Mobile SDK authentication

To authenticate a given patient on the Nabla mobile SDK, you'll need to provide the mobile SDK with access and refresh tokens for this patient.

Since getting new tokens for a patient is a highly sensitive task, you should never generate these tokens directly from your app, but instead generate them from backend (therefore acting as a proxy to access Nabla's server API securely) and have it return them to your app.

Understanding the mobile SDK patient authentication flow

The patient authentication flow is the following:

  1. Nabla's mobile SDK needs to authenticate the patient. It calls the SessionTokenProvider method, which you are responsible to implement (see our SDK docs for more details)
  2. Your SessionTokenProvider implementation makes a call to your backend
  3. Your backend receives this call, and calls the Nabla server API to get the access and refresh tokens for that patient (step detailed right after)
  4. Your backend responds to your app with the tokens
  5. The mobile SDK now has knowledge of the patient's tokens and can make patient-scoped calls to the Nabla API

Getting patient tokens from the Nabla API

As seen in the previous section, at step 3, your backend needs to get access and refresh tokens for the patient from the Nabla server API.

To do so, your backend should call the jwt/patient/authenticate/:user_id server API endpoint, where the :user_id parameter is the id of the Nabla patient for which you want the access and refresh tokens.

For example, doing this call with curl would be done this way:

curl{user_id} -H "Authorization: Bearer <SERVER_API_KEY_TOKEN>"

The API will return an access and a refresh token for the patient.


To get a server API key token, please refer to the Getting started with the API page.


Unlike the server API key token, the JWT tokens generated here only provide access to resources for that particular patient.

Common pitfalls

Do not make this API call from your app

Since calling the Nabla server API requires a server API token, you should never do this call from your app, as it would mean sending or storing a server API token to your app, which would be a serious security vulnerability.

Indeed, the server API key allows to access (read & write) all of your organization's data, so it should never leave your backend.

Do not cache the patient tokens in your backend

The mobile SDK will cache locally the patient's tokens, and will call SessionTokenProvider, and therefore your backend, only when it needs it, which is:

  • the first time your authenticate the patient on the mobile SDK
  • when the cached refresh token has expired (which is rare)

So you should never do any caching on your backend when returning tokens to the app, as when the app needs them, they need to be fresh.