Skip to content

Instantly share code, notes, and snippets.

Last active December 7, 2024 06:34
Show Gist options
  • Save StephenBlackWasAlreadyTaken/adb0525344bedade1e25 to your computer and use it in GitHub Desktop.
Save StephenBlackWasAlreadyTaken/adb0525344bedade1e25 to your computer and use it in GitHub Desktop.
DexcomShare Endpoints for the Uploader App
  • these are the calls used by the dexcom uploader app
  • these are in no particular order!
  • User-Agent: Dexcom%20Share/ CFNetwork/672.0.2 Darwin/14.0.0


Read Dexcoms System time clock







Session Related

Login to a Publisher Account (Get a Session ID):







Authenticate Publisher Account (Get a Session ID):







Check if the Reciever is assigned to your account






  `AssignedToYou` or `NotAssigned` (plaintext)

Assign the reciever to you (If you got NotAssigned or something else)






  No Idea, Someone please tell me, if you assign one to yourself that was
  already yours you get a 500 error

Check remote monitoring session is valid






  `true` or `false` (plaintext)

Start remote monitoring session






  just a status, `200`

Stop a remote monitoring session






  just a status, `200`

Update Publisher information (might be fun for sending them cute messages?)




        "DeviceOsName":"iPhone OS"


  just a status, `200`


Post BG Data






  just a status, `200`

ST system time, DT display time, TA is a time offset, multiply by 1000 and subtract it from the time (so subtracting a negative in this example, which is really adding)

Read BG Data







Invite Follower Related

Check if someone is already a contact of yours






  `true` or `false` (plaintext)

Create a contact if they dont already exist






  a contact id (needed for the invite!), `123312-af1341123-coolid`

Send the invite!!





Note that permissions 1 means they can view your graph data


  a subscriber id for the person you invited! (Usefull for updating their
  subscription permissions and such) `793312-af1341123-coolid`

List all Followers







note: maybe we can use this subscription id to send our own custom invites to followers

Delete Follower






  just a status, `200`

Still undocumented but logged if you need info on it (Not adding it all here out of lazziness)

  • getting the image
  • getting the subscription display name
  • getting the subscription email address
  • reading the contact list
  • sending changes to the contacts Permissions
  • removing a contact
  • follower aknowledging alarms
  • follower reading invitation info
  • follower accepting invitation
  • follower updating runtimeInfo
  • folower listing all their subscriptions
  • read subscription alerts

CURL examples for getting values from Dexcom

curl -v \
  -H "Accept: application/json" -H "Content-Type: application/json" \
  -H "User-Agent: Dexcom Share/ CFNetwork/711.2.23 Darwin/14.0.0" \
  -X POST \
  -d '{"accountName":"YOURLOGIN","applicationId":"d8665ade-9673-4e27-9ff6-92db4ce13d13","password":"YOURPASSWORD"}' 

which should recieve a response like


which you use to get values like

curl -v \
  -H "Content-Length: 0" -H "Accept: application/json" \
  -H "User-Agent: Dexcom Share/ CFNetwork/672.0.2 Darwin/14.0.0" \
  -X POST "" 
Copy link

Hm, that seems to be similar in structure to a JWT, where the last part should be signature. What if it isn't a signature, but just a hash, possibly with a salt? MD5 is usually only 16 bytes.

Copy link

MooseV2 commented Dec 27, 2023

Just a small update: it appears the Dexcom outage has been resolved and the old API is working again. I'll keep trying to reverse engineer the new API since I suspect they may push towards it, but is anyone still experiencing issues with the old one?

Nb: It's a bit ridiculous that a bioengineering/health company can have a two month outage, especially without any sort of timeline or communication... at my company I would be fired faster than I could explain why we only had 80% uptime on a relatively critical production component.

Copy link

Okomoko commented Jan 6, 2024

:-) Glad you like it, @MooseV2 Have you considered to develop any Garmin apps yourself?
Indeed -- the first thing I did when I got the Garmin was mess around with the SDK since I wanted to view Dexcom on it. I was happy to see it already existed!

I base64 encoded this string: [...]

