Health Graph tip: Authorization removal callbacks

November 10, 2011

This deauthorization callback how-to is the first of an intermittent series of tips-and-tricks posts. Note that this post was updated to reflect more liberal API Policies in May 2012.

The Health Graph now supports callback URLs for removal of user authorizations. You should specify your callback URL when you register your application in the Partner portal.

Here’s how it works: whenever a user permanently disconnects your application from their RunKeeper account, and they have not authorized you to retain their Health Graph data after that disconnection, the system sends an HTTP POST (with an application/json body) to the callback URL carrying a single parameter, “access_token”, whose value is the now-invalid token. The request from the Health Graph system will look like this:

POST callback_url HTTP/1.1
Host: callback_host
Content-Type: application/json
Content-Length: nnn

{"access_token":"some_token"}

where callback_url is the URL supplied during registration, callback_host is the host portion of callback_url, nnn is the length of the request body, and some_token is the revoked token.

Please refer to the Health Graph Registration and Authorization documentation for more.

Additional notes: If you request data retention capabilities, you are required to honor the decision the user makes at disconnection time on whether to authorize that retention. In that case, you must implement this callback so that, whenever the Health Graph system calls it, you delete the given user’s Health Graph originated data. Note that this callback is patterned after a similar callback in Facebook’s OAuth deauthorization implementation.
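Below is an added example of a partner-side handler for the request shown above, covering both the callback format and the data-deletion obligation described in the notes. It is illustrative code written for this post, not Health Graph or RunKeeper code, and it assumes a partner application that maps each access token to a user and stores that user’s Health Graph data; the token-to-user map, the per-user data store and the token values are constructed sample data. Because the post describes no signature or shared secret on the callback, the handler treats an unknown token as a no-op and answers 200 either way, so an unauthenticated caller learns nothing about which tokens are live; a malformed body or a non-JSON content type is rejected without touching stored data.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample stores standing in for the partner application's database.
# TOKENS maps an issued Health Graph access token to the local user it belongs to;
# USER_DATA holds the Health Graph originated records kept for each local user.
TOKENS = {"some_token": "user-42", "other_token": "user-7"}
USER_DATA = {
    "user-42": [{"type": "fitness_activity", "uri": "/fitnessActivities/1"}],
    "user-7": [{"type": "weight", "uri": "/weight/9"}],
}


def revoke_and_purge(access_token, tokens=TOKENS, user_data=USER_DATA):
    """Invalidate the token locally and delete the owning user's Health Graph data.

    Returns (user_id, number_of_records_deleted), or None if the token is unknown.
    The token is removed first so that no later request can reuse it even if the
    data deletion were to fail part-way.
    """
    user_id = tokens.pop(access_token, None)
    if user_id is None:
        return None
    removed = user_data.pop(user_id, [])
    return user_id, len(removed)


def handle_deauthorization(content_type, body, tokens=TOKENS, user_data=USER_DATA):
    """Process one callback POST and return the HTTP status code to send back.

    415: body is not declared as application/json (the format the post specifies).
    400: body is not a JSON object with a non-empty string "access_token".
    200: the token was processed; the same answer is given for unknown tokens so the
         endpoint does not act as an oracle for which tokens are currently valid.
    """
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type != "application/json":
        return 415
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400
    token = payload.get("access_token") if isinstance(payload, dict) else None
    if not isinstance(token, str) or not token:
        return 400
    revoke_and_purge(token, tokens, user_data)
    return 200


class DeauthorizationHandler(BaseHTTPRequestHandler):
    """Minimal HTTP endpoint that delegates to handle_deauthorization()."""

    # Cap the body size: the real payload is a single short token, so anything
    # large is not a legitimate callback and is refused before being read.
    MAX_BODY = 4096

    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            length = -1
        if length < 0 or length > self.MAX_BODY:
            status = 400
        else:
            body = self.rfile.read(length)
            status = handle_deauthorization(self.headers.get("Content-Type"), body)
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # Example usage: serve the callback on a local port (placeholder address).
    HTTPServer(("127.0.0.1", 8080), DeauthorizationHandler).serve_forever()
```

The status code is returned from a plain function so the parsing and deletion logic can be unit-tested without a socket; the `BaseHTTPRequestHandler` wrapper only reads the body (up to a small cap) and relays the result.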

Questions? Please post them to the callback discussion on the Health Graph group.

Cross-posted from the Health Graph blog.
