POST /auth/user-token Generate user token

Generates a short-lived, read-only JWT scoped to a single user. Pass it to your frontend so clients can query health data directly without exposing your API key.

Example Request

bash
curl -X POST \
  "https://api.sonarhealth.co/v1/auth/user-token" \
  -H "Authorization: Bearer $TOKEN"

Response 200 User token (1 hour lifetime)

json
{
  "token": "eyJhbGciOiJSUzI1NiIs...",
  "user_id": "usr_abc123",
  "expires_at": "2025-01-15T11:00:00Z"
}

POST /auth/user-token/refresh Refresh user token

Issues a new user token for the same user. Call from your backend before the current token expires.

Example Request

bash
curl -X POST \
  "https://api.sonarhealth.co/v1/auth/user-token/refresh" \
  -H "Authorization: Bearer $TOKEN"

Response 200 Refreshed user token

json
{
  "token": "eyJhbGciOiJSUzI1NiIs...",
  "user_id": "usr_abc123",
  "expires_at": "2025-01-15T12:00:00Z"
}
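
One way a backend might follow the "refresh before the current token expires" guidance while handing the frontend only the token; this is an added example, not code from the API's own documentation. `UserTokenCache`, the `issue` and `refresh` callables (stand-ins for the two POST requests above), the five-minute margin, and reissuing after expiry are all assumptions.

```python
from datetime import datetime, timedelta, timezone

def parse_expiry(value):
    # expires_at as shown in the responses above, e.g. "2025-01-15T11:00:00Z"
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class UserTokenCache:
    # issue/refresh: hypothetical callables that make the two POST requests and
    # return the parsed JSON body. The API key stays inside them.
    def __init__(self, user_id, issue, refresh, now, margin=timedelta(minutes=5)):
        self.user_id, self._issue, self._refresh = user_id, issue, refresh
        self._now, self._margin, self._current = now, margin, None

    def _accept(self, body):
        # Refuse a token for another user or one that is already expired.
        if body["user_id"] != self.user_id:
            raise ValueError("token issued for unexpected user")
        if parse_expiry(body["expires_at"]) <= self._now():
            raise ValueError("token already expired")
        self._current = body

    def for_frontend(self):
        if self._current is None:
            self._accept(self._issue())
        else:
            left = parse_expiry(self._current["expires_at"]) - self._now()
            if left <= timedelta(0):
                self._accept(self._issue())    # assumption: expired tokens are reissued
            elif left <= self._margin:
                self._accept(self._refresh())  # refresh before expiry
        # Only the token and its expiry leave the backend.
        return {k: self._current[k] for k in ("token", "expires_at")}

def demo():
    # Constructed clock and responses; no network access.
    clock, calls = [datetime(2025, 1, 15, 10, 0, tzinfo=timezone.utc)], []
    def fake(name):
        def call():
            calls.append(name)
            exp = (clock[0] + timedelta(hours=1)).strftime("%Y-%m-%dT%H:%M:%SZ")
            return {"token": f"constructed-{len(calls)}", "user_id": "usr_abc123", "expires_at": exp}
        return call
    cache = UserTokenCache("usr_abc123", fake("issue"), fake("refresh"), lambda: clock[0])
    cache.for_frontend()                  # first use: issue
    clock[0] += timedelta(minutes=30)
    cache.for_frontend()                  # 30 minutes left: served from cache
    clock[0] += timedelta(minutes=27)
    out = cache.for_frontend()            # 3 minutes left: refresh
    return calls, out
```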

POST /auth/mobile-token Generate mobile SDK token

Generates a single-use token for initializing the Mobile SDK on a user's device. Expires in 5 minutes. Never expose your API key in mobile apps — use this token instead.

Example Request

bash
curl -X POST \
  "https://api.sonarhealth.co/v1/auth/mobile-token" \
  -H "Authorization: Bearer $TOKEN"

Response 200 Mobile token (5 minute lifetime, single-use)

json
{
  "token": "mt_xK9mP2...",
  "user_id": "usr_abc123",
  "expires_at": "2025-01-15T10:05:00Z"
}