HTTP dump of Libre Link Up used in combination with FreeStyle Libre 3

libre-link-up-http-dump.md

LibreLinkUp HTTP-Dump

This document describes the HTTP communication of LibreLinkUp which functions as follower app to receive cgm data. Some data in the responses were masked.

Context

This dump was created on an android device with LibreLinkUp app. Capturing was done with HttpToolkit over adb.

API Url

The global api url is https://api.libreview.io. If you are placed in europe you can use https://api-eu.libreview.io instead.

Headers

The following list includes general purpose headers but also specific ones which are required to get correct responses:

General purpose

'accept-encoding': 'gzip'
'cache-control': 'no-cache'
'connection': 'Keep-Alive'
'content-type': 'application/json'

Specific

The following headers are required and needs to be setted to get correct responses. There might be alternative values which are not known.

'product': 'llu.android'
'version': '4.2.1',

Request Flow

To get cgm data from the api it is required to fire at least three requests:

1. Login and retrieve JWT Token
2. Get connections of patients to get patientId
3. Retrieve cgm data of specific patient

Login

This request expects credentials and will return a JWT Token which is required to call auth-needed endpoints.

Endpoint POST /llu/auth/login

Request Body

{
  "email": "[email protected]",
  "password": "$yOurVerySecretPasSw0rd!"
}

Response

{
  "status": 0,
  "data": {
    "user": {
      "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "firstName": "John",
      "lastName": "Doe",
      "email": "[email protected]",
      "country": "DE",
      "uiLanguage": "de-DE",
      "communicationLanguage": "de-DE",
      "accountType": "pat",
      "uom": "1",
      "dateFormat": "2",
      "timeFormat": "2",
      "emailDay": [
        1
      ],
      "system": {
        "messages": {
          "firstUsePhoenix": 1652399492,
          "firstUsePhoenixReportsDataMerged": 1652399492,
          "lluGettingStartedBanner": 1652399555,
          "lluNewFeatureModal": 1652399526,
          "lluOnboarding": 1652399536,
          "lvWebPostRelease": "3.9.47"
        }
      },
      "details": {},
      "created": 1652399492,
      "lastLogin": 1653140180,
      "programs": {},
      "dateOfBirth": 627609600,
      "practices": {},
      "devices": {},
      "consents": {
        "llu": {
          "policyAccept": 1652399485,
          "touAccept": 1652399485
        }
      }
    },
    "messages": {
      "unread": 0
    },
    "notifications": {
      "unresolved": 0
    },
    "authTicket": {
      "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjZlZGFjNDk2LWQyNGUtMTFlYy04ZTVkLTAyNDJhYzExMDAwMiIsImZpcnN0TmFtZSI6IkhhbGltZSBTZWxjdWsiLCJsYXN0TmFtZSI6Iktla2VjIiwiY291bnRyeSI6IkRFIiwicmVnaW9uIjoiZXUiLCJyb2xlIjoicGF0aWVudCIsInVuaXRzIjoxLCJwcmFjdGljZXMiOltdLCJjIjoxLCJzIjoibGx1LmFuZHJvaWQiLCJleHAiOjE2Njg2OTIzNTh9.MdEzdJ3NrpYS4WVAcuy87Gxzk7EJFHzCtei-y7_XXXX",
      "expires": 1668692358,
      "duration": 15552000000
    },
    "invitations": [
      "xxxxxxxxx"
    ]
  }
}

The JWT Token is present in data.authTicket.token and is valid for nearly 6 month which is quite long. This is extremly long and actually you cannot invalidate this token why you should not share it with anyone.

For the next requests you have to set this token in the headers:

'authorization': Bearer [YOUR_JWT_TOKEN]

Get connections

To be able to retrieve cgm data you have to determine the patientId of the person who is sharing his data with you.

