Contents
- Introduction
- Basics
- Identification
- Service Catalog
Introduction
Withings BodyScale API (WBS API) is a set of webservices allowing developers and third parties limited access to users' data.
Prior to any access by an external application, the user has to explicitly allow their data to be accessed through the WBS API. This can be done either by the user in my.withings.com or by the user from a third party's web site using its proper email/password combination.
It is freely available for non-commercial use by any developer and may be licensed (or freely licensed in some cases) for commercial use by prior arrangement. Please issue requests here
A small PHP library is available to illustrate this documentation. Giving it a look will save you time. It is here.
If you are an iPhone developer, you may download the sample iPhone application source code. This application is a example of code to illustrate the API and not the wiScale application. It will anyway save a lot of time to those integrating our API in an iPhone application.
Basics
Request format
The WBS API is REST-based. Basically, WBS requests are sent as HTTP POST or GET requests.
A typical WBS API service request follows this template :
Where :
[service_name] is the requested service,
[action_name] is the action you want to perform on the requested service,
[parameters] are parameters, mandatory or optional, passed to the requested service.
Every service needs a mandatory action parameter. For example, the user service has two possible actions (getbyuserid and update). action is a parameter of the GET or POST request (user?action=getbyuserid)
For every thing you want to do, there is a service and an action. The measure?action=getmeas service, which gets the user's weight and body fat, is probably the most useful.
Response format
Responses to such requests are JSON documents. All responses look like the following:
The body field may eventually be absent or empty, depending on the service/action requested and the success or failure of the requested action.
Any single response will provide a mandatory status field. A status value set to 0 means that the action was successfully processed. Other values mean the request was processed properly. Please refer to the Error codes sections to get a hint as to what went wrong, and why.
A json library IS available for your programming language at http://www.json.org. Please don't try to parse a JSON document without first visiting this site. Use an already available JSON library: it saves a lot of effort.
As a first example (and this is a good starting point to check that this is working in your actual environement):
returns
Identification
You typically use the WBS API to retrieve data related to a given user, for example, weight and body fat measurements. A user is part of an account.
An account is what BodyScale users use to log into their dashboard. An account is uniquely defined by an email address. For access to be granted to a given account, its password (chosen by the user at registration time) is needed. A single account might be used by several BodyScale users (a parent and their young kids), or each user might have their own account.
A user (as listed in the dashboard's leftmost part) of a Withings BodyScale is uniquely defined by a userid and the publickey. In most requests, those two parameters are mandatory. Both can be found, for testing, in the 'Share' overlay within the user's dashboard at http://my.withings.com.
They are two ways of obtaining the userid and a publickey of a specific user.
Notification
The most effective way for third parties to retrieve measurements updates is to setup notifications (some might call it "Push") for the users they are interested in. Notifications are handled on a user-per-user basis : each third party application shall subscribe once for every user being monitored, as explained here. Each time the subscribed users weigh-in, add, delete or modify any measurement or objective, the WBS API will send notifications to all their monitoring third parties.
Subscriptions will not be performed if the user has not allowed its profile to be public. A given user can not be subscribed by more than 16 third parties.
When the WBS API sees that subscriber data has been modified, it sends a notification to the subscribing third party application. The notification contains information that helps to determine what should be downloaded to remain in sync.
Notifications subscriptions last 3 weeks and it is the subscriber responsability to renew the subscription when necessary, as explained here. Checking for the existence of a subscription and the retrieval of its expiry date can be performed as shown here.
The subscription can be revoked at anytime, as explained here
Service Catalog
Depending on what you want to do, you may use the following services:
- I want to GET some (or all) measurements of a specific user for which I have the userid and the publickey. I use measure?action=getmeas .
- I want to GET available information for a specific user for which I have the userid and the publickey. I use user?action=getbyuserid .
- I want to GET the list of the users (and their userid and publickey) within an account for which I have the email address and the password used during account registration. I use account?action=getuserslist .
- I've just managed to convince a user to use my application. I use their email address and the password used during account registration to ensure Withings will share its data. I use user?action=update .
- I would like my application to be notified of measurement related event for the users I supervise whenever as they happen. I use notify?action=subscribe.
- I want to stop a notification I had put in place. I use notify?action=revoke.
- I want to GET information about a notification I may have set up. I use notify?action=get.
measure / getmeas
Several use cases can be performed with this service, depending on its input parameters.
