Access and refresh tokens
Data privacy
For all Health Data API services, an authorization token input parameter called access_token is mandatory so that Withings platform can attest that the partner is allowed to access the program member's data.
Using your authorization code
access_token and refresh_token are obtained by using the authorization code you obtained on the previous step of this guide to call the getaccesstoken webservice. In result of calling this webservice, you will obtain an access_token and a refresh_token.
Access and refresh tokens
- The
access_tokenis always provided with arefresh_token. - The
refresh_tokenmust only be used to request a newaccess_tokenonce it has expired. - When your
access_tokenhas expired, you can use yourrefresh_tokento get a newaccess_tokenusing the requesttoken webservice. - When retrieving a new
access_token, arefresh_tokenis also provided and you have to overwrite your currentrefresh_tokenwith the new one.
An access_token expires after 3 hours.
A refresh_token expires after a year.
When you request new access_token and refresh_token, the former refresh_token stops being valid after 8 hours, or as soon as the new access_token is used. This is a safety net in case you were not able to store the new access_token and refresh_token after requesting them.