Topics:
Create your project
View project details
To view project details:
Edit configuration
To update project configuration:
(See below for more information on configuration items.)
Set up OAuth2 credentials and URLs
Go to your project detail page to get OAuth2 credentials. Use these
to set up your OAuth2 authorization process.
(Read more about OAuth2 authorization
setup below for more details.)
Test authorization with up to 20 test users.
Once you've set up your OAuth2 authorization process, you can test user
authorizations. (Note: your own account can be a test user too!)
Try sending users to the "enrollment URL" you've specified to test the entire process.
Test withdrawal/deauthorization and reauthorization
Members can immediately withdraw/deauthorize a project on their
connections management page.
You can reauthorize a project by returning to its "signup URL".
If a project changes requested permissions, new permissions will take effect only if/when a member has reauthorized the project.
Test API data access
If any test users have data from requested sources, it will
become accessible to your project. Check that
data access is working correctly.
Test messaging
If your project is planning to send messages to users, you can test this
feature by
sending messages to your test users.
Test data upload
If your project is planning to add or return data to member accounts,
you can test the
data upload process.
Review project guidelines.
Review our Activity
Guidelines and ensure your project has good security and responsible
data management practices before seeking project approval.
Request project approval.
Project approval is required to remove the 20 user cap. Once approved,
we'll share your project with Open Humans members. For approval, we require
any project classified as a "study" to have been reviewed and approved by
an Institutional Review Board or equivalent ethics board.
The project approval process is performed with feedback from the larger Open Humans community. Project approval is discussed publicly on our Discourse and project members are asked to weigh and ask questions to the project leads. A step-by-step guide can be found in our Approval How-To.
When you no longer wish to have new members join your project, edit your project's configuration to turn off "Active" status.
Study or activity?
Are you doing research? If so, you're a "study". We expect all studies
to have be approved by an Institutional Review Board (IRB) or equivalent
ethical review.
Non-study projects are also welcome, for example: data analysis tools, or projects to enable import of a certain type of data.
Project name
Your project will be listed with this name.
Leader(s) or Principal Investigator(s)
These will be listed in your project description.
Organization or Institution
This will be listed in your project description.
Academic or non-profit?
Select "yes" if your project's affiliation is academic or nonprofit.
This affects how your project is listed in Open Humans.
Contact email for your project
Members who wish to contact your project will use this email address.
If your project sends messages, this email will be the "reply-to" in the
emails members receive.
URL for general information about your project
Members who want more information about your project can follow this
URL to learn more.
Short description
This description will be displayed for members when your project is
listed.
Long description
A longer description for members. (Note: This field isn't currently in
use by our site, but might be later.)
Description of data you plan to upload to member accounts
Describe any data your project is planning to add or return, via upload
to the accounts of your project's members. Leave this blank if your
project doesn't plan to add or return data via Open Humans.
Active
Members can only join a project if it is "active". You should answer
"Yes" during development to enable testing the join & authorization
process.
When you wish to close a study enrollment (i.e. no new members may join), remove "active" status for your project.
Badge image
Badges should be circular images. Members that join your project will
have this badge displayed on their profile.
Request sources access
Select all data sources that you're requesting members to share with
your project. New and updated data held by members will be shared in an
ongoing manner as long as your project is authorized.
Are you requesting permission to message users?
Answer "Yes" if you want your project to be authorized to send messages.
Are you requesting Open Humans usernames?
Answer "Yes" if you want your project to have access to the usernames
of your project members. This implicitly enables access to anything the
user is publicly sharing on Open Humans.
Username information is also potentially sensitive and/or identifying. You might want to avoid username access to improve security and potentially facilitate IRB review.
To facilitate the use of the OAuth2 API we offer two Python packages:
django-open-humans
,
a re-usable application for the Django web framework. It fully
implements our API methods along with the necessary logic for logging
people in and requesting permissions.
Its documentation explains how to install, setup and use the package.
open-humans-api
,
a package that wraps all calls to the Open Humans API into
Python functions and additionally provides command-line interfaces
to directly interact with the API.
See the documentation for more details.
Of course, the API can also be accessed through the programming language of your choice without those packages. Below is a brief overview of how to use OAuth2 credentials and URLs to authorize a user from your app or website. If you're not familiar with OAuth2, we recommend you read the OAuth Wikipedia article and other online resources for general information about these processes.