Two parameters are mandatory in all cases: the userid and the publickey. ALL others are provided for filtering purposes and are optional.
Parameters
| Required | Name | Type | Description |
| required | userid | integer | The userid of the target user. This can be obtained through an account/getuserslist or through the user's "Share" overlay in the dashboard. |
| publickey | string | The public key associated with the userid. This can be obtained through an account/getuserslist or through the user's "Share" overlay in the dashboard. | |
| optional | startdate | integer (EPOCH format) | Will prevent retrieval of values dated prior to the supplied parameter. |
| enddate | integer (EPOCH format) | Will prevent retrieval of values dated after the supplied parameter. | |
| meastype | integer | Will restrict the type of data retrieved. (see below the type list) | |
| lastupdate | integer (EPOCH format) | Is useful for performing data synchronization. It can be used by the system using the WBS API to supply the last time (EPOCH format) it acquired data. Only entries which have been added or modified since this time are retrieved. | |
| category | integer | Can be set to 2 to retrieve objectives or to 1 to retrieve actual measurements. | |
| limit | integer | Can be used to limit the number of results. For instance, setting &limit=1 will return only the last measure. Used in conjunction with offsetby, it can be used to acquire large data sets in several requests. Measures are always delivered from the newest one to the older one, and offsetby=X filters the X newest. |
As with every service, the answer starts with a status that should be 0, and a body that contains the actual result, an array of measuregrps (measure groups) related to the specified user.
Each measure group contains the following attributes:
| Measure group content fields | |
|---|---|
| Name | Description |
| grpid | A unique grpid (Group Id), useful for performing synchronization tasks. |
| attrib | An attrib (Attribute), defining the way the measure was attributed to the user. It may take the values shown in the Attribution status table below. |
| date | The date (EPOCH format) at which the measure was taken or entered. |
| category | The category of the group. A measure group can represent either measures captured by the BodyScale or objectives set by the user. The category field indicates for each measure group whether the measures in the group are measurements or targets. Refer to the Category values table below. |
| measures | An array of measures that belong to this particular measure group. |
A measure is an actual measurement of something. It has three parameters:
| Measure content fields | |
|---|---|
| Name | Description |
| type | A type which can be one of the ones specified in the Measure types table. |
| value | A value which is the actual value of the measure (integer). |
| unit | A unit which represents the power of 10 that has to be multipled by value to find the actual data (integer). |
| Attribution status table | |
|---|---|
| Attribution Mode | Description |
| 0 | The measuregroup has been captured by a scale and is known to belong to this user (and is not ambiguous) |
| 1 | The measuregroup has been captured by a scale but may belong to other users as well as this one (it is ambiguous) |
| 2 | The measuregroup has been entered manually for this particular use |
| 4 | The measuregroup has been entered manually during user creation (and may not be accurate) |
| Category table | |
|---|---|
| Category | Description |
| 1 | Measure |
| 2 | Target |
| Measure types table | |
|---|---|
| Type | Description |
| 1 | Weight (Kg) |
| 4 | Size (meter) |
| 5 | Fat Free Mass (Kg) |
| 6 | Fat Ratio (%) |
| 8 | Fat Mass Weight (Kg) |
The actual measure value has to be computed from the value field using this formula:
As an example, the following JSON measure { "value": 79300, "unit": -3, "type": 1 } means "This is a fat measurement of 79,3 Kg".
Note: Our units are SI units (Kilogram, meter, etc.). In case you come from a country that uses the imperial system (ie, Burma, Liberia, or the United States), you may have to convert the values to your local representation.
Return codes
| Code | Description |
| 0 | Operation was successfull |
| 2555 | An unknown error occured |
| 247 | The userid provided is absent, or incorrect |
| 250 | The userid and publickey provided do not match, or the user does not share its data. |
Example
{
"status": 0,
"body": {
"updatetime": 1249409679,
"measuregrps": [
{
"grpid": 2909,
"attrib": 0,
"date": 1222930968,
"category": 1,
"measures": [
{
"value": 79300,
"type": 1,
"unit": -3
},
{
"value": 652,
"type": 5,
"unit": -1
},
{
"value": 178,
"type": 6,
"unit": -1
},
{
"value": 14125,
"type": 8,
"unit": -3
}
]
},
{
"grpid": 2908,
"attrib": 0,
"date": 1222930968,
"category": 1,
"measures": [
{
"value": 173,
"type": 4,
"unit": -2
}
]
}
]
}
}
user / getbyuserid
This service will return an array containing information regarding the specified user.
