HTTP dump of Libre Link Up used in combination with FreeStyle Libre 3

libre-link-up-http-dump.md

LibreLinkUp HTTP-Dump

This document describes the HTTP communication of LibreLinkUp which functions as follower app to receive cgm data. Some data in the responses were masked.

Context

This dump was created on an android device with LibreLinkUp app. Capturing was done with HttpToolkit over adb.

API Url

The global api url is https://api.libreview.io. If you are placed in europe you can use https://api-eu.libreview.io instead.

Headers

The following list includes general purpose headers but also specific ones which are required to get correct responses:

General purpose

'accept-encoding': 'gzip'
'cache-control': 'no-cache'
'connection': 'Keep-Alive'
'content-type': 'application/json'

Specific

The following headers are required and needs to be setted to get correct responses. There might be alternative values which are not known.

'product': 'llu.android'
'version': '4.2.1',

Request Flow

To get cgm data from the api it is required to fire at least three requests:

1. Login and retrieve JWT Token
2. Get connections of patients to get patientId
3. Retrieve cgm data of specific patient

Login

This request expects credentials and will return a JWT Token which is required to call auth-needed endpoints.

Endpoint POST /llu/auth/login

Request Body

{
  "email": "[email protected]",
  "password": "$yOurVerySecretPasSw0rd!"
}

Response

{
  "status": 0,
  "data": {
    "user": {
      "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "firstName": "John",
      "lastName": "Doe",
      "email": "[email protected]",
      "country": "DE",
      "uiLanguage": "de-DE",
      "communicationLanguage": "de-DE",
      "accountType": "pat",
      "uom": "1",
      "dateFormat": "2",
      "timeFormat": "2",
      "emailDay": [
        1
      ],
      "system": {
        "messages": {
          "firstUsePhoenix": 1652399492,
          "firstUsePhoenixReportsDataMerged": 1652399492,
          "lluGettingStartedBanner": 1652399555,
          "lluNewFeatureModal": 1652399526,
          "lluOnboarding": 1652399536,
          "lvWebPostRelease": "3.9.47"
        }
      },
      "details": {},
      "created": 1652399492,
      "lastLogin": 1653140180,
      "programs": {},
      "dateOfBirth": 627609600,
      "practices": {},
      "devices": {},
      "consents": {
        "llu": {
          "policyAccept": 1652399485,
          "touAccept": 1652399485
        }
      }
    },
    "messages": {
      "unread": 0
    },
    "notifications": {
      "unresolved": 0
    },
    "authTicket": {
      "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjZlZGFjNDk2LWQyNGUtMTFlYy04ZTVkLTAyNDJhYzExMDAwMiIsImZpcnN0TmFtZSI6IkhhbGltZSBTZWxjdWsiLCJsYXN0TmFtZSI6Iktla2VjIiwiY291bnRyeSI6IkRFIiwicmVnaW9uIjoiZXUiLCJyb2xlIjoicGF0aWVudCIsInVuaXRzIjoxLCJwcmFjdGljZXMiOltdLCJjIjoxLCJzIjoibGx1LmFuZHJvaWQiLCJleHAiOjE2Njg2OTIzNTh9.MdEzdJ3NrpYS4WVAcuy87Gxzk7EJFHzCtei-y7_XXXX",
      "expires": 1668692358,
      "duration": 15552000000
    },
    "invitations": [
      "xxxxxxxxx"
    ]
  }
}

The JWT Token is present in data.authTicket.token and is valid for nearly 6 month which is quite long. This is extremly long and actually you cannot invalidate this token why you should not share it with anyone.

For the next requests you have to set this token in the headers:

'authorization': Bearer [YOUR_JWT_TOKEN]

Get connections

To be able to retrieve cgm data you have to determine the patientId of the person who is sharing his data with you.

