Yes, see Notification API.
There are no short-term plans to support posting data at the moment. This may change in the future though.
The all time, monthly and weekly records are currently client-only.
Maximum of three redirect uris can be specified per app.
The ‘authorization code’ is used to fetch an ‘access token’ from our OAuth endpoint as part of the authentication flow. Usually one doesn’t need to store the code, as it expires in a few minutes. The ‘access token’ should be stored (attached to the user account in your system) and used in API calls. Make sure you store the ‘refresh token’ also, as it is used to get a new access token without the user having to reauthorize your app.
Moves provides a UI in the app to revoke access to apps. Revocation results in failing API calls and unsuccessful token refresh responses.
Access tokens are currently valid for 6 months. The expiry times are subject to change, so you shouldn’t rely on this being the exact duration. You can use the /oauth/v1/tokeninfo endpoint to query the expiry status of an access token.
If the access token expires, API calls will return 401 Not Authorized responses. Your code should catch these cases and make a refresh token request to get a new access token and refresh token and then re-issue the API call. If refreshing fails, it probably means that the user has revoked access to your app.
You should have a server component for any publicly usable apps. There is nothing preventing using the API from client-side only though, and it should be fine for personal projects.
The timespan for a day depends on the users current timezone, and we accept as valid ‘today’ when the date has started in UTC+14. So in the weekly and monthly queries there can be extra ‘null’ day for some users, if the day hasn’t yet changed in the users current timezone. This should get fixed with proper timezone support.
There can also be null days in the past if the user hasn’t been running Moves on those days and for current day if the user hasn’t used Moves yet and/or there has not been a working internet connection.
Make sure you are using a POST request.
invalid_grant can happen if either
1) the code in the request is not valid or
2) the code has expired (it’s valid for 5 minutes currently) or
3) the code has been revoked, because it was already used in an access token request (both successful and unsuccessful requests will revoke the code) or
4) you are missing the redirect_uri parameter when it’s required.
You must specify at least one explicit non-default scope.
Make sure that the redirect_uri parameter matches the redirect uri configured for your app.