Vital Sign-In Token is a new authentication scheme for Vital Mobile SDKs.

Documentation and migration guide for Vital Sign-In Token is available at

In a nutshell

  1. Your backend service generates a one-off Vital Sign-In Token for your mobile app user.
  2. Your mobile apps use the token to sign-in with Vital Mobile SDKs.
  3. Once signed in, your app authenticates to the Vital API only as that specific user. The SDK remembers the sign-in session in persistent storage until you instruct the SDK to reset.

Greater access control of your data

With Vital Sign-In Tokens:

  1. An SDK sign-in can access only API resources linked to the user.
  2. The SDK no longer requires your Vital API Key to function.

This means you can now keep your API Keys strictly a server-side secret, and therefore restrict full data access only to your internal systems.

Prepare for rate limiting

Vital is planning to roll out stricter API rate limiting in early 2024.

If you use the Vital API exclusively with server-to-server traffic or the Vital Connect apps, you should prepare for 429 (Too Many Requests) responses from the Vital API as a result of rate limiting. IETF Draft compliant rate limit headers are included in 429 (Too Many Requests) responses. In the absence of the headers, you can fall back to the assumption that Vital API rate limits are minute-based.

If you use Vital Mobile SDKs with API Key authentication, any Mobile SDK data push traffic competes for rate limit quota against your server-to-server traffic. Vital Sign-In Token avoids this caveat: SDK installations are authenticated to the Vital API as individual Vital users rather than as a Vital team (API Key), and therefore get a per-user rate limit.