diff --git a/roles/homeassistant/files/auth-command.py b/roles/homeassistant/files/auth-command.py
new file mode 100755
index 0000000..02fff52
--- /dev/null
+++ b/roles/homeassistant/files/auth-command.py
@@ -0,0 +1,25 @@
+#!/usr/bin/env python3
+
+import os
+import re
+import sys
+import requests
+
+username = os.environ.get("username")
+password = os.environ.get("password")
+
+if username is None or password is None:
+    sys.exit(2)
+if not re.search(r"^[a-z]+$", username):
+    sys.exit(2)
+
+resp = requests.post(
+    "https://id.foo.sh/authcheck",
+    json={"username": username, "password": password, "group": "foosh"},
+)
+if resp.status_code != 200:
+    sys.exit(2)
+
+print("name = {}".format(resp.json()["name"]))
+print("group = system-users")
+print("local_only = false")
diff --git a/roles/homeassistant/files/auth-command.sh b/roles/homeassistant/files/auth-command.sh
deleted file mode 100755
index e64ee9c..0000000
--- a/roles/homeassistant/files/auth-command.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-set -eu
-
-umask 077
-
-if [ -z "${username:-}" ] || [ -z "${password:-}" ]; then
-    exit 2
-fi
-
-if [ "$(echo "$username" | sed -r 's/^[a-z]+$/x/')" != "x" ]; then
-    exit 2
-fi
-
-curl -sf -X POST -H "Content-Type: application/json" -d @- \
-    https://id.foo.sh/authcheck <<EOF
-{"username": "${username}", "password": "${password}", "group": "foosh"}
-EOF
diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml
index 1f1c11a..c11dfcb 100644
--- a/roles/homeassistant/tasks/main.yml
+++ b/roles/homeassistant/tasks/main.yml
@@ -98,8 +98,8 @@
 
 - name: Copy authentication command
   ansible.builtin.copy:
-    dest: /srv/homeassistant/auth-command.sh
-    src: auth-command.sh
+    dest: /srv/homeassistant/auth-command.py
+    src: auth-command.py
     mode: "0755"
     owner: root
     group: "{{ ansible_wheel }}"