How do I install Withings?

Withings is a local plugin. Install it using npm package: withings-mcp-unofficial and add the generated configuration snippet to your AI app's MCP config file. Then restart your AI app.

What credentials does Withings need?

Withings requires the following credentials or environment variables: WITHINGS_CLIENT_ID, WITHINGS_CLIENT_SECRET, WITHINGS_REDIRECT_URI, WITHINGS_TOKEN_PATH, WITHINGS_PRIVACY_MODE, WITHINGS_CACHE, WITHINGS_CACHE_PATH. You can find setup instructions on the server detail page.

What AI apps work with Withings?

Withings uses the Model Context Protocol (MCP) and works with any MCP-compatible AI app, including Claude, ChatGPT / Codex, Gemini, Copilot, Cursor, and more.

Back to Browse

Withings MCP Server

by davidmosiah

Developer ToolsUse Caution4.4LocalNew

Free

Privacy-first, unofficial Withings MCP server for AI health, sleep, activity and heart-rate agents.

About

Privacy-first, unofficial Withings MCP server for AI health, sleep, activity and heart-rate agents.

Security Report

4.4

Use Caution4.4High Risk

A well-structured MCP server for Withings health data with solid authentication, proper token handling, and thoughtful privacy controls. Tokens are securely stored locally with restricted permissions and never exposed. Minor code quality issues and overly broad error handling do not materially impact security given the server's legitimate purpose. Supply chain analysis found 3 known vulnerabilities in dependencies (0 critical, 3 high severity). Package verification found 1 issue.

5 files analyzed · 9 issues found

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.

Permissions Required

This plugin requests these system permissions. Most are normal for its category.

env_vars

Check that this permission is expected for this type of plugin.

File System Read

Reads files on your machine. Normal for tools that analyze or process local data.

File System Write

Writes or modifies files on your machine. Check that this is expected for the tool.

HTTP Network Access

Connects to external APIs or services over the internet.

system_info

Check that this permission is expected for this type of plugin.

What You'll Need

Set these up before or after installing:

Withings OAuth client ID. Optional when configured with withings-mcp-server setup.Optional

Environment variable: WITHINGS_CLIENT_ID

Withings OAuth client secret. Prefer withings-mcp-server setup so this secret is stored in ~/.withings-mcp/config.json instead of MCP client config.Required

Environment variable: WITHINGS_CLIENT_SECRET

Redirect URI configured in the Withings Developer Dashboard. Optional when configured with withings-mcp-server setup.Optional

Environment variable: WITHINGS_REDIRECT_URI

Optional local path for OAuth tokens. Defaults to ~/.withings-mcp/tokens.json.Optional

Environment variable: WITHINGS_TOKEN_PATH

Optional payload mode: summary, structured, or raw. Defaults to structured. raw means full Withings API payloads, not continuous 24/7 raw sensor telemetry.Optional

Environment variable: WITHINGS_PRIVACY_MODE

Optional SQLite cache toggle. Set to true or sqlite to enable.Optional

Environment variable: WITHINGS_CACHE

Optional local SQLite cache path. Defaults to ~/.withings-mcp/cache.sqlite.Optional

Environment variable: WITHINGS_CACHE_PATH

How to Install

Add this to your MCP configuration file:

{
  "mcpServers": {
    "io-github-davidmosiah-withingsmcp": {
      "env": {
        "WITHINGS_CACHE": "your-withings-cache-here",
        "WITHINGS_CLIENT_ID": "your-withings-client-id-here",
        "WITHINGS_CACHE_PATH": "your-withings-cache-path-here",
        "WITHINGS_TOKEN_PATH": "your-withings-token-path-here",
        "WITHINGS_PRIVACY_MODE": "your-withings-privacy-mode-here",
        "WITHINGS_REDIRECT_URI": "your-withings-redirect-uri-here",
        "WITHINGS_CLIENT_SECRET": "your-withings-client-secret-here"
      },
      "args": [
        "-y",
        "withings-mcp-unofficial"
      ],
      "command": "npx"
    }
  }
}

Documentation

View on GitHub

From the project's GitHub README.

withings-mcp-server

Local-first MCP server that connects AI agents to your Withings body, sleep, activity and heart data.

Unofficial project. Not affiliated with, endorsed by or supported by Withings. Withings is a trademark of its respective owner. Use this only with your own Withings account and in line with the Withings Public API terms.

Built by David Mosiah for people who use Claude, Cursor, Hermes, OpenClaw or other MCP-compatible agents to think about body composition, sleep and long-term health trends — without copy-pasting numbers from the Withings app.

Part of Delx Wellness, a registry of local-first wellness MCP connectors.

Why this exists

Withings has the longest-running consumer body-composition and sleep ecosystem (smart scales, Sleep Analyzer, ScanWatch). The data is rich — punctual weight + body fat + muscle mass measurements, sleep stages, ECG-grade heart records — but the Withings Public API uses a signed-token OAuth flow that's heavier than most consumer APIs.

This package handles the signed OAuth dance locally, normalizes responses, and exposes Withings through the Model Context Protocol. Tokens never leave your machine. Privacy-mode defaults keep raw payloads opt-in.