Direct your user to the Authorization URL.
This URL should includethe following parameters:
"client_id" set to your Client ID
"response_type" set to "code"
For example, for the authorization URL
https://www.openhumans.org/direct-sharing/projects/oauth2/authorize/
and the client ID ABCDEFG1234567
, you send your user to:
https://www.openhumans.org/direct-sharing/projects/oauth2/authorize/?client_id=ABCDEFGJ1234567&response_type=code
User returns with code.
If the user authorizes your project, Open Humans will send them back to
your "Redirect URL" with the parameter "code" set. For example, if your
redirect URL is https://www.example.com/authorize_openhumans
and the code is 123abc456def
then we'll send the user to:
https://www.example.com/authorize_openhumans/?code=123abc456def
Your website or app will presumably know which user is associated with this code. You should immediately exchange the code for token data, which you'll store associated with your user's account.
Exchange the code for a token.
Your website or app needs to exchange the code for a more permanent token.
Do this immediately: the code will expire soon after it's shared.
Use your client ID and client secret as credentials for this transaction.
Make sure you do this securely (use https).
Use a POST request to the "access token URL" with the following data:
'grant_type' set to 'authorization_code'
'code' set to the value of the code you received
'redirect_uri' set to the same redirect URL you've specified in Open Humans
If everything is set correctly, the Open Humans website will return JSON data with values for 'access_token', 'refresh_token', and 'expires_in' (seconds). Keep this token and refresh token secure. The token can be used to access the OAuth2 project member API endpoint to retrieve this member's project member ID and other data.
For example, the following Python code fragment exchanges a code for token data. (This uses the requests library.)
import requests
data = {
'grant_type': 'authorization_code',
'code': received_code,
'redirect_uri': your_redirect_url
}
token_response = requests.post(
open_humans_access_token_url,
data=data,
auth=requests.auth.HTTPBasicAuth(
your_open_humans_client_id,
your_open_humans_client_secret
)
)
token_data = token_response.json()
access_token = token_data['access_token']
refresh_token = token_data['refresh_token']
seconds_before_expiration = token_data['expires_in']
Another example code-for-token exchange in JavaScript, using the request library.
const request = require('request')
request.post(
{
url: 'https://www.openhumans.org/oauth2/token/',
auth: {
'user': clientID,
'pass': clientSecret
},
formData: {
'grant_type': 'authorization_code',
'code': code,
'redirect_uri': redirectURI
},
}, function(err, res) {
console.log(res.statusCode)
console.log(res.body)
})
How to refresh your token.
For security reasons, tokens expire after a period of time. To request
a fresh token, use a POST request to the "access token URL" with the
following data:
'grant_type' set to 'refresh_token'
'refresh_token' set to the refresh token you received
If everything is set correctly, the Open Humans website will return JSON data with a new 'access_token', 'refresh_token', and 'expires_in' (seconds).
A webhook can optionally be provided to automate handling when members leaving (deauthorize) an activity (for example, a request to erase personal data, to comply with GDPR). If provided, when a member leaves an activity a POST will be sent to that URL with JSON formatted data containing the following fields:
project_member_id
: (string) identifying the project member performing deauthorization
erasure_requested
: (true/false) whether the deauthorizing member is requesting the activity delete their personal data
timestamp
: (string) ISO 8601 format timestamp of the deauthorization
A webhook secret can optionally be provided, to be used to verify that
incoming requests sent to the webhook are coming from Open Humans.
If provided, POSTs to the webhook will use the secret to provide an hmac-sha1
a verification signature via a custom X-OpenHumans-Webhooks-Signature
header. The value of this header is the string sha1=
followed by
the hmac-sha1 hexdigest of the payload.
For example, the secret: abcdefghijklmnop
would be used in combination with a payload:{"project_member_id": "12345678", "erasure_requested": true, "timestamp": "2020-06-30T20:00:00.000000+00:00"}
to provide the following signature in the header: sha1=ebda5c0a38593a4350ad8401b7d8c8f1cd08ec67
# example Python code for generating this string import hmac key = 'abcdefghijklmnop'.encode('utf-8') payload = '{"project_member_id": "12345678", "erasure_requested": true, "timestamp": "2020-06-30T20:00:00.000000+00:00"}'.encode('utf-8') sig = 'sha1=' + hmac.hex