Do not index
Do not index
Vital Sign-In Token is a new authentication scheme for Vital Mobile SDKs.
Documentation and migration guide for Vital Sign-In Token is available at https://docs.tryvital.io/wearables/sdks/authentication
- Your backend service generates a one-off Vital Sign-In Token for your mobile app user.
- Your mobile apps use the token to sign-in with Vital Mobile SDKs.
- Once signed-in, your app would authenticate to Vital API only as that specific user. The SDK would remember the sign-in session in persistent storage, until you instruct the SDK to reset.
With Vital Sign-In Tokens:
- A SDK sign-in can access only API resources linked to the user.
- The SDK no longer requires your Vital API Key to function.
This means you can now keep your API Keys strictly a server-side secret, and therefore restrict full data access only to your internal systems.
Vital is planning to roll out stricter API rate limiting in early 2024.
If you use Vital API exclusively with server-to-server traffic or the Vital Connect apps, you should prepare for
429(Too Many Requests) responses from the Vital API as a result of rate limiting. IETF Draft compliant rate limit headers would be included in
429(Too Many Requests) responses. Though in absence of the headers, you can fallback to the assumption that the Vital API rate limit are minute-based.
If you use Vital Mobile SDKs with API Key authentication, any Mobile SDK data push traffic competes for rate limit quota against your server-to-server traffic. Vital Sign-In Token avoids this caveat, since SDK installations would be authenticated to the Vital API as individual Vital users rather than a Vital team (API Key) and thereby enjoying a per-user rate limit.
API Key in Mobile SDKs are no longer recommended for production usage, though Vital would continue to support it for early evaluation in Sandbox. Production mobile apps are encouraged to migrate to Vital Sign-In Tokens as soon as possible.