Endpoint GET /llu/connections

Response

{
  "status": 0,
  "data": [
    {
      "id": "xxxxx",
      "patientId": "xxxxxxx",
      "country": "DE",
      "status": 2,
      "firstName": "John",
      "lastName": "Doe",
      "targetLow": 70,
      "targetHigh": 130,
      "uom": 1,
      "sensor": {
        "deviceId": "",
        "sn": "xxxxx",
        "a": 1652400270,
        "w": 60,
        "pt": 4
      },
      "alarmRules": {
        "c": true,
        "h": {
          "on": true,
          "th": 130,
          "thmm": 7.2,
          "d": 1440,
          "f": 0.1
        },
        "f": {
          "th": 55,
          "thmm": 3,
          "d": 30,
          "tl": 10,
          "tlmm": 0.6
        },
        "l": {
          "on": true,
          "th": 70,
          "thmm": 3.9,
          "d": 1440,
          "tl": 10,
          "tlmm": 0.6
        },
        "nd": {
          "i": 20,
          "r": 5,
          "l": 6
        },
        "p": 5,
        "r": 5,
        "std": {}
      },
      "glucoseMeasurement": {
        "FactoryTimestamp": "5/21/2022 1:38:50 PM",
        "Timestamp": "5/21/2022 3:38:50 PM",
        "type": 1,
        "ValueInMgPerDl": 91,
        "TrendArrow": 3,
        "TrendMessage": null,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 91,
        "isHigh": false,
        "isLow": false
      },
      "glucoseItem": {
        "FactoryTimestamp": "5/21/2022 1:38:50 PM",
        "Timestamp": "5/21/2022 3:38:50 PM",
        "type": 1,
        "ValueInMgPerDl": 91,
        "TrendArrow": 3,
        "TrendMessage": null,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 91,
        "isHigh": false,
        "isLow": false
      },
      "glucoseAlarm": null,
      "patientDevice": {
        "did": "2d97357e-d250-11ec-b409-0242ac110004",
        "dtid": 40068,
        "v": "3.3.1",
        "ll": 65,
        "hl": 130,
        "u": 1653016896,
        "fixedLowAlarmValues": {
          "mgdl": 60,
          "mmoll": 3.3
        },
        "alarms": false
      },
      "created": 1652399545
    }
  ],
  "ticket": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjZlZGFjNDk2LWQyNGUtMTFlYy04ZTVkLTAyNDJhYzExMDAwMiIsImZpcnN0TmFtZSI6IkhhbGltZSBTZWxjdWsiLCJsYXN0TmFtZSI6Iktla2VjIiwiY291bnRyeSI6IkRFIiwicmVnaW9uIjoiZXUiLCJyb2xlIjoicGF0aWVudCIsInVuaXRzIjoxLCJwcmFjdGljZXMiOltdLCJjIjoxLCJzIjoibGx1LmFuZHJvaWQiLCJleHAiOjE2Njg2OTIzNTh9.MdEzdJ3NrpYS4WVAcuy87Gxzk7EJFHzCtei-y7_XXXX",
    "expires": 1668692358,
    "duration": 15552000000
  }
}

The datapart includes all persons who are sharing their data with you. To retrieve cgm data you need data[0].patientId.

Get cgm data

Now both prerequirements (JWT Token and Patient ID) are met and you can retrieve the cgm data.