Endpoint GET /llu/connections

Response

{
  "status": 0,
  "data": [
    {
      "id": "xxxxx",
      "patientId": "xxxxxxx",
      "country": "DE",
      "status": 2,
      "firstName": "John",
      "lastName": "Doe",
      "targetLow": 70,
      "targetHigh": 130,
      "uom": 1,
      "sensor": {
        "deviceId": "",
        "sn": "xxxxx",
        "a": 1652400270,
        "w": 60,
        "pt": 4
      },
      "alarmRules": {
        "c": true,
        "h": {
          "on": true,
          "th": 130,
          "thmm": 7.2,
          "d": 1440,
          "f": 0.1
        },
        "f": {
          "th": 55,
          "thmm": 3,
          "d": 30,
          "tl": 10,
          "tlmm": 0.6
        },
        "l": {
          "on": true,
          "th": 70,
          "thmm": 3.9,
          "d": 1440,
          "tl": 10,
          "tlmm": 0.6
        },
        "nd": {
          "i": 20,
          "r": 5,
          "l": 6
        },
        "p": 5,
        "r": 5,
        "std": {}
      },
      "glucoseMeasurement": {
        "FactoryTimestamp": "5/21/2022 1:38:50 PM",
        "Timestamp": "5/21/2022 3:38:50 PM",
        "type": 1,
        "ValueInMgPerDl": 91,
        "TrendArrow": 3,
        "TrendMessage": null,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 91,
        "isHigh": false,
        "isLow": false
      },
      "glucoseItem": {
        "FactoryTimestamp": "5/21/2022 1:38:50 PM",
        "Timestamp": "5/21/2022 3:38:50 PM",
        "type": 1,
        "ValueInMgPerDl": 91,
        "TrendArrow": 3,
        "TrendMessage": null,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 91,
        "isHigh": false,
        "isLow": false
      },
      "glucoseAlarm": null,
      "patientDevice": {
        "did": "2d97357e-d250-11ec-b409-0242ac110004",
        "dtid": 40068,
        "v": "3.3.1",
        "ll": 65,
        "hl": 130,
        "u": 1653016896,
        "fixedLowAlarmValues": {
          "mgdl": 60,
          "mmoll": 3.3
        },
        "alarms": false
      },
      "created": 1652399545
    }
  ],
  "ticket": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjZlZGFjNDk2LWQyNGUtMTFlYy04ZTVkLTAyNDJhYzExMDAwMiIsImZpcnN0TmFtZSI6IkhhbGltZSBTZWxjdWsiLCJsYXN0TmFtZSI6Iktla2VjIiwiY291bnRyeSI6IkRFIiwicmVnaW9uIjoiZXUiLCJyb2xlIjoicGF0aWVudCIsInVuaXRzIjoxLCJwcmFjdGljZXMiOltdLCJjIjoxLCJzIjoibGx1LmFuZHJvaWQiLCJleHAiOjE2Njg2OTIzNTh9.MdEzdJ3NrpYS4WVAcuy87Gxzk7EJFHzCtei-y7_XXXX",
    "expires": 1668692358,
    "duration": 15552000000
  }
}

The datapart includes all persons who are sharing their data with you. To retrieve cgm data you need data[0].patientId.

Get cgm data

Now both prerequirements (JWT Token and Patient ID) are met and you can retrieve the cgm data.