Okay, so I've discovered a bit more about the body:

  1. You have to send it with quotes around the base64 string.

instead of

  1. There are three sections separated by periods (.).
Part 1:

Part 2:

Part 3:
Some sort of HMAC? This will probably be tricky to decode. Here are some examples:


So base64 the first two and concatenate (important: remove the equal '=' characters from the base64 string), and you'll end up with a string like this (again, wrapped in quotation marks):


The HMAC part is Base64URL encoded, which is basically just Base64 but "+" becomes "-" and "/" becomes "_". When decoded, it becomes 16 bytes. If you send the wrong value here, you get the error:

'Code': 'IntegrityCheckFailed', 'Message': "Request signature doesn't match device key. [...]"

Could be related to either a) the device key found from /ShareWebServices/Services/Subscriber/DeviceKeys, or b) the device token from [...]/Subscriber/ReadSubscriber2?

It also has something to do with the Account ID, and I've been able to glean this nonworking pseudocode:

import hmac
import hashlib
import base64
import uuid

def generate_hmac(data, key):
    """Generate a SHA256 HMAC and encode as base64."""
    hmac_obj ="utf-8"), data.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(hmac_obj.digest()).decode().replace("=", "")

def create_trailing_hmac(account_id, object2):
    account_id_str = str(account_id)
    object2_str = str(object2)

    intermediate_hash = generate_hmac(account_id_str + object2_str, object2_str)
    final_hash = generate_hmac(account_id_str + intermediate_hash, object2_str)
    result = account_id_str + final_hash
    return result

# Example usage
account_id = uuid.UUID("14edc443-6d10-40a0-ae1c-f564b0ef9ebe")
object2 = uuid.UUID("b85a7d6e-ede9-46c7-a6ac-fb764c31f9b6") # Not sure?

first, second, mac = string.split(".")
print(generate_hmac(first + second, create_trailing_hmac(account_id, object2)))

I'm staring at a disassembly but obviously I'm missing something since that code doesn't work. HMACs are usually 64 bytes but the request MAC is 16 bytes... Hmm.

Anyway, maybe this will help someone...

I am looking for a solution to extract the very last insulin injection event (type of insulin, amount of injection and the timestamp) from Dexcom. @MooseV2, I am wondering if the endpoint you captured can be used for that purpose, any chance you could help me on that? There is an official endpoint already published in their public API's but I have been already using pydexcom for a long while and not willing to start from scratch.


Copy link

jazeee commented Jan 6, 2024 via email

Copy link

KajBjurman commented Jan 6, 2024

It's kind of a JWT, but they either have a bug, or don't care about being fully compliant. The header doesn't static algorithm, so we don't know how the produce the signature, but the signature is also encoded incorrectly. The signature should be encoded in base 64, without padding, and with "url safe" mode, but we can see here, and I also saw in one of my captures, that the signature contained an underscore, which is invalid.

Copy link

Just a small update: it appears the Dexcom outage has been resolved and the old API is working again. I'll keep trying to reverse engineer the new API since I suspect they may push towards it, but is anyone still experiencing issues with the old one?

Nb: It's a bit ridiculous that a bioengineering/health company can have a two month outage, especially without any sort of timeline or communication... at my company I would be fired faster than I could explain why we only had 80% uptime on a relatively critical production component.

I don't get any more emails from users about the issue so it seems to be resolved across all/most markets.

Copy link

osa1 commented Apr 25, 2024

Sorry for the noise -- it turns out Dexcom Android app logged me out from Dexcom services and stopped uploading data.

I also fixed my script in the meantime. Here's a working version:

(Deleted my original comment to avoid adding noise to this useful page)

Copy link

dgoldman95 commented Jun 14, 2024

@osa1 this still gives me an empty result for the glucose values - but does return the account ID and session ID. Tried turning on/off sharing as well as well as rebooting the phone. Can't believe they would make an API so unusable without any documentation explaining the issue.

Is there any way to just get real time glucose values? Feeling like this shouldn't be as hard as it is.

Copy link

I think we are on borrowed time with the legacy dexcom share API. They are pushing all apps and partners over to their new API which is a lot more secure but unfortunately hard/impossible to reverse engineer. It uses oAuth to authenticate the users to Dexcom, which is good. I played around with it in their sandbox and applied for production client access but didn’t get it. They seem to be very restrictive to who they allow access.

Copy link

@fsallstrom - my understanding is that the developer API which requires oAuth has a 3 hour delay on the data. Are they merging the share and developer APIs?

Copy link

They also provide realtime data through that API. When you apply for access you can specify if you need access to real time data or not. I assume they are more restrictive in who they allow access to real time data.

Copy link

Ah I see. thanks @fsallstrom

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment