Authentication
Authentication
MTH Health uses a two-tier authentication system. API keys authenticate your application for user management, while user tokens authenticate individual users for their scoped data operations.
Two-tier authentication
The API distinguishes between two types of credentials, each granting access to different sets of endpoints:
| Credential | Used for | How to obtain |
|---|---|---|
| API Key | User management (create, read, update, delete users) | Created in the admin portal, scoped to an app |
| User Token | Connections, journal entries, scores, and other user-scoped operations | Returned when creating or re-creating a user, or via rotate-token endpoint |
Both credential types are passed in the Authorization header using the Bearer scheme. For compatibility during development, the API also accepts the legacy X-App-Api-Key and X-User-Token headers, but Authorization: Bearer ... is the preferred long-term contract.
Authorization: Bearer YOUR_API_KEY_OR_USER_TOKENAPI Keys
API keys authenticate your application at the server level. They are used exclusively for user management operations -- creating, reading, updating, and deleting users.
Creating an API key
Follow these steps to create a new API key:
Open the Admin Portal
Sign in to the Admin Portal and select your tenant and application.
Navigate to API Keys
In the left sidebar, click API Keys. This page lists all existing keys for the selected application.
Create a new key
Click Create API Key. Give the key a descriptive name (e.g., "Production Backend").
Copy your key
After creation, the full API key is displayed once. Copy it and store it securely -- it cannot be retrieved again. If lost, revoke the key and create a new one.
Using an API key
Include the API key in the Authorization header for all user management requests:
curl -X POST \ https://health-api.movetohappiness.com/api/v1/users \ -H "Authorization: Bearer YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "externalUserId": "user-123", "locale": "en-US", "timezone": "Europe/Brussels" }'
If a request is made without a valid key, or to an endpoint that requires a user token instead, the API returns a 401 Unauthorized response.
User Tokens
User tokens authenticate individual users and grant access to their scoped data. They are used for connections management, nutrition journaling, health scores retrieval, and any other user-specific operations. User tokens authenticate the individual user making the request.
For nutrition journaling, the user token is also what you use to create dedicated Water and Coffee entries in addition to meals and generic drinks.
Obtaining a user token
A user token is automatically generated and included in the response when you create a user via POST /api/v1/users. That endpoint is idempotent: it returns 201 Created for a new user, or 200 OK if the externalUserId already exists and a fresh token is issued for the existing user. In both cases, the token appears in the token field:
{
"id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"appId": "e5f6g7h8-i9j0-1234-klmn-op5678901234",
"externalUserId": "user-123",
"status": "Active",
"token": "usr_tok_abc123def456ghi789...",
...
}Store this token securely in your backend. You will pass it as a Bearer token for all user-scoped API calls.
Using a user token
Include the user token in the Authorization header for connections, journal, and scores requests:
curl -X GET \ "https://health-api.movetohappiness.com/api/v1/scores/daily?from=2026-03-10&to=2026-03-15" \ -H "Authorization: Bearer usr_tok_abc123def456ghi789..."
curl -X POST \ https://health-api.movetohappiness.com/api/v1/users/a1b2c3d4-e5f6-7890-abcd-ef1234567890/journal-entries \ -H "Authorization: Bearer usr_tok_abc123def456ghi789..." \ -H "Content-Type: application/json" \ -d '{ "entryKind": "Coffee", "nutrients": { "caffeineMg": 95, "volumeMl": 240 } }'
Valid journal entryKind values are Meal, Drink, Water, and Coffee.
Rotating a user token
If a user token is compromised or you want to rotate it as a security measure, use the rotate-token endpoint. This invalidates the old token and returns a new one:
curl -X POST \ https://health-api.movetohappiness.com/api/v1/users/a1b2c3d4-e5f6-7890-abcd-ef1234567890/rotate-token \ -H "Authorization: Bearer YOUR_API_KEY"
{
"token": "usr_tok_new123xyz456abc789..."
}Security best practices
Never expose API keys or user tokens in client-side code, mobile apps, or browser network requests. Always make MTH Health API calls from your backend server.
All API communication must use HTTPS. Requests over plain HTTP are rejected. This ensures credentials and health data are encrypted in transit.
Use the rotate-token endpoint to periodically rotate user tokens. For API keys, create new keys and revoke old ones through the admin portal.
Use API keys only for user management operations from your server. Store user tokens per-user in your database and use them for that user's data operations only.