This can be used to retrive a user's firstname, lastname, gender, or birthdate.Parameters
| Required | Name | Type | Description |
| required | userid | integer | The userid of the target user. This can be obtained through an account/getuserslist or through the user's "Share" overlay in the dashboard. |
| publickey | string | The public key associated with the userid. This can be obtained through an account/getuserslist or through the user's "Share" overlay in the dashboard. |
account / getuserslist
This service can be used to retreive a user's publickey and userid using the email and password combination of a Withings account.
This service is useful in case the user's data sharing has to be activated from a third party web site. It allows all operations to be performed from this remote web site without forcing the user to actually open a session at my.withings.com. The use of this service is an option. The other option available for the user to perform the same task is to use the 'Share' overlay of the dashboard and have the user send an email to the third party application as explained here.
Using this service necessitates that the user trusts your website enough to enter their Withings account password. Please don't store it.
Parameters
| Required | Name | Type | Description |
| required | string | The email address used at account creation. | |
| hash | string | An cryptographic signature derived from the user password. See here for a complete description and sample code. |
user / update
For a user's data to be accessible through this API, a prior authorization has to be given. This can be done directly from the 'Share' overlay of the user Dashboard, or through the user?action=update service.
Please note that setting the ispublic flag to zero automatically changes the publickey of the user to a new random value.
Parameters
| Required | Name | Type | Description |
| required | userid | integer | The userid of the target user. This can be obtained through an account/getuserslist or through the user's "Share" overlay in the dashboard. |
| publickey | string | The public key associated with the userid. This can be obtained through an account/getuserslist or through the user's "Share" overlay in the dashboard. | |
| ispublic | integer | Set to 1 to enable data sharing. Set to 0 to disable data sharing. |
notify / subscribe
This service allows third parties to subscribe to notifications. Once the notification service has been subscribed, the WBS API will notify the subscriber whenever the target user's measurements or objectives are added, modified or deleted.
This allows third party applications to remain in sync with user's data.
To monitor a user, its userid and publickey are needed. Please note that unless the subscribed users have made their measurements data public, no notifications will be sent (see user/update on how to enable it).
Three parameters are mandatory in all cases : userid, publickey and callbackurl.
Parameters
| Required | Name | Type | Description |
| required | userid | integer | The userid of the user to subscribe notification for. This can be obtained through an account/getuserslist or through the user's "Share" overlay in the dashboard. |
| required | publickey | string | The public key associated with the userid. This can be obtained through an account/getuserslist or through the user's "Share" overlay in the dashboard. |
| required | callbackurl | URL-encoded string | The URL the API notification service will call. . WBS API notification are merely HTTP POST requests to this URL (such as http://www.yourdomain.net/yourCustomApplication.php ?userid=123456&startdate=1260350649&enddate=1260350650). Those requests contain startdate and enddate parameters (both are integers in EPOCH format) and the userid it refers to. It is up to the targeted system to issue a measure/getmeas request using both figures to retrieve updated data. This URL shall be provided as a URL-encoded string. Please refer to w3schools URL encoding reference to learn more about URL encoding, use free online URL encoders or check the example provided. The URL length shall not be greater than 128 characters. |
| required | comment | UTF-8 encoded string | The comment string is used as a description displayed to the user when presenting him your notification setup. |
Response
This service has no other answer than the status code that should be zero upon completion.Return codes
| Code | Description |
| 0 | Operation was successfull |
| 2555 | An unknown error occured |
| 247 | The userid is either absent or incorrect |
| 250 | The userid and publickey provided do not match, or the user does not share its data |
| 293 | The callback URL is either absent or incorrect |
| 304 | The comment is either absent or incorrect |
Example
In this example, we assume the target callback URL is http://www.yourdomain.net/yourCustomApplication.php. Once URL-encoded (you can find free online URL encoders here, this transforms into the following :
As a consequence, the resulting subscribe request results in the following. Please note how the URL-encoded form of the callback URL was used, not the callback URL itself :
{
"status": 0
}
notify / revoke
This service allows third party applications to revoke a previously subscribed notification.
This will disable the push feature between the WBS API and the specified applications for the specified user.
