Signature hash protocol
In order to authenticate a partner, some Withings APIs use a hash value as a signature. The signature consists of the following parameters:
To generate a signature please follow these steps:
- Generate a valid nonce using the service Signature v2 - Getnonce
- Sort the values alphabetically by key name: action -> client_id -> nonce
- Generate a string by concatenating values separated by a comma. The string should look this this: value1,value2,value3.
- Apply an hmac hashing function on the string using the algorithm
sha256and your partner's
client_secret(available in your Withings partner dashboard) as a secret key.
- Add the hash string in the parameters under the
Example of signature generation in
This section on token reception relates to the following services:
To avoid collisions with existing Withings consumer accounts, these three services create a new end user account in the partner API namespace.
- The service will synchronously render the authorisation code and the
external_idinput parameters in the call response.
- The partner will then need to fetch the access and refresh tokens using the token service as described in the second step of the OAuth 2.0 application flow.
- If the end user account already exists in the partner API namespace when the service is called, a new account is not created and the authorisation code to access credentials for the existing account will be returned.