Setup in 60 seconds

You'll need a Withings app (create one here) with redirect URI http://127.0.0.1:3000/callback.

npx -y withings-mcp-unofficial setup    # interactive: paste client id + secret
npx -y withings-mcp-unofficial auth     # opens browser, captures the OAuth code
npx -y withings-mcp-unofficial doctor   # verifies you're ready

Recommended scopes:

user.activity user.metrics

Then add this to your MCP client config:

{
  "mcpServers": {
    "withings": {
      "command": "npx",
      "args": ["-y", "withings-mcp-unofficial"]
    }
  }
}

For Claude Desktop, run setup --client claude and the snippet is written for you.

Note: Withings OAuth authorization codes are short-lived (a few minutes). Don't pause between approving the consent screen and withings_exchange_code running.

Try it with your agent

Three things to ask first:

Use withings_connection_status to check setup, then run withings_daily_summary.
Give me a 5-line wellness brief for today.

Call withings_weekly_summary with response_format=json. Identify my biggest
sleep/body bottleneck and give me a next-week plan.

Use the withings_body_sleep_investigation prompt, after=2026-04-01.
Walk me through what changed in body composition + sleep.

Data availability

This package uses the official Withings Public API. When this README says raw, it means the upstream Withings JSON for a supported endpoint — not raw device sensor streams.

Data	Available	Notes
Body measures (weight, fat %, muscle, bone, water)	✓	Requires `user.metrics` scope
Daily activity (steps, calories, distance, intensity)	✓	Requires `user.activity` scope
Workouts + sport metadata	✓	Requires `user.activity` scope
Sleep summaries (duration, stages, efficiency, HR)	✓	Requires `user.activity` scope
Sleep detail records	✓	When the device exposes them
Heart records (ECG, BP, etc.)	✓	Requires `user.metrics` scope; varies by device/plan
Continuous sensor telemetry	—	Not exposed by Withings Public API

Tools

Start with these:

withings_connection_status — verify local setup before calling Withings
withings_daily_summary — body, sleep, activity and heart brief for today
withings_weekly_summary — scorecard, comparison vs prior week, next-week plan

Auth & diagnostics

withings_capabilities, withings_agent_manifest, withings_privacy_audit, withings_cache_status
withings_get_auth_url, withings_exchange_code, withings_revoke_access

Body & metrics

withings_list_body_measures — punctual weight/composition records
withings_list_heart — heart records when device/plan permit

Activity

withings_list_activity — daily activity summaries
withings_list_workouts — logged workouts

Sleep

withings_list_sleep_summary — daily sleep summaries with HR/stage fields
withings_list_sleep — detailed sleep records

Prompts

withings_daily_checkin — practical daily health and body check-in
withings_weekly_review — review trends across body, sleep, activity
withings_body_sleep_investigation — investigate body measures + sleep together

Resources

withings://capabilities, withings://agent-manifest
withings://latest/activity, withings://latest/sleep
withings://summary/daily, withings://summary/weekly

Privacy & security

OAuth tokens are stored in ~/.withings-mcp/tokens.json with 0600 permissions and are never returned by tools.
Withings uses a signed-request OAuth flow — the package handles signing locally; client secrets never reach the MCP client.
The server never prints access or refresh tokens.
WITHINGS_PRIVACY_MODE defaults to structured. Raw Withings JSON is opt-in via raw mode or per-call override.
withings_revoke_access clears local tokens; full account-side token revocation depends on your Withings plan.
The MCP client never sees access or refresh tokens.
This is not medical advice. Withings exposes data that may resemble medical signals (ECG, blood pressure) but this server is for personal AI workflows, not diagnosis or treatment.

Configuration

setup writes most of these into ~/.withings-mcp/config.json (0600). Manual env override is supported:

WITHINGS_CLIENT_ID=…
WITHINGS_CLIENT_SECRET=…
WITHINGS_REDIRECT_URI=http://127.0.0.1:3000/callback

# Optional
WITHINGS_SCOPES="user.activity user.metrics"
WITHINGS_PRIVACY_MODE=structured        # summary | structured | raw
WITHINGS_CACHE=sqlite                   # optional read-through cache
WITHINGS_TOKEN_PATH=~/.withings-mcp/tokens.json
WITHINGS_CACHE_PATH=~/.withings-mcp/cache.sqlite

Hermes / remote setup

npx -y withings-mcp-unofficial setup --client hermes --no-auth
npx -y withings-mcp-unofficial auth                      # run locally if browser auth is needed
npx -y withings-mcp-unofficial doctor --client hermes
hermes mcp test withings

After Hermes config changes, use /reload-mcp or hermes mcp test withings. Don't restart the gateway for normal data access.

If browser OAuth has to happen on a different machine than Hermes, run auth locally and copy ~/.withings-mcp/tokens.json to the server with chmod 600.

Requirements

Node.js 20+
A Withings app at https://account.withings.com/partner/dashboard_oauth2 with redirect URI http://127.0.0.1:3000/callback

Development

git clone https://github.com/davidmosiah/withingsmcp.git
cd withingsmcp
npm install
npm test
npm run build

Test with MCP Inspector:

npx @modelcontextprotocol/inspector node dist/index.js

License

MIT — see LICENSE.

Disclaimer

This software is provided as-is. It is not a medical device, does not provide medical advice, and should not be used for diagnosis or treatment. Withings exposes data that may resemble medical signals (ECG, blood pressure, body composition) — always consult qualified professionals for medical concerns.