Skip to main content

Access and refresh tokens

Data privacy

For all Health Data API services, an authorization token input parameter called access_token is mandatory so that Withings platform can attest that the partner is allowed to access the program member's data.

Using your authorization code

access_token and refresh_token are obtained by using the authorization code you obtained on the previous step of this guide to call the getaccesstoken webservice. In result of calling this webservice, you will obtain an access_token and a refresh_token.

Access and refresh tokens

  • The access_token is always provided with a refresh_token.
  • The refresh_token must only be used to request a new access_token once it has expired.
  • When your access_token has expired, you can use your refresh_token to get a new access_token using the requesttoken webservice.
  • When retrieving a new access_token, a refresh_token is also provided and you have to overwrite your current refresh_token with the new one.
Token expiration

An access_token expires after 3 hours.

A refresh_token expires after a year.

When you request new access_token and refresh_token, the former refresh_token stops being valid after 8 hours, or as soon as the new access_token is used. This is a safety net in case you were not able to store the new access_token and refresh_token after requesting them.


Login required

Please log in to your Developer Dashboard in order to file a request.