Retrieve User Access Token

Before you begin, read the Web Guide and Start a user session to learn the steps needed to set up Human API Connect.

Using an Access Token

When you want to query the user's health data, you must first get an access token.

🚧

An access token can only be retrieved if the user previously connected data sources and is still active (not deleted). If either of those two conditions is not met, the request will be rejected, and you will instead need to Start a user session.

// This example contains your client secret and must run on your server. DO NOT use it in the browser!
// It uses the open-source request library to issue requests;
// you can replace it with your favorite HTTP library.

const request = require("request");

// Human API's authentication URL
const authUrl = "https://auth.humanapi.co/v1/connect/token";

// Payload you send to the server
const requestBody = {
  client_id: "--YOUR_CLIENT_ID--",
  client_user_id: "--YOUR_UNIQUE_IDENTIFIER--",
  client_secret: "--YOUR_CLIENT_SECRET--",
  type: "access" // replace this value with "access" or "id_token"
};

// Issue an HTTP call to Human API's authentication service
request({
  url: authUrl,
  method: "POST",
  json: true,
  body: requestBody
}, (error, resp, body) => {
  // Transport-level failure (DNS, TLS, connection reset, ...)
  if (error) {
    throw error;
  }
  if (resp.statusCode >= 400) {
    console.error("Server returned error status", resp.statusCode);
  } else {
    // With json: true the response body is already parsed
    console.log(resp.body);
  }
});

🚧

Do not ever send your client secret through the browser

Retrieving user data should not be done through the browser; it should be done via a server. Do not expose your users' data by loading your client secret onto a web page.

A successful response to the request above will look like this:

{
    "access_token": "<your access token>",
    "expires_in": 86400,
    "token_type": "Bearer",
    "refresh_token": "atrt-zr5-gTJD8kWiwsNSWwhX2PhQA5-Rz0MpkCQVmdeDkZ3"
}

📘

What should I do with the refresh_token?

Refresh tokens are not actively used in the API today. Even so, we recommend that you store the refresh_token in your database in case it is required in the future.

If you would like to request a new access_token, you can re-send a POST request to our /token endpoint.

When you successfully retrieve the access token, you will use it to get the user's health data from our Data API, as described in the Data API Overview.

Common errors

Here are some of the most common errors that can be seen when attempting to retrieve an access token:

| errorCode | Description | How to Fix |
| --- | --- | --- |
| INVALID_TOKEN_TYPE | The specified token type parameter is invalid | Make sure you are sending type: "session" or type: "id" |
| ACCESS_TOKEN_GENERATION_NOT_ALLOWED | User is not allowed to generate access tokens | The end user must have connected an external account. If the user already connected a source and you are still receiving this error, please reach out to [email protected] |
| CLIENT_TOKEN_GENERATION_NOT_ALLOWED | client_id is not allowed to generate client tokens | Reach out to us at [email protected] |
| INVALID_CLIENT_ID | Invalid client_id | Make sure that you are sending the correct client_id |
| INVALID_CLIENT_ID_OR_SECRET | Invalid client_id or client_secret | Make sure that you are sending the correct client_id and client_secret |
| UNKNOWN_CLIENT_USER_ID | Unknown client_user_id | When requesting type: "id", make sure that you have generated a session token for the user and that they have connected sources. |
| NOT_AUTHORIZED | Not authorized to perform this action | Reach out to us at [email protected] |
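The following server-side helper is an added example, not Human API's own code. It caches each user's access token until shortly before `expires_in` runs out, re-sends the POST when a new one is needed, and turns the error codes above into a flag telling your application to start a new user session. It assumes that error responses carry an `errorCode` field and that Node 18+ `fetch` is available; `createTokenClient`, `defaultPost`, `NEEDS_USER_SESSION` and `SKEW_MS` are hypothetical names.

```javascript
// Added example (not Human API's code). Assumptions: error bodies carry an
// `errorCode` field, Node 18+ global fetch, and all helper names below.
const AUTH_URL = "https://auth.humanapi.co/v1/connect/token";
const SKEW_MS = 60 * 1000; // renew a minute early so a token never expires mid-request

// errorCodes from the table above whose fix is to send the user back through Connect
const NEEDS_USER_SESSION = new Set([
  "ACCESS_TOKEN_GENERATION_NOT_ALLOWED",
  "UNKNOWN_CLIENT_USER_ID",
]);

// Default transport; tests or other HTTP libraries can inject their own `post`.
async function defaultPost(url, payload) {
  const resp = await fetch(url, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(payload),
  });
  return { status: resp.status, body: await resp.json().catch(() => null) };
}

function createTokenClient({ clientId, clientSecret, post = defaultPost, now = Date.now }) {
  const cache = new Map(); // client_user_id -> { token, expiresAt }, server memory only

  return async function getAccessToken(clientUserId) {
    const hit = cache.get(clientUserId);
    if (hit && hit.expiresAt - SKEW_MS > now()) return hit.token;

    const { status, body } = await post(AUTH_URL, {
      client_id: clientId,
      client_user_id: clientUserId,
      client_secret: clientSecret,
      type: "access",
    });
    if (status >= 400 || !body || !body.access_token) {
      // Surface only the errorCode, never the request payload, which holds the secret.
      const err = new Error("Human API token request failed");
      err.code = (body && body.errorCode) || `HTTP_${status}`;
      err.needsUserSession = NEEDS_USER_SESSION.has(err.code);
      throw err;
    }
    cache.set(clientUserId, {
      token: body.access_token,
      expiresAt: now() + body.expires_in * 1000,
    });
    return body.access_token; // hand to the Data API call; do not log it
  };
}
```

Read `clientId` and `clientSecret` from server-side configuration such as environment variables, and keep the returned token out of logs and out of any response sent to the browser.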