Endpoint GET /llu/connections/{patientId}/graph

Response

{
  "status": 0,
  "data": {
    "connection": {
      "id": "xxxxxxx",
      "patientId": "xxxxxxx",
      "country": "DE",
      "status": 2,
      "firstName": "John",
      "lastName": "Doe",
      "targetLow": 70,
      "targetHigh": 130,
      "uom": 1,
      "sensor": {
        "deviceId": "",
        "sn": "XXXXXXXXXX",
        "a": 1652400270,
        "w": 60,
        "pt": 4
      },
      "alarmRules": {
        "c": true,
        "h": {
          "on": true,
          "th": 130,
          "thmm": 7.2,
          "d": 1440,
          "f": 0.1
        },
        "f": {
          "th": 55,
          "thmm": 3,
          "d": 30,
          "tl": 10,
          "tlmm": 0.6
        },
        "l": {
          "on": true,
          "th": 70,
          "thmm": 3.9,
          "d": 1440,
          "tl": 10,
          "tlmm": 0.6
        },
        "nd": {
          "i": 20,
          "r": 5,
          "l": 6
        },
        "p": 5,
        "r": 5,
        "std": {}
      },
      "glucoseMeasurement": {
        "FactoryTimestamp": "5/21/2022 1:38:50 PM",
        "Timestamp": "5/21/2022 3:38:50 PM",
        "type": 1,
        "ValueInMgPerDl": 91,
        "TrendArrow": 3,
        "TrendMessage": null,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 91,
        "isHigh": false,
        "isLow": false
      },
      "glucoseItem": {
        "FactoryTimestamp": "5/21/2022 1:38:50 PM",
        "Timestamp": "5/21/2022 3:38:50 PM",
        "type": 1,
        "ValueInMgPerDl": 91,
        "TrendArrow": 3,
        "TrendMessage": null,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 91,
        "isHigh": false,
        "isLow": false
      },
      "glucoseAlarm": null,
      "patientDevice": {
        "did": "xxxxxxx",
        "dtid": 40068,
        "v": "3.3.1",
        "ll": 65,
        "hl": 130,
        "u": 1653016896,
        "fixedLowAlarmValues": {
          "mgdl": 60,
          "mmoll": 3.3
        },
        "alarms": false
      },
      "created": 1652399545
    },
    "activeSensors": [
      {
        "sensor": {
          "deviceId": "xxxxxx",
          "sn": "xxxxx",
          "a": 1652400270,
          "w": 60,
          "pt": 4
        },
        "device": {
          "did": "xxxxxx",
          "dtid": 40068,
          "v": "3.3.1",
          "ll": 65,
          "hl": 130,
          "u": 1653016896,
          "fixedLowAlarmValues": {
            "mgdl": 60,
            "mmoll": 3.3
          },
          "alarms": false
        }
      },
      {
        "sensor": {
          "deviceId": "xxxxx",
          "sn": "xxxxxx",
          "a": 1652399154,
          "w": 60,
          "pt": 4
        },
        "device": {
          "did": "xxxxxxxxx",
          "dtid": 40068,
          "v": "3.3.1",
          "ll": 70,
          "hl": 250,
          "u": 1652399060,
          "fixedLowAlarmValues": {
            "mgdl": 60,
            "mmoll": 3.3
          },
          "alarms": false
        }
      },
      {
        "sensor": {
          "deviceId": "xxxxx",
          "sn": "xxxxx",
          "a": 1652391830,
          "w": 60,
          "pt": 4
        },
        "device": {
          "did": "xxxxx",
          "dtid": 40068,
          "v": "3.3.1",
          "ll": 70,
          "hl": 250,
          "u": 1652396851,
          "fixedLowAlarmValues": {
            "mgdl": 60,
            "mmoll": 3.3
          },
          "alarms": false
        }
      }
    ],
    "graphData": [
      {
        "FactoryTimestamp": "5/21/2022 1:39:50 AM",
        "Timestamp": "5/21/2022 3:39:50 AM",
        "type": 0,
        "ValueInMgPerDl": 117,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 117,
        "isHigh": false,
        "isLow": false
      },
      {
        "FactoryTimestamp": "5/21/2022 1:44:51 AM",
        "Timestamp": "5/21/2022 3:44:51 AM",
        "type": 0,
        "ValueInMgPerDl": 115,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 115,
        "isHigh": false,
        "isLow": false
      },
      {
        "FactoryTimestamp": "5/21/2022 1:49:50 AM",
        "Timestamp": "5/21/2022 3:49:50 AM",
        "type": 0,
        "ValueInMgPerDl": 115,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 115,
        "isHigh": false,
        "isLow": false
      },
      {
        "FactoryTimestamp": "5/21/2022 1:54:51 AM",
        "Timestamp": "5/21/2022 3:54:51 AM",
        "type": 0,
        "ValueInMgPerDl": 116,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 116,
        "isHigh": false,
        "isLow": false
      },
      {
        "FactoryTimestamp": "5/21/2022 1:59:50 AM",
        "Timestamp": "5/21/2022 3:59:50 AM",
        "type": 0,
        "ValueInMgPerDl": 116,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 116,
        "isHigh": false,
        "isLow": false
      },
      {
        "FactoryTimestamp": "5/21/2022 2:04:50 AM",
        "Timestamp": "5/21/2022 4:04:50 AM",
        "type": 0,
        "ValueInMgPerDl": 118,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 118,
        "isHigh": false,
        "isLow": false
      },
      {
        "FactoryTimestamp": "5/21/2022 2:09:50 AM",
        "Timestamp": "5/21/2022 4:09:50 AM",
        "type": 0,
        "ValueInMgPerDl": 118,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 118,
        "isHigh": false,
        "isLow": false
      },
      {
        "FactoryTimestamp": "5/21/2022 2:14:51 AM",
        "Timestamp": "5/21/2022 4:14:51 AM",
        "type": 0,
        "ValueInMgPerDl": 115,
        "MeasurementColor": 1,
        "GlucoseUnits": 1,
        "Value": 115,
        "isHigh": false,
        "isLow": false
      }
    ]
  },
  "ticket": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjZlZGFjNDk2LWQyNGUtMTFlYy04ZTVkLTAyNDJhYzExMDAwMiIsImZpcnN0TmFtZSI6IkhhbGltZSBTZWxjdWsiLCJsYXN0TmFtZSI6Iktla2VjIiwiY291bnRyeSI6IkRFIiwicmVnaW9uIjoiZXUiLCJyb2xlIjoicGF0aWVudCIsInVuaXRzIjoxLCJwcmFjdGljZXMiOltdLCJjIjoxLCJzIjoibGx1LmFuZHJvaWQiLCJleHAiOjE2Njg2OTIzNTl9.LK8Ejr2IDKGM7oiObVYMHC8HV2bPcv6obt7UiEFXXXX",
    "expires": 1668692359,
    "duration": 15552000000
  }
}