Endpoint GET /llu/connections/{patientId}/graph

Response

{
  "status": 0,
  "data": {
    "connection": {
      "id": "xxxxxxx",
      "patientId": "xxxxxxx",
      "country": "DE",
      "status": 2,
      "firstName": "John",
      "lastName": "Doe",
      "targetLow": 70,
      "targetHigh": 130,
      "uom": 1,
      "sensor": {
        "deviceId": "",
        "sn": "XXXXXXXXXX",
        "a": 1652400270,
        "w": 60,
        "pt": 4
      },
      "alarmRules": {
        "c": true,
        "h": {
          "on": true,
          "th": 130,
          "thmm": 7.2,
          "d": 1440,
          "f": 0.1
        },
        "f": {
          "th": 55,
          "thmm": 3,
          "d": 30,
          "tl": 10,
          "tlmm": 0.6
        },
        "l": {
          "on": true,
          "th": 70,
          "thmm": 3.9,
          "d": 1440,
          "tl": 10,
          "tlmm": 0.6
        },
        "nd": {
          "i": 20,
          "r": 5,
          "l": 6
        },
        "p": 5,
        "r": 5,
        "std": {}
      },
      "glucoseMeasurement": {
        "FactoryTimestamp": "5/21/2022 1:38:50 PM",
        "Timestamp": "5/21/2022 3:38:50 PM",
        "type": 1,
        "ValueInMgPerDl": 91,
        "TrendArrow": 3,
        "TrendMessage": null,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 91,
        "isHigh": false,
        "isLow": false
      },
      "glucoseItem": {
        "FactoryTimestamp": "5/21/2022 1:38:50 PM",
        "Timestamp": "5/21/2022 3:38:50 PM",
        "type": 1,
        "ValueInMgPerDl": 91,
        "TrendArrow": 3,
        "TrendMessage": null,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 91,
        "isHigh": false,
        "isLow": false
      },
      "glucoseAlarm": null,
      "patientDevice": {
        "did": "xxxxxxx",
        "dtid": 40068,
        "v": "3.3.1",
        "ll": 65,
        "hl": 130,
        "u": 1653016896,
        "fixedLowAlarmValues": {
          "mgdl": 60,
          "mmoll": 3.3
        },
        "alarms": false
      },
      "created": 1652399545
    },
    "activeSensors": [
      {
        "sensor": {
          "deviceId": "xxxxxx",
          "sn": "xxxxx",
          "a": 1652400270,
          "w": 60,
          "pt": 4
        },
        "device": {
          "did": "xxxxxx",
          "dtid": 40068,
          "v": "3.3.1",
          "ll": 65,
          "hl": 130,
          "u": 1653016896,
          "fixedLowAlarmValues": {
            "mgdl": 60,
            "mmoll": 3.3
          },
          "alarms": false
        }
      },
      {
        "sensor": {
          "deviceId": "xxxxx",
          "sn": "xxxxxx",
          "a": 1652399154,
          "w": 60,
          "pt": 4
        },
        "device": {
          "did": "xxxxxxxxx",
          "dtid": 40068,
          "v": "3.3.1",
          "ll": 70,
          "hl": 250,
          "u": 1652399060,
          "fixedLowAlarmValues": {
            "mgdl": 60,
            "mmoll": 3.3
          },
          "alarms": false
        }
      },
      {
        "sensor": {
          "deviceId": "xxxxx",
          "sn": "xxxxx",
          "a": 1652391830,
          "w": 60,
          "pt": 4
        },
        "device": {
          "did": "xxxxx",
          "dtid": 40068,
          "v": "3.3.1",
          "ll": 70,
          "hl": 250,
          "u": 1652396851,
          "fixedLowAlarmValues": {
            "mgdl": 60,
            "mmoll": 3.3
          },
          "alarms": false
        }
      }
    ],
    "graphData": [
      {
        "FactoryTimestamp": "5/21/2022 1:39:50 AM",
        "Timestamp": "5/21/2022 3:39:50 AM",
        "type": 0,
        "ValueInMgPerDl": 117,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 117,
        "isHigh": false,
        "isLow": false
      },
      {
        "FactoryTimestamp": "5/21/2022 1:44:51 AM",
        "Timestamp": "5/21/2022 3:44:51 AM",
        "type": 0,
        "ValueInMgPerDl": 115,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 115,
        "isHigh": false,
        "isLow": false
      },
      {
        "FactoryTimestamp": "5/21/2022 1:49:50 AM",
        "Timestamp": "5/21/2022 3:49:50 AM",
        "type": 0,
        "ValueInMgPerDl": 115,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 115,
        "isHigh": false,
        "isLow": false
      },
      {
        "FactoryTimestamp": "5/21/2022 1:54:51 AM",
        "Timestamp": "5/21/2022 3:54:51 AM",
        "type": 0,
        "ValueInMgPerDl": 116,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 116,
        "isHigh": false,
        "isLow": false
      },
      {
        "FactoryTimestamp": "5/21/2022 1:59:50 AM",
        "Timestamp": "5/21/2022 3:59:50 AM",
        "type": 0,
        "ValueInMgPerDl": 116,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 116,
        "isHigh": false,
        "isLow": false
      },
      {
        "FactoryTimestamp": "5/21/2022 2:04:50 AM",
        "Timestamp": "5/21/2022 4:04:50 AM",
        "type": 0,
        "ValueInMgPerDl": 118,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 118,
        "isHigh": false,
        "isLow": false
      },
      {
        "FactoryTimestamp": "5/21/2022 2:09:50 AM",
        "Timestamp": "5/21/2022 4:09:50 AM",
        "type": 0,
        "ValueInMgPerDl": 118,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 118,
        "isHigh": false,
        "isLow": false
      },
      {
        "FactoryTimestamp": "5/21/2022 2:14:51 AM",
        "Timestamp": "5/21/2022 4:14:51 AM",
        "type": 0,
        "ValueInMgPerDl": 115,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 115,
        "isHigh": false,
        "isLow": false
      }
    ]
  },
  "ticket": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjZlZGFjNDk2LWQyNGUtMTFlYy04ZTVkLTAyNDJhYzExMDAwMiIsImZpcnN0TmFtZSI6IkhhbGltZSBTZWxjdWsiLCJsYXN0TmFtZSI6Iktla2VjIiwiY291bnRyeSI6IkRFIiwicmVnaW9uIjoiZXUiLCJyb2xlIjoicGF0aWVudCIsInVuaXRzIjoxLCJwcmFjdGljZXMiOltdLCJjIjoxLCJzIjoibGx1LmFuZHJvaWQiLCJleHAiOjE2Njg2OTIzNTl9.LK8Ejr2IDKGM7oiObVYMHC8HV2bPcv6obt7UiEFXXXX",
    "expires": 1668692359,
    "duration": 15552000000
  }
}

The last measurement is present in glucoseMeasurement:

{
  "FactoryTimestamp": "5/21/2022 1:38:50 PM",
  "Timestamp": "5/21/2022 3:38:50 PM",
  "type": 1,
  "ValueInMgPerDl": 91,
  "TrendArrow": 3,
  "TrendMessage": null,
  "MeasurementColor": 1,
  "GlucoseUnits": 1,
  "Value": 91,
  "isHigh": false,
  "isLow": false
}

Instead you can find historical measurements in graphData. The data has the same shape as above.

Contact

Selcuk Kekec

E-mail: [email protected]

Yeah, part of me is really annoyed at not capturing everything - but the other half is happy to have fixed my nightscout feed after a power outage.
As it says in an earlier comment, the authtoken is valid for 6 months, so my code almost never calls the earlier stages.

What a great thread and useful information! Thanks to all that contribute. I have been looking to get instant access to my own glucose data as well as a range of values and it seems daunting. All of the data is not "now". I would like to know if anyone has been able to download the "csv" file programmatically? I want to integrate all relevant information into my app. The CSV file is what I want to use. I just don't want to have to download it manually and have my app post process it. I would like for it to work automatically. I was wondering if anybody is successful in getting data from "notifications" request and "config" request. "notifications" seems to want a "connectionId" which I cannot find from the data I receive from abbott. I am not sure if I am running the "config" request right. The URL is "https://api.libreview.io/llu/config/country" Maybe it needs to be "https://api.libreview.io/llu/config/us"? Any help would be greatly appreciated. By the way I have done an app in C++ using Qt.

I would like to know if anyone has been able to download the "csv" file programmatically?

I looked at this but the problem is that the api call (an export post request) requires a captcha response - in other words you have to solve the captcha before you can request the csv.

@sgmoore That is true.

I am not sure if I am running the "config" request right. The URL is "https://api.libreview.io/llu/config/country"

https://api.libreview.io/llu/config/country?country=us

That's a simple get request without validation etc, so you can just click on that link to test it.

notifications" seems to want a "connectionId" which I cannot find from the data I receive from abbott

I have not tried that, but I would assume this is a patientID from one of the connections you get from back when you call get llu/connections (which should be documented at the start of this gist).

@sgmoore thank you for the first one. It works now. Don't know how I missed that. I will try the second one in a sec...

I used my patient id for the notifications request and got "Content Not Found Error" from Qt's error response class.

I would like to know if anyone has been able to download the "csv" file programmatically?

I looked at this but the problem is that the api call (an export post request) requires a captcha response - in other words you have to solve the captcha before you can request the csv.

I get this but maybe I can intercept this in my app and then pass the "proof" back to libreview?

I have been using this successfully for some time now, although I've had to set the version header to 4.10.0 to work. I've received notifications from the LibreLink app that as of October 8th, version 4.15 and below will no longer receive data. I've tried updating the version header to 4.16.0 , but then get the 'missing header' error. Does anyone know what the latest working headers are?

@knolleary I just checked the app I created and I am still using 4.7 version with no issue. I am on Android so I don't know if that matters.

Up until today I'd been using version 4.7, but now see the same issue as reported above:

{"data":{"minimumVersion":"4.16.0"},"status":920}

If I set the version to 4.16, I get:

{"message":"RequiredHeaderMissing"}

This is in the -eu2 region.

@SteveCEvans likewise. As per my previous message, I have been receiving in-app warnings to upgrade client version before the 8th October... ie today. And sure enough, access to the API has stopped working today.

Hopefully someone can figure out the necessary headers to keep this working

Fixed it! I'm using micro python.

Prior to 4.16 my header for fetching graph data was:

        auth_header = {
            'Accept'        : 'application/json',
            'Authorization' : 'Bearer ' + self._user_token,
       }

And now I have:

        auth_header = {
            'Accept'        : 'application/json',
            'Authorization' : 'Bearer ' + self._user_token,
            'Account-Id'    : self._account_id
        }

Where:

            digest = uhashlib.sha256(self._user_id.encode('utf-8')).digest()
            self._account_id = ubinascii.hexlify(digest).decode('utf-8')

I hope that makes sense.

@SteveCEvans well done - can confirm that works for me (intrigued to know how you figured that out...)

For reference, in node.js land, this translates to:

const { createHash } = require('crypto');
const AccountIdHeader = createHash('sha256').update(userId).digest('hex');

userId can be obtained from the response of the initial login HTTP request.

(intrigued to know how you figured that out...)

