Service Endpoints
All Tidepool services are accessed via RESTful URLs at api.tidepool.org
.
Use of our APIs is documented at https://developer.tidepool.org and via source code and documentation found at https://github.com/Tidepool_org .
All API calls are RESTful and require a unique, valid session token that is obtained during authentication and is not exposed in the URL.
All communication with APIs is encrypted via TLS/HTTPS. Data is transmitted to the web application as JSON streams over RESTful APIs.
About session tokens
New session tokens are generated upon login and invalidated on logout.
Session tokens are 1024 bits
and expire after 8
hours inactivity or upon logout.
Session IDs are only included in the encrypted HTTPS header and are not exposed in the URL.
API Security
Tidepool publishes our full API spec on Stoplight.io
in OpenAPI
(formerly SWAGGER
) format
Every API endpoint verifies that:
there is a valid JWT access token
the access token is from a user who has permission/privilege to access the resource in question.
Tidepool issues two tokens – an access token which is good for 1
minute and a refresh token, which is good for the length of the session (24
-hour maximum with an 8
-hour inactivity timer).
The access token is generated by Tidepool upon successful user authentication. It contains the user ID of the user as one of its claims, and it is signed with Tidepool’s private key using RS256
algorithm.
OAuth tokens are good for a max of 24
hours, and then will need to refresh the token if not handled state-fully by an application.
The content of the Tidepool Technical Documentation is licensed under a Creative Commons CC0 1.0 Universal (CC0 1.0) Public Domain Dedication.