API features

Is there a subscription or real-time notification API?

Yes, see Notification API.

Is there an upload API?

There are no short-term plans to support posting data at the moment. This may change in the future though.

Are the records available via API?

The all-time, monthly and weekly records are currently client-only.

Are multiple callback/redirect URIs supported?

A maximum of three redirect URIs can be specified per app.


What is the difference between authorization code, access token and refresh token?

The ‘authorization code’ is used to fetch an ‘access token’ from our OAuth endpoint as part of the authentication flow. Usually one doesn’t need to store the code, as it expires in a few minutes. The ‘access token’ should be stored (attached to the user account in your system) and used in API calls. Make sure you store the ‘refresh token’ also, as it is used to get a new access token without the user having to reauthorize your app.

How can the user revoke access?

Moves provides a UI in the app to revoke access to apps. Revocation results in failing API calls and unsuccessful token refresh responses.

How long does it take for access tokens to expire?

Access tokens are currently valid for 6 months. The expiry times are subject to change, so you shouldn’t rely on this being the exact duration. You can use the /oauth/v1/tokeninfo endpoint to query the expiry status of an access token.
If the access token expires, API calls will return 401 Not Authorized responses. Your code should catch these cases and make a refresh token request to get a new access token and refresh token and then re-issue the API call. If refreshing fails, it probably means that the user has revoked access to your app.
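
The refresh-and-retry handling described above, as an added example (not code from the Moves API or its documentation). The callables api_call, refresh and save are hypothetical stand-ins for your HTTP client, your refresh token request and your token storage; no Moves request format is assumed, and the sample tokens are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


class AccessRevoked(Exception):
    """Refresh was rejected: treat the user's authorization as gone."""


@dataclass
class TokenPair:
    access_token: str
    refresh_token: str


def call_with_refresh(tokens: TokenPair,
                      api_call: Callable[[str], Tuple[int, object]],
                      refresh: Callable[[str], Optional[TokenPair]],
                      save: Callable[[TokenPair], None]) -> Tuple[int, object]:
    """Run api_call; on 401 refresh once, persist the new pair, retry once."""
    status, body = api_call(tokens.access_token)
    if status != 401:
        return status, body
    new = refresh(tokens.refresh_token)
    if new is None:
        # Per the FAQ, a failed refresh probably means the user revoked access.
        raise AccessRevoked("refresh rejected; ask the user to reauthorize")
    save(new)  # store the new access AND refresh token before using them
    return api_call(new.access_token)  # single retry, never a loop


def demo(revoked: bool):
    """Constructed in-memory stand-ins for the API and the token endpoint."""
    store = {"user-1": TokenPair("expired-at", "rt-1")}

    def api_call(access_token):
        return (200, {"ok": True}) if access_token == "fresh-at" else (401, None)

    def refresh(refresh_token):
        if revoked or refresh_token != "rt-1":
            return None
        return TokenPair("fresh-at", "rt-2")

    def save(pair):
        store["user-1"] = pair

    try:
        status, _ = call_with_refresh(store["user-1"], api_call, refresh, save)
    except AccessRevoked:
        return "revoked", store["user-1"]
    return status, store["user-1"]
```

Saving the new pair before the retry keeps the stored refresh token current even if the retried call fails for an unrelated reason.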


Can the API be used without a server?

You should have a server component for any publicly usable app. Nothing prevents you from using the API from the client side only, though, and that should be fine for personal projects.

Why does the API return one day too many or null days?

The timespan for a day depends on the user’s current timezone, and we accept a date as a valid ‘today’ once that date has started in UTC+14. So in the weekly and monthly queries there can be an extra ‘null’ day for some users, if the day hasn’t yet changed in the user’s current timezone. This should get fixed with proper timezone support.
There can also be null days in the past if the user hasn’t been running Moves on those days, and for the current day if the user hasn’t used Moves yet and/or there has not been a working internet connection.


/oauth/v1/access_token returns 425 Method Not Allowed

Make sure you are using a POST request.

/oauth/v1/access_token returns invalid_grant error

invalid_grant can happen if

1) the code in the request is not valid or
2) the code has expired (it’s valid for 5 minutes currently) or
3) the code has been revoked, because it was already used in an access token request (both successful and unsuccessful requests will revoke the code) or
4) you are missing the redirect_uri parameter when it’s required.

/oauth/v1/authorize returns invalid_scope error

You must specify at least one explicit non-default scope.

/oauth/v1/authorize returns invalid_request error

Make sure that the redirect_uri parameter matches the redirect URI configured for your app.