A Model Context Protocol (MCP) server that brings your Withings health data into Claude. Access your sleep patterns, body measurements, workouts, heart data, and more through natural conversation.
🔒 Privacy First: This is my personal project, and the repository is intentionally public to demonstrate transparency. The code shows that no personal information is logged or stored maliciously. All sensitive data (tokens, user IDs) is encrypted at rest and automatically redacted from logs. You can review the entire codebase to verify this commitment to privacy.
- What Can You Do With This?
- For End Users: Using the Hosted Server
- For Developers: Self-Hosting
- Security Features
- Contributing
- License
- Support
- Acknowledgments
This MCP server gives Claude access to your Withings health data, allowing you to:
- Analyze your sleep: Ask about sleep quality, duration, deep sleep stages, heart rate during sleep
- Track body metrics: Weight trends, body composition, blood pressure, heart rate over time
- Review workouts: Analyze exercise patterns, calories burned, heart rate zones
- Monitor heart health: Access ECG recordings and detailed heart data
- Set and track goals: Review your fitness and health goals
- Identify patterns: Find correlations between sleep, activity, and other metrics
- Generate insights: Get AI-powered analysis of your health trends
All through natural conversation with Claude or any other MCP-compatible client.
If you just want to use this MCP server with Claude Desktop without hosting anything yourself, follow these steps:
- A Withings account with connected devices
- Claude Desktop or any other MCP-compatible client installed on your computer
- Open Claude Desktop
- Go to Settings (gear icon in the bottom-left corner)
- Navigate to the Connectors tab
- Click Add Custom Connector
- Fill in the following details:
  - Name: `Withings` (or any name you prefer)
  - Remote MCP server URL: `https://withings-mcp.com/mcp`
- Click Add
Note: If your MCP client doesn't support UI-based connector configuration, you can manually edit the config file instead. See the manual configuration guide below.
- In the Connectors settings, find the Withings connector you just added
- Click Connect next to the connector
- Your web browser will open with the Withings authorization page
- Log in to your Withings account
- Review and approve the permissions requested
- You'll be redirected back and the connection will be complete
After authorization, Claude will have access to your Withings data!
Once connected, Claude can use these tools to access your data:
- `get_sleep_summary` - Sleep duration, stages (light/deep/REM), heart rate, breathing, sleep score
- `get_activity` - Daily steps, distance, calories, elevation, activity durations
- `get_intraday_activity` - High-frequency activity data throughout the day
- `get_workouts` - Detailed workout summaries with heart rate zones and metrics
- `get_measures` - Weight, body composition, blood pressure, heart rate, temperature, VO2 max, and more
- `get_user_devices` - List of connected Withings devices
- `get_user_goals` - Your health and fitness goals (steps, sleep, weight)
- `list_heart_records` - List of ECG recordings
- `get_heart_signal` - Detailed ECG waveform data
- `list_stetho_records` - List of stethoscope recordings
- `get_stetho_signal` - Detailed audio signal data
Try asking Claude:
- "How has my sleep quality been over the past week?"
- "Show me my weight trend for the last month"
- "What's my average resting heart rate?"
- "Did I hit my step goal this week?"
- "Compare my workout intensity between this month and last month"
- "When did I sleep best this month?"
- Encrypted tokens: All authentication tokens are encrypted using AES-256-GCM before storage
- No logging of personal data: The code is public - you can verify that no sensitive information is logged
- Automatic redaction: All user IDs, tokens, and credentials are automatically redacted from system logs
- OAuth 2.0: Industry-standard secure authentication with Withings
- You're in control: Revoke access anytime from your Withings account settings
Want to run your own instance? Here's how to deploy this MCP server yourself.
- Node.js 18+ and npm installed
- Deno CLI installed for deployment
- A Withings Developer Account
- Go to Withings Developer Portal
- Create a new application
- Note your Client ID and Client Secret
- Set your Redirect URI to: `https://your-domain.com/callback`
  - This must be a publicly accessible URL (localhost is not supported by Withings)
  - Can be any domain where you'll host the server (e.g., Deno Deploy, your own server, etc.)
```bash
# Clone the repository
git clone https://github.com/your-username/withings-mcp.git
cd withings-mcp
# Install dependencies
npm install
# Generate encryption secret
npm run generate-secret
# Copy the output - you'll need it for environment variables
```

Note: Withings requires a publicly accessible URL for OAuth callbacks. For local development, use a tunneling service to expose your local server or deploy to a staging environment for testing.
```bash
# Copy environment template
cp .env.example .env
# Edit .env with your values
# WITHINGS_CLIENT_ID=your_client_id
# WITHINGS_CLIENT_SECRET=your_client_secret
# WITHINGS_REDIRECT_URI=https://your-tunnel-url.com/callback
# ENCRYPTION_SECRET=paste_generated_secret_here
# PORT=3000
# Build the project
npm run build
# Run locally
npm start
```

Make sure your redirect URI in the .env file matches the publicly accessible URL pointing to your local server.
```bash
# Build the project
npm run build
# Deploy to your hosting platform of choice
# The build output is in the ./build directory
```

Set the following environment variables on your hosting platform:
| Variable | Required | Example |
|---|---|---|
| WITHINGS_CLIENT_ID | Yes | your_client_id |
| WITHINGS_CLIENT_SECRET | Yes | your_client_secret |
| WITHINGS_REDIRECT_URI | Yes | https://your-domain.com/callback |
| ENCRYPTION_SECRET | Yes | Generated from step 2 |
| PORT | No | 3000 (or your platform's default) |
| LOG_LEVEL | No | info |
| ALLOWED_ORIGINS | No | https://example.com,https://app.example.com |
Go back to your Withings developer app and update the redirect URI to match your deployed URL:
https://your-domain.com/callback
- Open Claude Desktop
- Go to Settings → Connectors tab
- Click Add Custom Connector
- Fill in the following details:
  - Name: `Withings` (or any name you prefer)
  - Remote MCP server URL: `https://your-domain.com/mcp`
- Click Add
- Click Connect next to the connector to authorize
Configure your MCP client with the following connection details:
- Server URL: `https://your-domain.com`
- Transport: Server-Sent Events (SSE)
- Endpoint: `/mcp`
- Authentication: OAuth 2.0
- Discovery URL: `/.well-known/oauth-authorization-server`
| Variable | Required | Description |
|---|---|---|
| WITHINGS_CLIENT_ID | Yes | Your Withings app client ID |
| WITHINGS_CLIENT_SECRET | Yes | Your Withings app client secret |
| WITHINGS_REDIRECT_URI | Yes | OAuth callback URL (must match Withings app settings) |
| ENCRYPTION_SECRET | Yes | 32+ character secret for token encryption (generate with `npm run generate-secret`) |
| PORT | No | Server port (default: 3000) |
| LOG_LEVEL | No | Logging level: trace, debug, info, warn, error (default: info) |
| ALLOWED_ORIGINS | No | Comma-separated list of allowed CORS origins for browser clients |
```bash
npm run build            # Compile TypeScript to JavaScript
npm run dev              # Watch mode - recompile on changes
npm run generate-secret  # Generate encryption secret for ENCRYPTION_SECRET env variable
```

```
src/
├── auth/       # OAuth 2.0 authentication & token storage
├── server/     # Hono app, MCP endpoints, middleware
├── tools/      # MCP tools for Withings API (sleep, measure, user, heart, stetho)
├── transport/  # Custom SSE transport for MCP
├── withings/   # Withings API client
├── utils/      # Logger and encryption utilities
└── index.ts    # Main entry point
```
See CLAUDE.md for detailed architecture documentation.
All Withings access and refresh tokens are encrypted at rest using AES-256-GCM:
- Algorithm: AES-256-GCM (authenticated encryption)
- Key Derivation: PBKDF2 with 100,000 iterations
- Defense in Depth: Even if the database is compromised, tokens remain protected as long as the ENCRYPTION_SECRET is not exposed along with it
Important: Keep your ENCRYPTION_SECRET:
- At least 32 characters long
- Randomly generated (use `npm run generate-secret`)
- Secure and never committed to version control
- Consistent across server restarts
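
The scheme described above (AES-256-GCM with a key derived from ENCRYPTION_SECRET by PBKDF2 at 100,000 iterations) can be sketched as follows. This is an added example in plain Node.js JavaScript, not the project's own code; the function names, the SHA-256 PRF, the salt and IV sizes, and the `salt || iv || tag || ciphertext` record layout are assumptions.

```javascript
const nodeCrypto = require('node:crypto');

// The page states AES-256-GCM and PBKDF2 with 100,000 iterations.
// Hash, salt/IV sizes and record layout below are assumptions of this example.
const PBKDF2_ITERATIONS = 100_000;
const SALT_LEN = 16; // fresh random salt per record
const IV_LEN = 12;   // 96-bit nonce, the size GCM is designed around
const TAG_LEN = 16;  // GCM authentication tag

function deriveKey(secret, salt) {
  return nodeCrypto.pbkdf2Sync(secret, salt, PBKDF2_ITERATIONS, 32, 'sha256');
}

// Returns base64(salt || iv || tag || ciphertext) for storage.
function encryptToken(plaintext, secret) {
  if (typeof secret !== 'string' || secret.length < 32) {
    throw new Error('ENCRYPTION_SECRET must be at least 32 characters');
  }
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const iv = nodeCrypto.randomBytes(IV_LEN); // never reuse an IV under one key
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(secret, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ciphertext]).toString('base64');
}

// Throws if the record was modified or the secret differs: the GCM tag
// check in final() fails before any plaintext is returned to the caller.
function decryptToken(record, secret) {
  const buf = Buffer.from(record, 'base64');
  if (buf.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error('record too short');
  const salt = buf.subarray(0, SALT_LEN);
  const iv = buf.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = buf.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const ciphertext = buf.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(secret, salt), iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
}
```

Because the key is derived from the secret, a changed ENCRYPTION_SECRET makes every stored record fail authentication, which is why it has to stay consistent across restarts.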
The custom logger automatically redacts all sensitive information:
- ✅ Operational events and errors logged
- ❌ No tokens, credentials, or auth codes
- ❌ No user IDs or personal information
- ❌ No API request/response payloads with sensitive data
You can review the logging implementation in src/utils/logger.ts.
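
A redacting log formatter along the lines described above can look like this. It is an added example, not the contents of src/utils/logger.ts; the key list, the patterns and the `logLine` helper are assumptions chosen to cover tokens, credentials, auth codes and user IDs.

```javascript
// Field names whose values are always dropped (assumed list for this example).
const SENSITIVE_KEYS =
  /^(access_?token|refresh_?token|token|code|client_?secret|authorization|user_?id|password)$/i;
// Secrets that can leak inside free-text strings such as URLs or error messages.
const BEARER = /Bearer\s+[A-Za-z0-9._~+\/-]+=*/g;
const QUERY_SECRET = /([?&](?:code|access_token|refresh_token|client_secret)=)[^&\s]+/gi;

function redactString(s) {
  return s.replace(BEARER, 'Bearer [REDACTED]').replace(QUERY_SECRET, '$1[REDACTED]');
}

// Recursively copies a value, masking sensitive keys and scrubbing strings.
// The WeakSet guards against circular references in logged objects.
function redact(value, seen = new WeakSet()) {
  if (typeof value === 'string') return redactString(value);
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return '[CIRCULAR]';
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, seen));
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    out[k] = SENSITIVE_KEYS.test(k) ? '[REDACTED]' : redact(v, seen);
  }
  return out;
}

// Builds one JSON log line; redaction happens before serialization so the
// raw values never reach the log sink.
function logLine(level, msg, fields = {}) {
  return JSON.stringify({ level, msg: redactString(msg), ...redact(fields) });
}
```

Key-based masking alone misses secrets embedded in URLs and error strings, so the string patterns run on every string value as well as on the message.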
This is a personal project, but contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Make your changes
- Submit a pull request
MIT License - see LICENSE file for details.
- Issues: Report bugs or request features on GitHub Issues
- Withings API: See Withings API Documentation
- MCP Protocol: See Model Context Protocol Documentation
Built with:
- Model Context Protocol by Anthropic
- Withings API
- Hono web framework
- Deno Deploy for hosting