Perhaps by reading this gist? This change has been rolling out slowly since last year - See https://gist.github.com/khskekec/6c13ba01b10d3018d816706a32ae8ab2?permalink_comment_id=5330300#gistcomment-5330300

@sgmoore ha - good point. So many replies and collapsed comments, I had missed that.

@SteveCEvans well done - can confirm that works for me (intrigued to know how you figured that out...)

For reference, in node.js land, this translates to:

const { createHash } = require('crypto');
const AccountIdHeader = createHash('sha256').update(userId).digest('hex');

userId can be obtained from the response of the initial login HTTP request.

It was actually mentioned above at https://gist.github.com/khskekec/6c13ba01b10d3018d816706a32ae8ab2?permalink_comment_id=5358133#gistcomment-5358133

@SteveCEvans "I hope that makes sense." Not really. In my version when I get "https://api.libreview.io/llu/connections/" + PATIENT_ID + "/graph", my headers have "Accept", "Authorization", "product" and "version". I changed version to 4.16.0 and it gave me a protocol error. So as I understand it you had to add "Account-Id". The value you are sending out is an sha256 checksum of the PATIENT_ID?

That worked for me. Thanks!!

I only send the version header for the login. Once I have the user id and token it’s no longer needed.

@SteveCEvans I'll give that a try.

For all those GOphers:

// getAccountID returns the account ID for the given user ID
func getAccountID(userID string) string {
	hash := sha256.Sum256([]byte(userID))
	return hex.EncodeToString(hash[:])
}

I struggled with URL's, but I got it to work.
So I summarize here.
(I live in Europe)
To request the jwt token and Patient_ID, I use POST to "https://api-eu.libreview.io/llu/auth/login"
For client info including latest glucose level, I use GET to "https://api-eu.libreview.io/llu/connections/"
where I use headers:
headers = {
"Accept": "application/json",
"product": "llu.android",
"version": "4.16",
"Authorization": f"Bearer {jwt_token}",
"Account-Id" : Account_ID
}

Where Account_ID is the SHA256 digest of the Patient_ID.
I am very happy with the contributions from this community!

@gjkoolen I will have to try this as my tool is broken now on getting user information. Funny situation that my tablet doesn't seem to be affected. It may have something to do with what whatever version of Android I am running?

So from what I am seeing the url "https://api.libreview.io/user" is not being called any more?

I was folling this order:
http://api.libreview.io/llu/auth/login (this gets the TOKEN)
http://api.libreview.io/user (this gets DEVICE, EMAIL, FIRSTNAME, LASTNAME, PATIENT_ID)
http://api.libreview.io/account (I think this is where we get an Account_Id)
http://api.libreview.io/llu/connections (Here is where we are suppose to use the encyrpted Account_Id)
http://api.libreview.io/llu/connections/<PATIENT_ID>/graph
http://api.libreview.io/llu/connections/<PATIENT_ID>/logbook
http://api.libreview.io/llu/notifications/settings/<CONNECTION_ID> (Doesn't work for me)
http://api.libreview.io/llu/config/country?country=us

Mine crashes on "user" with a 302 error. So I need the PATIENT_ID/Account_ID before I actually get it from "user". Confusing.

@MrAda

http://api.libreview.io/user (this gets DEVICE, EMAIL, FIRSTNAME, LASTNAME, PATIENT_ID)
http://api.libreview.io/account (I think this is where we get an Account_Id)

I never used either of these (nor seen them used anywhere).

As you can see from the very first message in this gist, step 1 will normally¹ return a response with your user details , looking something like

{
  "status": 0,
  "data": {
    "user": {
      "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "firstName": "John",
      ...

and it is this id which you need to encrypt for use with llu/connections etc.

Footnotes

1. I say normally, because sometimes the response from step 1 is a redirect to an intermediate step (like accepting new Terms and Conditions etc) and you need to perform another api post to complete these step(s) until you get the full response. If your software does not handle those intermediate steps, you may have to log into the official LibreLinkup app in order to get passed that stage. ↩

Thanks @sgmoore
In addition: after Oct 8, I had to start my LibreLinkUp Android app, to read and accept the new terms of use.
After that, I got correct responses from my https requests.

Thanks @sgmoore In addition: after Oct 8, I had to start my LibreLinkUp Android app, to read and accept the new terms of use. After that, I got correct responses from my https requests.

Gosh that worked! my code is working again.

@sgmoore I like that you have a simpler interface. I will look into it.

@sgmoore I got things to work again. Your suggestion helped a lot. Do I new that new header "Account-Id" for every command after logging in or only on connections?

@MrAda

I use "Account-Id" for every command after logging in.