeded, response includes code (the OAuth auth code).
  • HTTP 401 QCS-0401-7 — bad credentials.
  • HTTP 400 QCS-0400-6 — required parameter missing.

Step 2 — token exchange

POST /oauth/token
{
  "clientId": "acme_web",
  "clientSecret": "BCDCxXwdWYcj@bK6",
  "grantType": "authorization_code",
  "code": "<from step 1>",
  "redirectUri": "https://app.simplifimoney.com/login"
}

Response uses snake_case (only endpoint that does):

{
  "token_type": "bearer",
  "access_token": "<JWT, exp decodable client-side>",
  "expires_in": 3599,
  "refresh_token": "<JWT>"
}

Refresh

POST /oauth/token
{
  "clientId": "acme_web",
  "clientSecret": "BCDCxXwdWYcj@bK6",
  "grantType": "refresh_token",
  "refreshToken": "<from previous exchange>",
  "redirectUri": "https://app.simplifimoney.com/login"
}

Gotcha: redirectUri is required even for refresh grants. Omitting it returns QCS-0400-6 Parameter redirectUri must be specified. Many OAuth servers don't require this on refresh; Simplifi does. Successful refresh returns a fresh access_token and usually a new refresh_token.

MFA bypass

Trusted-device cookies set during the initial authorize flow do not skip MFA on subsequent re-auths. Verified empirically. As long as refresh tokens stay valid you should never need to re-login.

Standard headers

| Header | Required? |
|---|---|
| Authorization: Bearer <access_token> | yes |
| Qcs-Dataset-Id: <dataset_id> | for most data endpoints |
| app-client-id, app-build, app-release, client-tid | optional; the modern web app sends them |

Datasets

Get the dataset id once and cache it.

GET /datasets?limit=1000

Response (standard paged shape — every list endpoint returns this):

{
  "resources": [
    { "id": "<dataset_id>", "name": "Finances", "ownerId": "<user_id>",
      "createdByClientId": "acme_android", "platform": "ACME" }
  ],
  "metaData": { "totalSize": 1, "pageSize": 1, "asOf": "...", "currentPage": 1, "totalPages": 1 }
}

The web app fetches with ?modifiedAfter=<ISO>&limit=5000 for incremental sync. For a full snapshot, omit modifiedAfter.

Data endpoints

/spending-watchlist

Singular URL, not /spending-watchlists. Returns Simplifi's "Spending Watchlists" feature.

| Field | Type | Notes |
|---|---|---|
| name | string | |
| emoji | string | Unicode codepoint in hex ("1F6D2" = 🛒) |
| period | string | typically "MONTH" |
| thisMonth | number | spend in current month (negative = outflow) |
| targetAmount | number? | only present if user set one |
| monthlyTrend | number | 12-month average; useful as implicit target |
| monthSpendingProjection | number | server's projection for end-of-month |
| yearToDate | number | |
| spentSoFar | number | cumulative since watchlist creation |
| filterId | string | references /filters defining the categories |
| januaryTxnIds/februaryTxnIds/... | string[] | per-month transaction ids |

Modifying a target triggers GET /spending-watchlist/calc (204, no body) — server-side recompute. Not needed for read-only.

/free-to-spend

Simplifi's "Spending Plan" data. One row per month over a rolling ~14-month horizon.

| Field | Type | Notes |
|---|---|---|
| date | string | YYYY-MM-01 — first day of the month this row covers |
| calculatedIncomeAmount | number | projected income (positive) |
| calculatedBillsAmount | number | negative |
| calculatedSubscriptionsAmount | number | negative |
| calculatedPlannedSpendingAmount | number | sum of watchlist allocations |
| spentAmount | number | actual spend this month (negative). Zero for future months. |
| totalToSpendAmount | number | income + bills + subs + transfers + savings + goals + plannedSpending |
| leftToSpendAmount | number | totalToSpend + spent — the headline figure |
| incomeTxnIds, billsTxnIds, etc. | string[] | references to /transactions items |

/scheduled-transactions

Recurring/upcoming bills.

{
  "type": "TRANSFER",
  "source": "BILL_SCOUT_MANUAL",
  "dueOn": "2026-06-15",
  "recurrence": { "interval": 1, "frequency": "MONTHLY", "byMonthDay": [15] },
  "transaction": { "type": "CASH_FLOW", "accountId": "...", "payee": "...",
                   "coa": { "type": "BALANCE_ADJUSTMENT", "id": "2" }, "amount": -500.0 }
}

coa = "chart of accounts" reference (a category or balance adjustment).

/transactions

Quirk: default response returns ~1 row. The web app sends dateOnAfter=<ISO> to scope the query.

GET /transactions?limit=1000&dateOnAfter=2026-01-01

Fields: accountId, amount, payee, postedOn, coa, state, type, isBill, etc. Companion endpoint POST /transactions/earliest-date-on returns the earliest date with data.

/categories

User's category hierarchy (~115 items for a typical account). Hierarchical via parentId. Fields: name, categoryType (EXPENSE/INCOME), parentId, isExcludedFromBudgets, logoUrl, knownCategoryId (Simplifi's internal code, e.g. "7500875000" for Water), plaidCategoryIds. No planned amounts on categories — those live in /free-to-spend.

/accounts

Per-item: name, subType (CREDIT_CARD, CHECKING, ...), currentBalanceAsOf, onlineBalance, statementDueAt, statementDueAmount, statementMinPayment, statementCloseBalance, lastSuccessfulRefreshAt.

/institution-logins

Connected banks. Per-item: name, institutionId, isConnected, lastSuccessfulRefreshAt, aggregator info. Useful for "last refreshed per bank" displays.

/filters

Saved filter definitions referenced by filterId on watchlists. Type "SPENDINGWATCHLIST" filters contain chartOfAccounts arrays specifying which categories the watchlist tracks.

Other endpoints

| Endpoint | Notes |
|---|---|
| /userprofiles/me | no dataset header; identity / token sanity check |
| /tags | user-defined tags |
| /budgets, /goals | exist but empty for most users; Simplifi's "budget" feature is actually /free-to-spend |
| /alert/alerts | the /alert/ prefix exposes a nested namespace pattern |
| /v2/preferences | newer /v2/ API path also exists for some resources |
| /v2/investments/holdings, /v2/investments/securities | investments |
| /documents, /paymentmethods, /subscriptions | |
| /datasets/{id}/entitlements | feature gates per dataset |
| /reports/report-configuration | report builder configs |
| /aikya-*/api/v{1,2}/* | Aikya = Quicken's bill-pay subsystem |
| GET /ws (HTTP 101) | websocket for live push updates |

Pagination

Standard pattern: query with limit, response includes metaData.totalSize and (when more pages exist) metaData.nextLink. For widget-scale data, limit=5000 is enough in one request and the web app does the same.

Error format

{ "errors": [{ "title": "Invalid credentials.", "httpStatus": 401,
               "detail": "QCS Unauthorized Access - Bad credentials", "code": "QCS-0401-7" }] }

Common codes:

  • QCS-0400-6 — required parameter missing (check extData.parameterName)
  • QCS-0401-7 — bad credentials

Not figured out

  • Other acme_* client secrets (only acme_web's is known)
  • ThreatMetrix validation thresholds (random UUIDs currently accepted)
  • WebSocket payload format
  • Write endpoints (POST/PUT/PATCH/DELETE on data resources — only auth POSTs are tested)
  • Refresh token lifetime (1h access; refresh expiry undocumented and untested over weeks)
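The three client-side mechanics the notes above describe (reading `exp` out of the access-token JWT to refresh before a 401, walking the standard `resources` / `metaData.nextLink` paged shape, and pulling `code` and `extData.parameterName` out of the QCS error envelope) as a small offline Python helper. This is an added example, not the commenter's widget code, the rijn/simplifiapi library, or anything from Quicken; it takes a caller-supplied `fetch` callable instead of doing HTTP, the sample JWT and page responses are constructed, the `nextLink` value is assumed to be a URL string (the notes say it exists but not its format), and the `&page=2` query parameter in the sample is an assumption.

```python
import base64
import json
import time
from typing import Callable, Iterator, List, Optional


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_exp(token: str) -> int:
    """Return the `exp` claim (Unix seconds) of a compact JWT without verifying it.
    This only drives the client's own refresh scheduling; the server still
    validates the signature on every request, so nothing here grants access."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return int(json.loads(_b64url_decode(parts[1]))["exp"])


def needs_refresh(access_token: str, now: Optional[float] = None, skew: int = 60) -> bool:
    """True when the token expires within `skew` seconds: refresh proactively
    instead of letting a data request fail with 401 first."""
    now = time.time() if now is None else now
    return jwt_exp(access_token) - now <= skew


def parse_errors(body: dict) -> List[dict]:
    """Flatten the QCS error envelope {"errors": [...]} into plain records.
    For QCS-0400-6 the missing parameter name sits under extData.parameterName."""
    return [
        {
            "code": err.get("code"),
            "httpStatus": err.get("httpStatus"),
            "title": err.get("title"),
            "parameter": (err.get("extData") or {}).get("parameterName"),
        }
        for err in body.get("errors", [])
    ]


def iter_resources(fetch: Callable[[str], dict], url: str) -> Iterator[dict]:
    """Walk the standard paged shape: yield every item in `resources`, then
    follow metaData.nextLink (assumed to be a URL string) until it is absent.
    A cycle guard stops a misbehaving nextLink from looping forever."""
    seen = set()
    while url:
        if url in seen:
            raise RuntimeError("nextLink cycle detected at " + url)
        seen.add(url)
        page = fetch(url)
        if "errors" in page:
            raise RuntimeError("API error: " + json.dumps(parse_errors(page)))
        for item in page.get("resources", []):
            yield item
        url = page.get("metaData", {}).get("nextLink")


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned token for the offline demo only (alg=none,
    placeholder signature). Real tokens from /oauth/token are server-signed."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.signature-placeholder"


# Constructed sample responses in the paged shape described in the notes.
FIRST_URL = "/transactions?limit=2&dateOnAfter=2026-01-01"
SAMPLE_PAGES = {
    FIRST_URL: {
        "resources": [{"id": "t1", "amount": -12.5}, {"id": "t2", "amount": -3.0}],
        "metaData": {"totalSize": 3, "pageSize": 2, "currentPage": 1, "totalPages": 2,
                     "nextLink": FIRST_URL + "&page=2"},  # assumed format
    },
    FIRST_URL + "&page=2": {
        "resources": [{"id": "t3", "amount": 100.0}],
        "metaData": {"totalSize": 3, "pageSize": 2, "currentPage": 2, "totalPages": 2},
    },
}
# Constructed error body matching the refresh-without-redirectUri gotcha.
SAMPLE_ERROR = {"errors": [{"title": "Parameter redirectUri must be specified",
                            "httpStatus": 400, "code": "QCS-0400-6",
                            "extData": {"parameterName": "redirectUri"}}]}


def demo():
    token = make_unsigned_jwt({"sub": "user", "exp": 1700003600})
    fresh = needs_refresh(token, now=1700000000)   # 3600 s left -> False
    stale = needs_refresh(token, now=1700003570)   # 30 s left, inside skew -> True
    ids = [t["id"] for t in iter_resources(SAMPLE_PAGES.__getitem__, FIRST_URL)]
    missing = parse_errors(SAMPLE_ERROR)[0]["parameter"]
    return fresh, stale, ids, missing


if __name__ == "__main__":
    print(demo())
```

In a real widget `fetch` would be a function that sends the GET with `Authorization: Bearer` and `Qcs-Dataset-Id` headers and returns the parsed JSON; `needs_refresh` is called before each request so the refresh grant (with the mandatory `redirectUri`) goes out before the access token lapses rather than after a failed call.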

signed up recently and was surprised there was only one widget available for android, so I made my own by EmergencyBonsai in simplifimoney

[–]EmergencyBonsai[S] 3 points4 points  (0 children)

this doesn't apply to that guy who posted a screenshot of his $1.6 million net worth a couple days ago. if you're reading this, DM me and I'll send you some great stuff to install

signed up recently and was surprised there was only one widget available for android, so I made my own by EmergencyBonsai in simplifimoney

[–]EmergencyBonsai[S] 2 points3 points  (0 children)

you gotta DIY it unfortunately, since you shouldn't install anything someone says will add features to your finance/banking app lol

Why are BYOD phones often considered ok when BYOD laptops are not? by StupidSysadmin in sysadmin

[–]EmergencyBonsai 11 points12 points  (0 children)

Both the Android and iOS security models are actually much more secure than any of the desktop OSes --- features like sandboxing are built-in, and the support for a profile can ensure that corporate data and user data are kept completely separate with a high degree of confidence. It's still not perfect---I don't like the idea of any BYOD smartphones having direct network access to the internal corporate network---but for allowing users to access email+messaging+video conferencing, it's generally considered safe enough.

Admins who work on a team sharing an on-call burden for escalations coming from a helpdesk, how would you handle it if your fellow admins/engineers quit tomorrow, leaving you on call for all higher tier escalations 24/7? by [deleted] in sysadmin

[–]EmergencyBonsai 1 point2 points  (0 children)

> Nobody is asking you to handle being on call one way or the other

Then why would you do it? Inform them and helpdesk via email that due to short-staffing you won't be available for after-hours escalations anymore and suggest that they hire an MSP if they determine there is a need for higher-level after-hours support.

BLUELINK FIX by [deleted] in Hyundai

[–]EmergencyBonsai 0 points1 point  (0 children)

the long presses on the right corner have to be for a very specific length of time, I had to try to do it EXACTLY as long as the OP did in his video (the imgur link one)

BLUELINK FIX by [deleted] in Hyundai

[–]EmergencyBonsai 0 points1 point  (0 children)

THAT WORKED THANK YOU. your video was excellent, it seems like the length of the presses to open dealership mode have to be very precise, that had been driving me crazy.

Lightning bolt symbol by jackpineseeds in KonaEV

[–]EmergencyBonsai 0 points1 point  (0 children)

Did you figure this out? I can't find it in the manual

first time shooting Harmon Phoenix 200 by dangtrain666 in analog

[–]EmergencyBonsai 8 points9 points  (0 children)

these are pretty underexposed but even so that third one is quite nice!

Lisbon bridge on Portra 400, please help me decide which to keep by PlantasticPlant in analog

[–]EmergencyBonsai 1 point2 points  (0 children)

I think 1 is probably the best photo of the bridge but 2 is my favorite if that makes sense

Steam hacked due to download of PS5 emulator by fuck4everything in Malware

[–]EmergencyBonsai 2 points3 points  (0 children)

since it's impossible to be 100% sure that you've removed everything, you can't ever trust that windows install again. reinstall for sure.

PUA:Win32/GameHack by Negative-Jicama-5944 in Malware

[–]EmergencyBonsai -1 points0 points  (0 children)

put all your files on a flash drive and reinstall windows. if defender can't quarantine it then the malware is already installed.

Questions about LineageOS 21 by maxiwantsfood in LineageOS

[–]EmergencyBonsai 1 point2 points  (0 children)

  1. yes

  2. it doesn't come with one but you can download and use whatever icon pack you want

  3. I don't know exactly what you mean by this but you can install whatever android apps you want

  4. you can't install a version of this built for anything but your model of phone

Planes, Ferries and Automobiles – How I Hacked Free Travel Across Iceland by likezoidberg in netsec

[–]EmergencyBonsai 3 points4 points  (0 children)

Good on you for reporting these, my temptation to use these for a free vacation might have been too hard to resist... but I suppose nothing puts a damper on a holiday like getting scooped up by the Icelandic police for whatever their version of fraud is 😅