Vital Sign-In Token

In the Vital Sign-In Token scheme, each mobile app installation signs in with Vital Mobile SDK as an individual user in your Team. The app installation would be granted only Vital API access scoped to that specific user.

Instead of hardcoding a Vital API Key, your app would request your own backend to generate a Vital Sign-In Token for the user, through your own API authentication and authorization systems.

In this model, your Vital API Keys are kept strictly as a server-side secret.

Persistence

The signed-in user is persistent across app relaunch and device reboots.

Access Scope

Only user-level resources of the signed-in user can be accessed.

Overview

Case Study: A typical Backend - Mobile App flow

1

Your app -> Your identity provider

Your end user signs in with your Identity Provider — a separate IdP, or your own API acting as one — through password authentication, Social Login, Single Sign-On (SSO) or any other authentication methods.

2

Your app -> Your backend API

Once your user has successfully authenticated, your app is issued with token secrets for accessing your backend API. Your app stores these token secrets securely.

It then makes some API requests to your backend API, in order to gather all information required to setup your app into an authenticated state.

Among these API requests, one would be requesting your backend API to issue a Vital Sign-In Token for your authenticated user.

3

Your backend service <-> Vital API

Your backend API receives and validates the token issuance request. Once validated, your backend service:

  • Look up the Vital User associated with this authenticated user;

  • If one does not yet exist, call the Create User endpoint to create a Vital User; and

  • Call the Create Sign-In Token endpoint to obtain a Vital Sign-In Token for this Vital user.

Only this step would use a Vital API Key. Because this step happens in your backend service, this enables you to keep the Vital API Key strictly as a server-side secret.

curl --request POST
  --url '{{BASE_URL}}/v2/user/{{USER_ID}}/sign_in_token'
  --header 'X-Vital-API-Key: <YOUR-API-KEY>'

Your backend API then responds to your app with the obtained Vital Sign-In Token:

{
  "user_id": "e209947b-323e-4108-8e18-1518b80da0bd",
  "sign_in_token": "XYZ=="
}
4

Your backend API -> Your app

Your app receives a response from your backend API, which includes the Vital Sign-In Token for the authenticated user.

Your app then calls the Vital Mobile SDK signIn method with the Vital Sign-In Token:

import VitalCore

let response: MyAPIResponse = // ....

do {
  try await VitalClient.signIn(withRawToken: response.signInToken)

  print("Signed in with Vital successfully")
} catch let error {
  print("Error signing in with Vital", error)
}

signIn() throws an error when you have already signed in with the Vital SDK.

You can inspect the Core SDK status at any time for troubleshooting. You can also rely on the Core SDK status to reconcile differences between your own user session state and Vital SDK sign-in.

5

Voila!

The Vital Mobile SDK is now signed-in with the Vital User associated with your authenticated user. You can now proceed to use all the Vital SDK features.

Vital API Keys

API Key is discouraged for production mobile apps, since it would be distributed as cleartext. API Key support is intended only for customer early evaluation in Sandbox.

Use Vital Sign-In Token whenever possible.

Vital Mobile SDK can be configured to authenticate using API Key alongside a target user ID.

import VitalCore

VitalClient.configure(
  apiKey: "sk_us_...",
  environment: .sandbox(.us)
)
VitalClient.setUserId(UUID(uuidString: "ccd6f98d-3a2a-433b-a114-8fe064f301ed")!)

When running on iOS, the SDK must be explicitly configured before other SDK methods can be invoked.

Alternatively, follow the Apple HealthKit guide to enable SDK Automatic Configuration during app launch. This auto-configures the SDK using the last known configuration you supplied — including but not limited to the API Key, the environment and the target User ID. Not only is this a prerequisite to enable HealthKit Background Delivery, this allows you also to only call configure(...) and setUserId(...) once to “sign-in” the user persistently when using the Vital API Key scheme.

Sign Out

Regardless of the authentication scheme you used, you can sign out with the Vital SDK using signOut(). This erases any persistent user session and configuration stored by the Vital Core and Health SDKs.

import VitalCore

await VitalClient.shared.signOut()

Migrate from Vital API Keys to Vital Sign-In Tokens

Always use Vital Sign-In Token for your production mobile apps.

An existing app installation signed-in with Vital API Key + User ID can be seamlessly migrated to use Vital Sign-In Tokens.

It is as simple as performing a one-off migration logic during app launch:

1

Condition to migrate

Check whether the Vital SDK status includes useApiKey (i.e., the user is signed in using Vital API Key).

2

Obtain a Vital Sign-In Token

Similar to the new user sign-in flow, your app needs to obtain a Vital Sign-In Token through your backend service.

3

Sign-in with the token

Your app can simply sign-in with the Vital Sign-In Token.

Note that it is unnecessary to reset the SDK beforehand — the SDK signIn method would automatically migrate, as long as the supplied Sign-In Token is compatible with the existing API Key sign-in (i.e., having the same Vital user ID, same Vital environment, and same Vital region).

import VitalCore

if VitalClient.status.contains(.useApiKey) {
  do {
    let response = await callBackend(...)
    try await VitalClient.signIn(withToken: response.signInToken)
  }

    print("Signed in with Vital successfully")
  } catch let error {
    print("Error signing in with Vital", error)
  }
}