Health Graph tip: Authorization removal callbacks
This deauthorization callback how-to is the first of an intermittent series of tips-and-tricks posts. Note that this post was updated to reflect more liberal API Policies in May 2012.
Here's how it works: whenever a user permanently disconnects your application from their RunKeeper account, and they have not authorized you to retain their Health Graph data after that disconnection, the system sends an HTTP POST to the deauthorization callback URL you supplied at registration. The body is in application/json format and carries a single parameter, "access_token", holding the now-invalid token. The request from the Health Graph system will look like this:
POST callback_url HTTP/1.1
Host: callback_host
Content-Type: application/json
Content-Length: nnn

{"access_token": "some_token"}

where callback_url is the URL supplied during registration, callback_host is the host portion of callback_url, nnn is the length of the request body, and some_token is the revoked token.
Please refer to the Health Graph Registration and Authorization documentation for more.
Additional notes: If you request data-retention capabilities, you are required to honor the decision the user makes at disconnection time on whether you may retain their data. That means implementing this callback so that, whenever the Health Graph system calls it, you delete all of the given user's Health Graph-originated data. Keep in mind that the token is the only thing in the request and it is already invalid, so you cannot use it to query the API for confirmation; the one check available to you is whether it matches a token your application holds. Delete the data of the user it matches, and ignore (but log) a token you do not recognize, so that a redelivered callback stays harmless. Note that this callback is patterned after the similar deauthorization callback in Facebook's OAuth implementation.
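As an added example (not RunKeeper's code and not from the original post), here is the exchange described above rendered in Python: a sender that builds the callback request as the post describes it, and a receiver that finds the user by the revoked token and deletes their Health Graph-originated data. The URL app.example, the sample users and records, and the in-memory ConnectionStore are constructed for this example; the header layout beyond what the post names (Host, Content-Type: application/json, Content-Length) is an assumption, as is serving the endpoint over TLS.

```python
# Added example: a receiver for the Health Graph deauthorization callback
# described in this post. This is not RunKeeper's code. Assumed (not stated on
# the page): the app keeps each user's access token and Health Graph-derived
# records in its own database (an in-memory stand-in here), and the callback
# endpoint is served over TLS.
import json
from urllib.parse import urlsplit


def build_callback_request(callback_url: str, revoked_token: str) -> bytes:
    """Render the request the post describes: POST to callback_url, an
    application/json body holding the single parameter access_token, and
    Content-Length (the post's nnn) equal to the body size. The exact header
    layout is this example's assumption, not a quotation of the spec."""
    parts = urlsplit(callback_url)
    body = json.dumps({"access_token": revoked_token}).encode("utf-8")
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    head = (
        f"POST {target} HTTP/1.1\r\n"
        f"Host: {parts.netloc}\r\n"  # the post's callback_host
        "Content-Type: application/json\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + body


def parse_http_request(raw: bytes):
    """Minimal HTTP/1.1 request parser, enough for this callback.
    Returns (method, target, headers{lowercased name: value}, body)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return method, target, headers, rest[:length]


class ConnectionStore:
    """In-memory stand-in for the application's user database (constructed here)."""

    def __init__(self):
        self.users = {}  # user_id -> {"token": str | None, "hg_data": [records]}
        self.audit = []  # what the callback did, for the application's own logs

    def connect(self, user_id, access_token, hg_data):
        self.users[user_id] = {"token": access_token, "hg_data": list(hg_data)}

    def user_for_token(self, token):
        for user_id, rec in self.users.items():
            if rec["token"] is not None and rec["token"] == token:
                return user_id
        return None

    def purge_health_graph_data(self, user_id):
        rec = self.users[user_id]
        rec["hg_data"].clear()  # everything that originated from the Health Graph
        rec["token"] = None     # the token is revoked; never reuse it
        self.audit.append(("purged", user_id))


def handle_deauthorization(method, headers, body, store):
    """Process one callback delivery. Returns (HTTP status, outcome label).
    The token is the only thing in the request and it is already invalid, so it
    cannot be verified against the API; the sole check available is whether it
    matches a token this application holds."""
    if method != "POST":
        return 405, "method-not-allowed"
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return 415, "unsupported-media-type"
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, "malformed-body"
    token = payload.get("access_token") if isinstance(payload, dict) else None
    if not isinstance(token, str) or not token:
        return 400, "missing-access-token"
    user_id = store.user_for_token(token)
    if user_id is None:
        # Unknown or already-purged token: nothing to delete. Answer 200 so a
        # redelivery of a handled callback stays idempotent; record it for review.
        store.audit.append(("unknown-token", None))
        return 200, "unknown-token"
    store.purge_health_graph_data(user_id)
    return 200, "purged"


if __name__ == "__main__":
    store = ConnectionStore()
    # constructed sample data
    store.connect("alice", "tok-alice", ["fitness-activity-1", "weight-1"])
    raw = build_callback_request("https://app.example/hg/deauth", "tok-alice")
    print(raw.decode())
    method, _target, headers, body = parse_http_request(raw)
    print(handle_deauthorization(method, headers, body, store))
    print(store.users["alice"], store.audit)
```

The receiver answers 200 for a token it does not hold rather than an error: the Health Graph has already revoked the token, so there is nothing for the sender to correct, and a retried delivery of a callback you already honored must not be treated as a failure. The lookup happens only against tokens your own application stored, which is the only trust anchor this request offers.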
Questions? Please post them to the callback discussion on the Health Graph group.
Cross-posted from the Health Graph blog.