
Finalizing User Authentication


Finalizing the authentication flow requires implementing a single server-side endpoint. Let's walk through how to do it.

As we outlined in previous steps, after a user finishes connecting their health data through the Human Connect popup, you will get a `sessionTokenObject` with the following parameters:

```json
{
  "humanId": "52867cbede3155565f000a0d",
  "clientId": "2e9574ecd415c99346879d07689ec1c732c11036",
  "sessionToken": "8836c122c0483eb193ac2dd121136931"
}
```

You should send this token object from the client to your server as-is (for mobile SDKs, this is referred to as the `authURL`). On the server you need to add your `clientSecret` property to this object. This is done so that we can verify the request came from your application. You can find this value on your app settings page in the Developer Portal. Keep the `clientSecret` in your server-side configuration; it must never be embedded in client-side or mobile code. A signed payload should look like this:

```json
{
  "humanId": "52867cbede3155565f000a0d",
  "clientId": "2e9574ecd415c99346879d07689ec1c732c11036",
  "clientSecret": "ee1551fb509598d0b656811633310889dc306aa3",
  "sessionToken": "8836c122c0483eb193ac2dd121136931"
}
```

Now you can POST this signed object to the tokens endpoint below. Ensure that you set the `Content-Type` header to `application/json`.

```text
https://user.humanapi.co/v1/connect/tokens
```

Here is an example of how you could do so in Node.js:

```javascript
var express = require('express');
var bodyParser = require('body-parser');
var request = require('request');

var app = express();
app.use(bodyParser.json());
// common code for web app configuration should go here
// ...

app.post('/connect/finish', function(req, res) {
  var sessionTokenObject = req.body;
  // grab the client secret from the app settings page (held in server-side config,
  // here an environment variable) and `sign` `sessionTokenObject` with it.
  sessionTokenObject.clientSecret = process.env.HUMANAPI_CLIENT_SECRET; // '#CLIENT_SECRET'

  request({
    method: 'POST',
    uri: 'https://user.humanapi.co/v1/connect/tokens',
    json: sessionTokenObject
  }, function(err, resp, body) {
    // a transport error or a response without the expected tokens is a failure
    if (err || !body || !body.accessToken) return res.sendStatus(422);
    // at this point the body object has `accessToken`, `publicToken` and `humanId`.
    // Store these fields in your system in association with the user's record.
    // `accessToken` stays server-side (see the table below); only `humanId` and
    // `publicToken` are returned to the client.
    res.status(201).json({ humanId: body.humanId, publicToken: body.publicToken });
  });
});

app.listen(3000);
```

If the object was correctly sent you will get a response like this:

```json
{
  "humanId": "52867cbede3155565f000a0d",
  "accessToken": "95891f14f4bcpa23261987effc7cfac7fedf7330",
  "publicToken": "2767d6oea95f4c3db8e8f3d0a1238302",
  "clientId": "2e9574ecd415c99346879d07689ec1c732c11036",
  "clientUserId": "user@yourdomain.com"
}
```

| Property | Type | Description |
|---|---|---|
| `humanId` | `String` | A unique ID for the Human API user. Only usable by the application that registered the user. |
| `accessToken` | `String` | Unique token for the user. Used to query the user's health data. Should not be shared. |
| `publicToken` | `String` | Unique token for the user. Used to launch the Human Connect popup in edit mode. This token does not give access to the user's health data through the API. To retrieve the `publicToken` for existing users, follow the instructions at the bottom of this page. |
| `clientId` | `String` | Unique ID of the Developer Portal app you are working with. |
| `clientUserId` | `String` | Unique user ID passed into Human Connect during the initial launch. Use this to associate the returned tokens with the appropriate local user. |

You need to save `humanId`, `accessToken`, and `publicToken` somewhere in your system, and associate them with that particular user record.

**User authentication via Human Connect is now complete!** Utilize the `accessToken` to [query the user's health data](doc:data-overview) from Human API and don't forget to pass the `publicToken` to the Human Connect popup next time the user tries to add or remove a source.

Also, see the [Customizing Human Connect](doc:customizing-human-connect) page for info on customizing the language and format of the Human Connect popup.

# Retrieve the `publicToken` for an Existing User

In the event that you've forgotten to save a user's `publicToken`, you can retrieve it by POSTing the appropriate `humanId`, `clientId`, and `clientSecret` to the publicTokens endpoint below. Ensure that you set the `Content-Type` header to `application/json`.

```text
https://user.humanapi.co/v1/connect/publictokens
```

The payload will have the following properties:

```json
{
  "humanId": "52867cbede3155565f000a0d",
  "clientId": "2e9574ecd415c99346879d07689ec1c732c11036",
  "clientSecret": "ee1551fb509598d0b656811633310889dc306aa3"
}
```

The response to this query will have the `humanId` and the new `publicToken`:

```json
{
  "humanId": "52867cbede3155565f000a0d",
  "publicToken": "a95f4c3db8e8f3d0a1232767d6oe8399"
}
```
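The following is an added example, not Human API's own code, showing the server-side checks that belong around the tokens exchange described earlier on this page: validating the `sessionTokenObject` before the `clientSecret` is attached, and binding the returned tokens to the logged-in user via `clientUserId` while keeping `accessToken` server-side. The helper names, the alphanumeric format check and the placeholder secret are assumptions; nothing here talks to the network.

```javascript
const TOKEN_SHAPE = /^[0-9a-zA-Z]{16,64}$/; // assumed shape of the opaque IDs shown on this page

// Reject anything that is not the expected sessionTokenObject before the clientSecret
// is attached; a token object carrying a different app's clientId is never signed.
function validateSessionTokenObject(obj, appClientId) {
  if (!obj || typeof obj !== 'object') throw new Error('missing token object');
  for (const key of ['humanId', 'clientId', 'sessionToken']) {
    if (typeof obj[key] !== 'string' || !TOKEN_SHAPE.test(obj[key])) {
      throw new Error('invalid ' + key);
    }
  }
  if (obj.clientId !== appClientId) throw new Error('clientId is not this app');
  // Whitelist the three fields so client-supplied extras never reach the tokens endpoint.
  return { humanId: obj.humanId, clientId: obj.clientId, sessionToken: obj.sessionToken };
}

// The signed payload described above: the validated object plus the server-held clientSecret.
function signSessionTokenObject(obj, appClientId, clientSecret) {
  if (typeof clientSecret !== 'string' || clientSecret.length === 0) {
    throw new Error('clientSecret is not configured');
  }
  return Object.assign(validateSessionTokenObject(obj, appClientId), { clientSecret: clientSecret });
}

// Split the tokens response: accessToken is stored server-side only, publicToken may
// go back to the browser. clientUserId must match the logged-in user so the tokens
// are attached to the right local record and not to whoever posted the token object.
function splitTokensResponse(body, expectedClientUserId) {
  if (!body || body.clientUserId !== expectedClientUserId) {
    throw new Error('clientUserId does not match the current user');
  }
  return {
    store: { humanId: body.humanId, accessToken: body.accessToken, publicToken: body.publicToken },
    reply: { humanId: body.humanId, publicToken: body.publicToken }
  };
}

// Constructed sample run using the values shown on this page; the secret is a placeholder.
function demo() {
  const appClientId = '2e9574ecd415c99346879d07689ec1c732c11036';
  const fromClient = { humanId: '52867cbede3155565f000a0d', clientId: appClientId,
    sessionToken: '8836c122c0483eb193ac2dd121136931', extra: 'ignored' };
  const signed = signSessionTokenObject(fromClient, appClientId, 'CLIENT_SECRET_PLACEHOLDER');
  const tokensBody = { humanId: '52867cbede3155565f000a0d', clientId: appClientId,
    accessToken: '95891f14f4bcpa23261987effc7cfac7fedf7330',
    publicToken: '2767d6oea95f4c3db8e8f3d0a1238302', clientUserId: 'user@yourdomain.com' };
  return { signed: signed, split: splitTokensResponse(tokensBody, 'user@yourdomain.com') };
}
```

In the Express handler above, `signSessionTokenObject` would run on `req.body` before the request is sent, and `splitTokensResponse` on the response body with the current session's user ID before anything is stored or returned.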