Three parameters are mandatory in all cases : userid, publickey and callbackurl.
Parameters
| Required | Name | Type | Description |
| required | userid | integer | The userid of the target user. |
| required | publickey | string | The public key associated with the userid. |
| required | callbackurl | URL-encoded string | The URL-encoded URL used when subscribing to the notification service for the specified user. |
Response
This service has no other answer than the status code that should be zero upon completion.Return codes
| Code | Description |
| 0 | Operation was successfull |
| 2555 | An unknown error occured |
| 247 | The userid is either absent or incorrect |
| 250 | The userid and publickey provided do not match, or the user does not share its data |
| 293 | The callback URL is either absent or incorrect |
| 294 | No such subscription could be deleted |
Example
{
"status": 0
}
notify / get
This service allows third party applications to check whether the notification service was previously subscribed on a specific user and to retrieve the subscription expiry date.
Three parameters are mandatory in all cases : userid, publickey and callbackurl.
Parameters
| Required | Name | Type | Description |
| required | userid | integer | The userid of the target user. |
| required | publickey | string | The public key associated with the userid. |
| required | callbackurl | URL-encoded string | The URL-encoded URL used when subscribing to the notification service for the specified user. |
Response
As with every service, the answer starts with a status that should be 0, and a body that contains the actual result, in this case the expiry date of the notification subscription for this user and its associated comment.
Return codes
| Code | Description |
| 0 | Operation was successfull |
| 2555 | An unknown error occured |
| 247 | The userid is either absent or incorrect |
| 250 | The userid and publickey provided do not match, or the user does not share its data |
| 286 | No such subscription was found |
| 293 | The callback URL is either absent or incorrect |
Example
{
"status": 0,
"body": {
"expires": 2147483647,
"comment": "Your Own Application Description"
}
}
How to compute the hash
Every solution for transporting a password over an non-secure network (the internet) has advantages and drawbacks. We had to achieve a trade-off between several options, keeping in mind that extremely large portability had to be insured. Here is what we came to:
- Step 1: Call the once?action=get service. A once magic string will be returned.
- Step 2: Make a string which is the concatenation of the email address, the MD5 hash of the password and the once separated with ":".
- Step 3: Using, once again, your usual MD5 library, compute the MD5 of the string obtained in step 2.
- Step 4: Use a hexadecimal representation of the result of the MD5 hash as the hash parameter of the WBSAPI service.
- Step 1:
http://wbsapi.withings.net/once?action=getreturns{"status":0,"body":{"once":"4a8947d9-25e849fd"}}
- Step 2:
If the account address is demo@withings.com and the password bozo, then the resulting string isdemo@withings.com:e1c8d6347c0c24e5cbc60e508f3fc1b5:4a8947d9-25e849fdbecause the MD5 hash of bozo equals e1c8d6347c0c24e5cbc60e508f3fc1b5. - Step 3:
The resulting MD5 hash of the above example is99eb3bc8555ca782fa4a0fda53bc8a1a - Step 4:
So one may use, for example:http://wbsapi.withings.net/account?action=getuserslist&email=demo@withings.com&hash=99eb3bc8555ca782fa4a0fda53bc8a1a
Getting userid and publickey by email.
A simple way of connecting a user to your application is to ask the user to send your application an email by using the 'Share' overlay on their dashboard.
Every email sent from the dashboard contains two specific tags in the email headers, namely X-userid and X-publickey. Please use them. Don't try to parse the body of the email since it may (and will) change from time to time and because it is localized in various languages and character sets.
From: Withings <www-data@withings.net>
To: =?iso-8859-1?Q?'C=E9dric_Hutchings'?= <cedric.hutchings@withings.com>
Subject: I want to share my Withings data with you.
Date: Mon, 17 Aug 2009 14:46:13 +0200
Message-ID: <CDFD5A3DED8641CAA132AAF94E44AE42@Seurat>
MIME-Version: 1.0
X-userid: 88
X-publickey: b71d95d5fb963458
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0124_01CA1FFA.DBB90020"
Thread-Index: Acob64EPSheFDlUQT+yd2BeGbHOpBAAJUOjQAMn44FA=
Status: RO
Content-Length: 58160
If the system receiving those emails runs Unix, procmail and formail are probably good tools to handle those headers.
English |
Français |
Deutsch |
Español |
Italiano |
Nederlands |
日本語