The last measurement is present in glucoseMeasurement:

{
  "FactoryTimestamp": "5/21/2022 1:38:50 PM",
  "Timestamp": "5/21/2022 3:38:50 PM",
  "type": 1,
  "ValueInMgPerDl": 91,
  "TrendArrow": 3,
  "TrendMessage": null,
  "MeasurementColor": 1,
  "GlucoseUnits": 1,
  "Value": 91,
  "isHigh": false,
  "isLow": false
}

Instead you can find historical measurements in graphData. The data has the same shape as above.

Contact

Selcuk Kekec

E-mail: [email protected]

I would like to know if anyone has been able to download the "csv" file programmatically?

I looked at this but the problem is that the api call (an export post request) requires a captcha response - in other words you have to solve the captcha before you can request the csv.

I get this but maybe I can intercept this in my app and then pass the "proof" back to libreview?

I have been using this successfully for some time now, although I've had to set the version header to 4.10.0 to work. I've received notifications from the LibreLink app that as of October 8th, version 4.15 and below will no longer receive data. I've tried updating the version header to 4.16.0 , but then get the 'missing header' error. Does anyone know what the latest working headers are?

@knolleary I just checked the app I created and I am still using 4.7 version with no issue. I am on Android so I don't know if that matters.

Up until today I'd been using version 4.7, but now see the same issue as reported above:

{"data":{"minimumVersion":"4.16.0"},"status":920}

If I set the version to 4.16, I get:

{"message":"RequiredHeaderMissing"}

This is in the -eu2 region.

@SteveCEvans likewise. As per my previous message, I have been receiving in-app warnings to upgrade client version before the 8th October... ie today. And sure enough, access to the API has stopped working today.

Hopefully someone can figure out the necessary headers to keep this working

Fixed it! I'm using micro python.

Prior to 4.16 my header for fetching graph data was:

        auth_header = {
            'Accept'        : 'application/json',
            'Authorization' : 'Bearer ' + self._user_token,
       }

And now I have:

        auth_header = {
            'Accept'        : 'application/json',
            'Authorization' : 'Bearer ' + self._user_token,
            'Account-Id'    : self._account_id
        }

Where:

            digest = uhashlib.sha256(self._user_id.encode('utf-8')).digest()
            self._account_id = ubinascii.hexlify(digest).decode('utf-8')

I hope that makes sense.

@SteveCEvans well done - can confirm that works for me (intrigued to know how you figured that out...)

For reference, in node.js land, this translates to:

const { createHash } = require('crypto');
const AccountIdHeader = createHash('sha256').update(userId).digest('hex');

userId can be obtained from the response of the initial login HTTP request.

(intrigued to know how you figured that out...)

Perhaps by reading this gist? This change has been rolling out slowly since last year - See https://gist.github.com/khskekec/6c13ba01b10d3018d816706a32ae8ab2?permalink_comment_id=5330300#gistcomment-5330300

@sgmoore ha - good point. So many replies and collapsed comments, I had missed that.

@SteveCEvans well done - can confirm that works for me (intrigued to know how you figured that out...)

For reference, in node.js land, this translates to:

const { createHash } = require('crypto');
const AccountIdHeader = createHash('sha256').update(userId).digest('hex');

userId can be obtained from the response of the initial login HTTP request.

It was actually mentioned above at https://gist.github.com/khskekec/6c13ba01b10d3018d816706a32ae8ab2?permalink_comment_id=5358133#gistcomment-5358133

@SteveCEvans "I hope that makes sense." Not really. In my version when I get "https://api.libreview.io/llu/connections/" + PATIENT_ID + "/graph", my headers have "Accept", "Authorization", "product" and "version". I changed version to 4.16.0 and it gave me a protocol error. So as I understand it you had to add "Account-Id". The value you are sending out is an sha256 checksum of the PATIENT_ID?

That worked for me. Thanks!!

