Access and refresh tokens
Data privacy
For all Health Data API services, an authorization token input parameter called access_token is mandatory so that the Withings platform can attest that the partner is allowed to access the program member's data.
Using your authorization code
The access_token and refresh_token are obtained by calling the getaccesstoken webservice with the authorization code you obtained in the previous step of this guide. As a result of calling this webservice, you will obtain an access_token and a refresh_token.
Access and refresh tokens
- The access_token is always provided with a refresh_token.
- The refresh_token must only be used to request a new access_token once the current access_token has expired.
- When your access_token has expired, you can use your refresh_token to get a new access_token using the requesttoken webservice.
- When retrieving a new access_token, a refresh_token is also provided and you have to overwrite your current refresh_token with the new one.
An access_token expires after 3 hours.
A refresh_token expires after a year.
When you request a new access_token and refresh_token, the former refresh_token stops being valid after 8 hours, or as soon as the new access_token is used. This is a safety net in case you were not able to store the new access_token and refresh_token after requesting them.
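
The rotation rules above, as an added Python example that is not part of the original page or Withings code. request_token is a hypothetical callable standing in for the requesttoken webservice (its URL and parameters are not given here), and the JSON file layout is an assumption. The new pair is written to disk before the new access_token is returned, so a failed write leaves the stored refresh_token usable within the 8-hour window.

```python
import json
import os
import tempfile
import time

ACCESS_TTL = 3 * 3600  # access_token lifetime stated on this page (3 hours)


class TokenStore:
    """Keeps one access_token/refresh_token pair on disk and rotates it safely."""

    def __init__(self, path, request_token):
        self.path = path
        # Hypothetical callable: refresh_token -> (new_access, new_refresh).
        self.request_token = request_token

    def load(self):
        with open(self.path) as f:
            return json.load(f)

    def save(self, access, refresh, now):
        # Write to a temp file, then rename, so a crash never leaves a
        # half-written pair. mkstemp creates the file with mode 0600.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as f:
            json.dump({"access_token": access, "refresh_token": refresh,
                       "expires_at": now + ACCESS_TTL}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)

    def access_token(self, now=None):
        now = time.time() if now is None else now
        state = self.load()
        if now < state["expires_at"]:
            return state["access_token"]
        # Expired: spend the refresh_token, then persist the new pair BEFORE
        # handing out the new access_token. If save() raises, the new
        # access_token is never used, so the refresh_token still on disk is
        # accepted for the 8-hour window and the next call can retry with it.
        access, refresh = self.request_token(state["refresh_token"])
        self.save(access, refresh, now)
        return access
```
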