OAuth web flow
The goal of the OAuth 2.0 web flow is to allow your application to access a user’s health data from their Withings account securely. Here’s an overview of the entire process:
1. User Sets Up Devices in the Withings App:
Before connecting to your application, the user needs to set up their Withings devices using the Withings app on their phone.
During this setup, the user will:
- Create a Withings account (if they don't already have one).
- Install and link their Withings devices to their account.
At this point, all the health data generated by the devices will be synced to the user’s account, which can later be accessed via the Withings API.
Note: Once the user authorizes your application, you will have access not only to new data but also to all historical health data collected by the devices, allowing you to retrieve both past and current measurements through the API.
2. Redirecting the User to the Authorization URL:
Start by directing the user to Withings’ authorization URL. This can be done via a button (e.g., "Connect my Withings account"), a QR code, or another link. The user will be asked to create or log in to their Withings account and grant permission to share their health data with your application.
3. User Redirects to Your Callback URL:
After the user has successfully granted access, they are redirected to your callback URL with an additional query parameter, code.
4. Exchanging the Code for Tokens:
You have 30 seconds to exchange the authorization code for an access token and a refresh token. These tokens will allow your application to authenticate and retrieve the user’s data.
5. Pulling User Data:
After receiving the access token, you can use it to pull the user’s health data. This can be done using Withings' webhook system, which will notify you when new data is available.
See the following diagram:
