StephenBlackWasAlreadyTaken/share_send_app_endpoints.md

Last active May 17, 2024 02:20

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/StephenBlackWasAlreadyTaken/adb0525344bedade1e25.js"></script>
Save StephenBlackWasAlreadyTaken/adb0525344bedade1e25 to your computer and use it in GitHub Desktop.

Download ZIP

DexcomShare Endpoints for the Uploader App

Raw

share_send_app_endpoints.md

https://share1.dexcom.com/

these are the calls used by the dexcom uploader app
these are in no particular order!
User-Agent: Dexcom%20Share/3.0.2.11 CFNetwork/672.0.2 Darwin/14.0.0

General

Read Dexcoms System time clock

GET

/ShareWebServices/Services/General/SystemUtcTime

Body:

  none

Response:

  {
    "DateTime":"\/Date(1426767421178)\/",
    "OffsetMinutes":0
  }

Session Related

Login to a Publisher Account (Get a Session ID):

POST

/ShareWebServices/Services/General/LoginPublisherAccountByName

Body:

  {
    "accountName":"yourlogin",
    "applicationId":"d8665ade-9673-4e27-9ff6-92db4ce13d13",
    "password":"yourpassword"
  }

Response:

  "e3e3e6a5-coolsessionid-bro”

Authenticate Publisher Account (Get a Session ID):

POST

/ShareWebServices/Services/General/AuthenticatePublisherAccount

Body:

  {
    "accountName":"yourlogin",
    "applicationId":"d8665ade-9673-4e27-9ff6-92db4ce13d13",
    "password":"yourpassword"
  }

Response:

  "e3e3e6a5-coolsessionid-bro”

Check if the Reciever is assigned to your account

POST

/ShareWebServices/Services/Publisher/CheckMonitoredReceiverAssignmentStatus?sessionId={YourSessionId}&serialNumber={YourSerialNumber}/

Body:

  none

Response:

  `AssignedToYou` or `NotAssigned` (plaintext)

Assign the reciever to you (If you got NotAssigned or something else)

POST

/ShareWebServices/Services/Publisher/ReplacePublisherAccountMonitoredReceiver?sessionId={YourSessionId}&serialNumber={YourSerialNumber}

Body:

  none

Response:

  No Idea, Someone please tell me, if you assign one to yourself that was
  already yours you get a 500 error

Check remote monitoring session is valid

POST

/ShareWebServices/Services/Publisher/IsRemoteMonitoringSessionActive?sessionId={YourSessionId}

Body:

  none

Response:

  `true` or `false` (plaintext)

Start remote monitoring session

POST

/ShareWebServices/Services/Publisher/StartRemoteMonitoringSession?sessionId={yoursessionid}&serialNumber={YourdexcomSerialNumber}

Body:

  none

Response:

  just a status, `200`

Stop a remote monitoring session

POST

/ShareWebServices/Services/Publisher/StopRemoteMonitoringSession?sessionId={YourSessionId}

Body:

  none

Response:

  just a status, `200`

Update Publisher information (might be fun for sending them cute messages?)

POST

/ShareWebServices/Services/Publisher/UpdatePublisherAccountRuntimeInfo

Body:

  {
    "sessionId":"YourSessionId",
    "runtimeInfo":
      {
        "DeviceManufacturer":"Apple",
        "DeviceModel":"iPhone5,2",
        "DeviceOsVersion":"7.0.2",
        "AppVersion":"3.0.2.11",
        "AppName":"DexcomShare",
        "AppNumber":"SW10569",
        "DeviceOsName":"iPhone OS"
      }
  }

Response:

  just a status, `200`

Data!

Post BG Data

POST

/ShareWebServices/Services/Publisher/PostReceiverEgvRecords?sessionId={yourSessionId}

Body:

{
  "SN":"YourSerialNumber",
  "Egvs":[
      {
        "Trend":4,
        "ST":"\/Date(1426783106000)\/",
        "DT":"\/Date(1426754317000)\/",
        "Value":97
      }
    ],
  "TA":-14365
}

Response:

  just a status, `200`

ST system time, DT display time, TA is a time offset, multiply by 1000 and subtract it from the time (so subtracting a negative in this example, which is really adding)

Read BG Data

POST

/ShareWebServices/Services/Publisher/ReadPublisherLatestGlucoseValues?sessionId={YourSessionId}&minutes=1440&maxCount=1

Body:

  none

Response:

[
  {
    "DT":"\/Date(1426780716000-0700)\/",
    "ST":"\/Date(1426784306000)\/",
    "Trend":4,
    "Value":99,
    "WT":"\/Date(1426769941000)\/"
  }
]

Invite Follower Related

Check if someone is already a contact of yours

POST

/ShareWebServices/Services/Publisher/DoesContactExistByName?sessionId={YourSessionId}&contactName={NameOfNewFollower}

Body:

  none

Response:

  `true` or `false` (plaintext)

Create a contact if they dont already exist

POST

/ShareWebServices/Services/Publisher/CreateContact?sessionId={YourSessionId}&contactName={FollowerName}&emailAddress={FollowerEmail}

Body:

  none

Response:

  a contact id (needed for the invite!), `123312-af1341123-coolid`

Send the invite!!

POST

/ShareWebServices/Services/Publisher/CreateSubscriptionInvitation?sessionId={YourSessionId}&contactId={ContactId}

Body:

  {
    "AlertSettings":{
      "HighAlert":{
        "MinValue":200,
        "AlarmDelay":"PT1H",
        "AlertType":1,
        "IsEnabled":false,
        "RealarmDelay":"PT2H",
        "Sound":"High.wav",
        "MaxValue":401
      },
      "LowAlert":{
        "MinValue":39,
        "AlarmDelay":"PT30M",
        "AlertType":2,
        "IsEnabled":false,
        "RealarmDelay":"PT2H",
        "Sound":"Low.wav",
        "MaxValue":70
      },
      "FixedLowAlert":{
        "MinValue":39,
        "AlarmDelay":"PT0M",
        "AlertType":3,
        "IsEnabled":true,
        "RealarmDelay":"PT30M",
        "Sound":"UrgentLow.wav",
        "MaxValue":55
      },
      "NoDataAlert":{
        "MinValue":39,
        "AlarmDelay":"PT1H",
        "AlertType":4,
        "IsEnabled":false,
        "RealarmDelay":"PT0M",
        "Sound":"NoData.wav",
        "MaxValue":401
      }
    },
    "Permissions":1,
    "DisplayName":"{YourAccountDisplayName}"
  }

Note that permissions 1 means they can view your graph data

Response:

  a subscriber id for the person you invited! (Usefull for updating their
  subscription permissions and such) `793312-af1341123-coolid`

List all Followers

POST

/ShareWebServices/Services/Publisher/ListPublisherAccountSubscriptions?sessionId={YourSessionId}

Body:

  none

Response:

  [
    {
      "ContactId":"FollowersContactId",
      "ContactName":"FollowersName",
      "DateTimeCreated":{
        "DateTime":"\/Date(1437101121008)\/",
        "OffsetMinutes":0
      },
      "DateTimeModified":{
        "DateTime":"\/Date(1437101121008)\/",
        "OffsetMinutes":0
      },
      "DisplayName":"YourDisplayName",
      "InviteExpires":{
        "DateTime":"\/Date(1437705921008)\/",
        "OffsetMinutes":0
      },
      "IsEnabled":false,
      "IsMonitoringSessionActive":true,
      "Permissions":1,
      "State":2,
      "SubscriberId":"00000000-0000-0000-0000-000000000000",
      "SubscriptionId":"theirSubscriptionIdIsuppose?"
    }
  ]

note: maybe we can use this subscription id to send our own custom invites to followers

Delete Follower

POST

/ShareWebServices/Services/Publisher/DeleteContact?sessionId={YourSessionId}&contactId={followersContactId}

Body:

  none

Response:

  just a status, `200`

Still undocumented but logged if you need info on it (Not adding it all here out of lazziness)

getting the image
getting the subscription display name
getting the subscription email address
reading the contact list
sending changes to the contacts Permissions
removing a contact
follower aknowledging alarms
follower reading invitation info
follower accepting invitation
follower updating runtimeInfo
folower listing all their subscriptions
read subscription alerts

CURL examples for getting values from Dexcom

curl -v \
  -H "Accept: application/json" -H "Content-Type: application/json" \
  -H "User-Agent: Dexcom Share/3.0.2.11 CFNetwork/711.2.23 Darwin/14.0.0" \
  -X POST https://share1.dexcom.com/ShareWebServices/Services/General/LoginPublisherAccountByName \
  -d '{"accountName":"YOURLOGIN","applicationId":"d8665ade-9673-4e27-9ff6-92db4ce13d13","password":"YOURPASSWORD"}'

which should recieve a response like

"8c1234deb-323c-4e9d-8362-39cfa23499ed"

which you use to get values like

curl -v \
  -H "Content-Length: 0" -H "Accept: application/json" \
  -H "User-Agent: Dexcom Share/3.0.2.11 CFNetwork/672.0.2 Darwin/14.0.0" \
  -X POST "https://share1.dexcom.com/ShareWebServices/Services/Publisher/ReadPublisherLatestGlucoseValues?sessionId=8c1234deb-323c-4e9d-8362-39cfa23499ed&minutes=1440&maxCount=1"

jazeee commented Jan 6, 2024 via email

Just a thought. The string with the periods sounds like a jwt token. You can test the string on jwt.io

…

On Fri, Jan 5, 2024, 11:19 PM Okan Sengun ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ :-) Glad you like it, @MooseV2 <https://github.com/MooseV2> Have you considered to develop any Garmin apps yourself? Indeed -- the first thing I did when I got the Garmin was mess around with the SDK since I wanted to view Dexcom on it. I was happy to see it already existed! I base64 encoded this string: [...] Okay, so I've discovered a bit more about the body: 1. You have to send it with quotes around the base64 string. "eyJUaW1lc3RhbXAiOiIyMDIzLTExLTE" instead of eyJUaW1lc3RhbXAiOiIyMDIzLTExLTE 1. There are three sections separated by periods (.). Part 1: {"IsZip":0,"Timestamp":"2023-11-12T05:36:37Z","AccId":"14edc443-6d10-40a0-ae1c-f564b0ef9ebe","AppId":"d89443d2-327c-4a6f-89e5-496bbb0317db"} Part 2: {"SubscriptionLastSyncTimestamps":[{"SubscriptionId":"3e39166b-98be-416d-9ee9-a4ed3d89d0d8","LastSyncTimestamps":{"Glucose":"2023-11-08T22:49:04Z"}}]} Part 3: Some sort of HMAC? This will probably be tricky to decode. Here are some examples: L7DxdcLz0ntiU5p2W0vvsd N4r7x-9dyEJ03YqsTXHL5d 95eNUm8_1KwjUaW2YLg8Td So base64 the first two and concatenate (important: remove the equal '=' characters from the base64 string), and you'll end up with a string like this (again, wrapped in quotation marks): "eyJJc1ppcCI6MCwiVGltZXN0YW1wIjoiMjAyMy0xMS0xMlQwNTozNjozN1oiLCJBY2NJZCI6IjE0ZWRjNDQzLTZkMTAtNDBhMC1hZTFjLWY1NjRiMGVmOWViZSIsIkFwcElkIjoiZDg5NDQzZDItMzI3Yy00YTZmLTg5ZTUtNDk2YmJiMDMxN2RiIn0.eyJTdWJzY3JpcHRpb25MYXN0U3luY1RpbWVzdGFtcHMiOlt7IlN1YnNjcmlwdGlvbklkIjoiM2UzOTE2NmItOThiZS00MTZkLTllZTktYTRlZDNkODlkMGQ4IiwiTGFzdFN5bmNUaW1lc3RhbXBzIjp7IkdsdWNvc2UiOiIyMDIzLTExLTA4VDIyOjQ5OjA0WiJ9fV19.T_t7EeMlW32KE5dvVpgzvd" The HMAC part is Base64URL encoded, which is basically just Base64 but "+" becomes "-" and "/" becomes "_". When decoded, it becomes 16 bytes. If you send the wrong value here, you get the error: 'Code': 'IntegrityCheckFailed', 'Message': "Request signature doesn't match device key. [...]" Could be related to either a) the device key found from /ShareWebServices/Services/Subscriber/DeviceKeys, or b) the device token from [...]/Subscriber/ReadSubscriber2? It also has something to do with the Account ID, and I've been able to glean this nonworking pseudocode: import hmacimport hashlibimport base64import uuid def generate_hmac(data, key): """Generate a SHA256 HMAC and encode as base64.""" hmac_obj = hmac.new(key.encode("utf-8"), data.encode("utf-8"), hashlib.sha256) return base64.b64encode(hmac_obj.digest()).decode().replace("=", "") def create_trailing_hmac(account_id, object2): account_id_str = str(account_id) object2_str = str(object2) intermediate_hash = generate_hmac(account_id_str + object2_str, object2_str) final_hash = generate_hmac(account_id_str + intermediate_hash, object2_str) result = account_id_str + final_hash return result # Example usageaccount_id = uuid.UUID("14edc443-6d10-40a0-ae1c-f564b0ef9ebe")object2 = uuid.UUID("b85a7d6e-ede9-46c7-a6ac-fb764c31f9b6") # Not sure? first, second, mac = string.split(".")print(generate_hmac(first + second, create_trailing_hmac(account_id, object2))) I'm staring at a disassembly but obviously I'm missing something since that code doesn't work. HMACs are usually 64 bytes but the request MAC is 16 bytes... Hmm. Anyway, maybe this will help someone... I am looking for a solution to extract the very last insulin injection event (type of insulin, amount of injection and the timestamp) from Dexcom. @MooseV2 <https://github.com/MooseV2>, I am wondering if the endpoint you captured can be used for that purpose, any chance you could help me on that? There is an official endpoint already published in their public API's but I have been already using pydexcom for a long while and not willing to start from scratch. Thanks — Reply to this email directly, view it on GitHub <https://gist.github.com/StephenBlackWasAlreadyTaken/adb0525344bedade1e25#gistcomment-4819672> or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABK6O2BZ7QVDPZCRUOBZT7TYND3JZBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFQKSXMYLMOVS2I5DSOVS2I3TBNVS3W5DIOJSWCZC7OBQXE5DJMNUXAYLOORPWCY3UNF3GS5DZVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVAZDANJSGI3TCONHORZGSZ3HMVZKMY3SMVQXIZI> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

KajBjurman commented Jan 6, 2024 •

edited

It's kind of a JWT, but they either have a bug, or don't care about being fully compliant. The header doesn't static algorithm, so we don't know how the produce the signature, but the signature is also encoded incorrectly. The signature should be encoded in base 64, without padding, and with "url safe" mode, but we can see here, and I also saw in one of my captures, that the signature contained an underscore, which is invalid.

fsallstrom commented Jan 9, 2024

Just a small update: it appears the Dexcom outage has been resolved and the old API is working again. I'll keep trying to reverse engineer the new API since I suspect they may push towards it, but is anyone still experiencing issues with the old one?

Nb: It's a bit ridiculous that a bioengineering/health company can have a two month outage, especially without any sort of timeline or communication... at my company I would be fired faster than I could explain why we only had 80% uptime on a relatively critical production component.

I don't get any more emails from users about the issue so it seems to be resolved across all/most markets.

osa1 commented Apr 25, 2024

Sorry for the noise -- it turns out Dexcom Android app logged me out from Dexcom services and stopped uploading data.

I also fixed my script in the meantime. Here's a working version: https://github.com/osa1/Dextrack/blob/main/tools/get_bg_levels.py

(Deleted my original comment to avoid adding noise to this useful page)

StephenBlackWasAlreadyTaken/share_send_app_endpoints.md

https://share1.dexcom.com/

General

Read Dexcoms System time clock

Session Related

Login to a Publisher Account (Get a Session ID):

Authenticate Publisher Account (Get a Session ID):

Check if the Reciever is assigned to your account

Assign the reciever to you (If you got NotAssigned or something else)

Check remote monitoring session is valid

Start remote monitoring session

Stop a remote monitoring session

Update Publisher information (might be fun for sending them cute messages?)

Data!

Post BG Data

Read BG Data

Invite Follower Related

Check if someone is already a contact of yours

Create a contact if they dont already exist

Send the invite!!

List all Followers

Delete Follower

Still undocumented but logged if you need info on it (Not adding it all here out of lazziness)

CURL examples for getting values from Dexcom

jazeee commented Jan 6, 2024 via email

KajBjurman commented Jan 6, 2024 • edited

fsallstrom commented Jan 9, 2024

osa1 commented Apr 25, 2024

KajBjurman commented Jan 6, 2024 •

edited