Service Endpoints

All Tidepool services are accessed via RESTful URLs at api.tidepool.org.


Use of our APIs is documented at https://developer.tidepool.org and via the source code and documentation found at https://github.com/Tidepool_org.

All API calls are RESTful and require a unique, valid session token that is obtained during authentication and is not exposed in the URL.

All communication with APIs is encrypted via TLS/HTTPS. Data is transmitted to the web application as JSON streams over RESTful APIs.

About session tokens

New session tokens are generated upon login and invalidated on logout.

Session tokens are 1024 bits and expire after 8 hours of inactivity or upon logout.

Session IDs are sent only in an HTTPS header, which is encrypted in transit, and are never exposed in the URL.

API Security

Tidepool publishes our full API spec on Stoplight.io in OpenAPI (formerly Swagger) format:

https://tidepool.stoplight.io

Every API endpoint verifies that:

  1. there is a valid JWT access token, and

  2. the access token belongs to a user who has permission/privilege to access the resource in question.

Tidepool issues two tokens – an access token, which is good for 1 minute, and a refresh token, which is good for the length of the session (24-hour maximum with an 8-hour inactivity timer).

The access token is generated by Tidepool upon successful user authentication. It contains the user ID of the user as one of its claims, and it is signed with Tidepool’s private key using the RS256 algorithm.
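The two endpoint checks listed above and the RS256-signed access token can be shown together in one small Go example. This is an added illustration, not Tidepool's platform code: the claim name `userid`, the `Authorize` and `IssueToken` functions and the resource-ownership rule are assumptions made for the example, and expiry is passed in as Unix seconds.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

type Claims struct {
	UserID string `json:"userid"` // claim name is an assumption for this example
	Exp    int64  `json:"exp"`    // expiry as Unix seconds
}

// IssueToken signs header.payload with RS256 (RSASSA-PKCS1-v1_5 over SHA-256).
func IssueToken(key *rsa.PrivateKey, c Claims) (string, error) {
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// Authorize performs the two endpoint checks: (1) valid, unexpired RS256 token; (2) caller owns the resource.
func Authorize(pub *rsa.PublicKey, token, resourceOwner string, now int64) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	sig, err := b64.DecodeString(parts[len(parts)-1])
	if len(parts) != 3 || err != nil {
		return c, errors.New("malformed token")
	}
	// The algorithm is pinned to RS256; the header's "alg" field is never consulted.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, errors.New("invalid signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil || now >= c.Exp {
		return Claims{}, errors.New("unreadable or expired token")
	}
	if c.UserID != resourceOwner {
		return Claims{}, errors.New("forbidden: token user does not own the resource")
	}
	return c, nil
}
```

Signature verification runs before the payload is parsed, so an unsigned or tampered token never reaches the claim checks.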

OAuth tokens are valid for a maximum of 24 hours; after that, the token must be refreshed unless the application handles the session statefully.


The content of the Tidepool Technical Documentation is licensed under a Creative Commons CC0 1.0 Universal (CC0 1.0) Public Domain Dedication.