I only send the version header for the login. Once I have the user id and token it’s no longer needed.

@SteveCEvans I'll give that a try.

For all those GOphers:

// getAccountID returns the account ID for the given user ID
func getAccountID(userID string) string {
	hash := sha256.Sum256([]byte(userID))
	return hex.EncodeToString(hash[:])
}

I struggled with URL's, but I got it to work.
So I summarize here.
(I live in Europe)
To request the jwt token and Patient_ID, I use POST to "https://api-eu.libreview.io/llu/auth/login"
For client info including latest glucose level, I use GET to "https://api-eu.libreview.io/llu/connections/"
where I use headers:
headers = {
"Accept": "application/json",
"product": "llu.android",
"version": "4.16",
"Authorization": f"Bearer {jwt_token}",
"Account-Id" : Account_ID
}

Where Account_ID is the SHA256 digest of the Patient_ID.
I am very happy with the contributions from this community!

@gjkoolen I will have to try this as my tool is broken now on getting user information. Funny situation that my tablet doesn't seem to be affected. It may have something to do with what whatever version of Android I am running?

So from what I am seeing the url "https://api.libreview.io/user" is not being called any more?

I was folling this order:
http://api.libreview.io/llu/auth/login (this gets the TOKEN)
http://api.libreview.io/user (this gets DEVICE, EMAIL, FIRSTNAME, LASTNAME, PATIENT_ID)
http://api.libreview.io/account (I think this is where we get an Account_Id)
http://api.libreview.io/llu/connections (Here is where we are suppose to use the encyrpted Account_Id)
http://api.libreview.io/llu/connections/<PATIENT_ID>/graph
http://api.libreview.io/llu/connections/<PATIENT_ID>/logbook
http://api.libreview.io/llu/notifications/settings/<CONNECTION_ID> (Doesn't work for me)
http://api.libreview.io/llu/config/country?country=us

Mine crashes on "user" with a 302 error. So I need the PATIENT_ID/Account_ID before I actually get it from "user". Confusing.

@MrAda

http://api.libreview.io/user (this gets DEVICE, EMAIL, FIRSTNAME, LASTNAME, PATIENT_ID)
http://api.libreview.io/account (I think this is where we get an Account_Id)

I never used either of these (nor seen them used anywhere).

As you can see from the very first message in this gist, step 1 will normally¹ return a response with your user details , looking something like

{
  "status": 0,
  "data": {
    "user": {
      "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "firstName": "John",
      ...

and it is this id which you need to encrypt for use with llu/connections etc.

Footnotes

1. I say normally, because sometimes the response from step 1 is a redirect to an intermediate step (like accepting new Terms and Conditions etc) and you need to perform another api post to complete these step(s) until you get the full response. If your software does not handle those intermediate steps, you may have to log into the official LibreLinkup app in order to get passed that stage. ↩

Thanks @sgmoore
In addition: after Oct 8, I had to start my LibreLinkUp Android app, to read and accept the new terms of use.
After that, I got correct responses from my https requests.

Thanks @sgmoore In addition: after Oct 8, I had to start my LibreLinkUp Android app, to read and accept the new terms of use. After that, I got correct responses from my https requests.

Gosh that worked! my code is working again.

@sgmoore I like that you have a simpler interface. I will look into it.

@sgmoore I got things to work again. Your suggestion helped a lot. Do I new that new header "Account-Id" for every command after logging in or only on connections?

@MrAda

I use "Account-Id" for every command after logging in.

Hi! I'm building an app to get the LibreLinkUp data but it can only obtain ~142 records. Does anyone know if I can get my full history of my CGM data? Also, I started using my first CGM in Taipei a month ago, but I returned to the US and activated my 2nd CGM with region setting as US. Why do my returned records still have a timestamp in the TPE time zone? How can I fix it?

@rollkuo I don't think any of us have figured out to get all the data programmatically yet. You can go to LibreLinkUp on the web and download your csv data and then incorporate that into your app. Not optimal but it is what is available. You may have noticed that when you poll to get data from the API it is around 30 minutes in the past, no current data. I complained to Abbott that if I was being watched by a friend and I was plunging in Blood Glucose I could be in a serious medical event which could be tragic.

You may have noticed that when you poll to get data from the API it is around 30 minutes in the past, no current data

The data you get from the /llu/connections/{patientId}/graph endpoint should contain the current reading (or more accurately the last blood glucose value uploaded) in data/Connection/glucoseMeasurement or data/Connection/glucoseItem (And before you ask, I don't know what the difference between these two is)