Your browser is no longer supported! Please upgrade your web browser now.
Posts tagged “Harvest ID”:

Harvest ID: The Key to Your (Harvest) Heart

Harvest ID is such A Big Deal that this is the second post we’re dedicating to it here on the Harvest Blog. Albert has already told you all about the thought process behind this tremendous project and its benefits behind the scenes; now, I want to dive into what this new integrated sign-in system means for you as you use Harvest and Forecast day to day—and even introduce a brand-new feature that couldn’t have existed before.

Simpler sign-in

The first thing you might notice when you sign in to Harvest ID is that it’s the same sign-in page no matter what—whether your company recently changed its name, you’re part of more than one account, or you want to go to Forecast instead of Harvest, you can go right to and enter your email address and password.

Before this, if you were signing in to a Harvest account, you first needed to go to your Harvest web address, a unique URL for your particular account. It’s not always easy for everyone to remember that web address, though—especially if they have to know more than one of them—and so we’ve done away with it completely in the sign-in process. Now, clicking the Sign In button on our main page will take you straight to the Harvest ID sign-in page, where an email address and password is enough for us to know exactly which account you’re trying to access or give you a list of all your accounts so you can choose the right one.

Sign in with Harvest ID

You might not even need a password to sign in. While quicker sign-in was originally a major benefit of our Google Apps integration, setting it up wasn’t the most intuitive process, and you still needed to create a Harvest password even if you were only ever going to sign in with Google Apps. Harvest ID has allowed us to simplify this integration and widen it to all Google accounts, so even if you just have a personal Gmail address, accessing your Harvest or Forecast account is now as easy as clicking the Sign In with Google button and giving Harvest permission to authenticate you via Google.

Smoother switching—everywhere

I mentioned that you might see a list of your different accounts when you sign in. An increasing number of our customers are taking advantage of the integration between Harvest and Forecast and using both apps to keep tabs on project progress. With more and more people working on projects for different companies or freelancing alongside their day job, it’s also not unusual for someone to be part of multiple Harvest accounts and/or multiple Forecast accounts. In these cases, there’s no need to sign in to each account separately—just sign in once using Harvest ID and you’ll get that list of accounts to choose from. Once you’re in one account, click your name at the top right and select Switch Accounts to get back to the list and jump right into another account faster than you can unlock your own front door.

Switch Accounts in Harvest

Perhaps one of the best parts of our new sign-in system is that it’s not just for the web. Before, we had the same basic key—email address, password, and, in the case of Harvest, web address—but a different lock for every device. For example, our Android app (somewhat ironically!) couldn’t use the Google Apps integration. Now, we’ve implemented Harvest ID across our web apps, Mac and mobile apps, browser extensions and add-ons, and Platform-enabled integrations, giving you the same experience and benefits no matter which app or device you’re using.

Log in from Google Apps on Mobile Devices

Stronger security

Harvest ID isn’t all about making sign-in faster and easier; we’ve also made several customer-facing improvements around security. When you change your Harvest ID password, for example, the new password applies to all the accounts attached to that Harvest ID—sort of like putting your whole gated compound on immediate lockdown rather than changing each lock on each door one at a time.

Session Control

I’m especially excited to tell you about this next security-related feature because it’s fresh out of the oven. The Security section of your Harvest ID gives you the lowdown on every time your accounts have been signed in to—IP address, location, and device. This can help you keep an eye out for any unauthorized access to your account, like if you see someone has signed in from a country that you’ve never stepped foot in. If that happens, or even if you just realize that you’ve left yourself signed in to a computer you no longer have access to, you can easily end a particular session—making sure that no more actions can be taken by anyone who had access via that session—or end all of your sessions and immediately reset your password, ensuring that you’re the only person who can sign in to the accounts associated with your Harvest ID.

And much more

Harvest ID improves the Harvest and Forecast experience in so many ways that I’m tempted to go on and on—but since we’re all about time here, I know you’re probably ready to spend your time doing something else! If you do want to know more, I recommend checking out the Harvest ID section of our Help Center for more information and answers to FAQs. If you don’t find what you’re looking for there, you’re more than welcome to give us a shout and we’ll help you out with any questions you might have!

As for the future, Harvest ID has already done so much for us and for you, but we’re going to ask even more of it. Its flexibility will allow us to work on a lot of features that weren’t possible before, and we’re looking forward to sharing them with you. Stay tuned for updates!

Harvest ID: A New Hope

We have a great team of developers all over the world constantly improving Harvest in the background—optimizing the infrastructure, pushing version updates, tweaking the database, etc. These things can’t easily be shown with flashy animated GIFs like when we release new features, but they’re essential in keeping our products secure, reliable, and fast. In this post I’d like to talk about one of these projects.

I’ve spent a year and a half of my career on this new system we call Harvest ID, and it’s been one of the most rewarding and challenging projects I’ve ever worked on. It’s also a very important step for us technically, a stepping stone that let us clean up a lot of technical debt and paved the way for a lot of features that wouldn’t have been possible without it.

We migrated almost one million users to this new system, we built and improved features where security is absolutely essential, like password resets and invitations, and we had endless discussions about the impact on usability for the various flows that Harvest ID provides. And we did all this without a single second of downtime.

I hope you enjoy this read as much as I enjoyed working on this project.

Authentication is very important. It’s the key that gives you access to doing anything at all with Harvest, and it involves much more than just entering your email and password on a sign-in page.

More than ten years ago, when Harvest was launched, you could sign in using your email address and password. Some time later, we started offering an API that let you pass your credentials with Basic authentication. When the iPhone started to be a thing, we built our first version of Harvest for iPhone. Some time later, we implemented the new standard OAuth2, making third-party apps easier and more secure to build. In 2014 we launched another product, Forecast, which integrates very tightly with Harvest.

All of these different features have one thing in common: they provide access to your Harvest accounts, and that access has privacy and security implications that we take very seriously.

Harvest started with a very simple solution for the needs it had ten years ago, but with time, authentication became more and more complex to manage. This complexity wasn’t intentional; it was the outcome of many years of changes and improvements. This is perfectly normal in the world of software development, where it’s important to not just extend and add new features but also take a step back and clean up anything that has become too complex.

This slide from an internal presentation two years ago made it clear that it was time for us to take that step back (don’t worry—a lot has changed since then!):

Talk Over the Internet – Authentication

Harvest ID

One of the ways we’ve solved these problems in the past is to rebuild small sections from scratch, giving us new, cleaner code. It’s also possible to take this one step further, though, and build a whole new app. This has the added benefit of removing the complexity from the original codebase and having a very small new application that’s a lot easier to maintain.

We unveiled Forecast almost two years ago, when we had already learned from our past and decided that authentication was something that could be done in a different app. We tried out our proof of concept and found that it worked well for Forecast, so the next step was to expand on the idea and get Harvest to use it, too. We named the new app Harvest ID.

Beyond cleaning up our authentication code, we knew that investing in Harvest ID would have many other benefits, some obvious, like easily switching between Harvest and Forecast accounts, and others less visible, like improving how we implement some parts of Harvest that really need some love. We’ll explain some of these more in depth in a future blog post, but security has always been at the forefront of this project, and that’s what I want to dig into now.


Security is a complex concept. No one can ever say with 100% confidence that a system is completely secure; what’s considered secure changes with time, as hackers get craftier and new best practices emerge. Security is a spectrum, and we’re constantly trying to move towards the more secure end of it. Ensuring security involves many different areas and practices, from keeping our servers and packages up to date and storing private information securely to using mathematically proven secure algorithms and nudging our customers towards stronger passwords or informing them when something might be amiss.

With Harvest ID, our products are now several steps closer to the place we’d like to be with regard to security:

  • We’re now based on tokens with limited lifetimes. Someone hacking an account has a limited time during which to do any damage, and we can revoke access at any point.
  • It’s much more flexible than before. We’ll be able to build new features in the future that would’ve been very complicated to build in the days before Harvest ID.
  • Harvest ID is a very small application, which makes it a lot easier to maintain. We can run the whole test suite in ten seconds, as opposed to the ten minutes it takes to run Harvest’s. A small application has fewer bugs and lets us be way more thorough with QA. This is very important when we’re talking about such a key part of a system.
  • Harvest and Forecast can join efforts in this area. Any improvements or vulnerability fixes in our authentication code will automatically apply to both products.
  • There’s a good chunk of functionality that doesn’t live in Harvest anymore—signing in, password resets, invitations, etc. That means Harvest got simpler, and we know simpler apps are more secure, right?


Harvest ID is, at its core, a token generator that can work as an OAuth2 provider. When accessing any of our products, we always expect an access token to be in your cookies. If it’s not there, we just tell you to go to Harvest ID and sign in to get a new one.

If you type the correct email and password into Harvest ID, we issue a new access token with a limited lifetime. That token stays in your cookies, signed and encrypted to make it a little bit more annoying for Evil Hackers to play with it, and once it expires, it stops working and you need a new one to access our apps. Signing out also invalidates it, making sure hackers can’t do anything else with it.

Our own mobile apps use Harvest ID as a good old OAuth2 provider. They use a password grant to get a pair of access and refresh tokens, just like they used to, with the added benefit that you can use these tokens for all your accounts, making it easier than ever to switch accounts with our mobile apps—something that wasn’t possible before. Spoiler alert: The Harvest for Mac app will support this very soon, too!

We foresee a future where all API access to Harvest will also benefit from Harvest ID so third-party apps can provide new, better ways to work with Harvest and, eventually, Forecast.

I’m so glad to have been part of this amazing journey. We officially started the project to integrate Harvest ID with Harvest in October 2014 and silently released the first batch of changes internally in early 2015 before slowly migrating all features from Harvest into Harvest ID. We migrated everyone with a single Harvest account during March 2015 and everyone else in the next few months. We re-built most of the sign-up code at the same time, and by the end of 2015, everyone was accessing Harvest via Harvest ID.

We haven’t been idle since then. We’ve continued to improve Harvest ID and will keep doing so in the months to come. I’m really looking forward to the new feature announcements we’ll be making in the near future.

This ambitious project wouldn’t have been possible without the fantastic team here, from my fellow developers to our amazing DevOps, tireless QA, and the nicest team of Experts around. I especially couldn’t have done it without Lorenzo, one of our security experts and an incredible resource and cheerleader during this transition.

Stay tuned for upcoming news about Harvest ID!