# Implementation (Terra widget) ## 1. Make an API Request Make an API Request to the [`/auth/generateWidgetSession`](/reference/health-and-fitness-api/readme.md#post-auth-generatewidgetsession) endpoint from your backend. {% code title="Command Line" %} ```bash curl --request POST --url https://api.tryterra.co/v2/auth/generateWidgetSession \ --header 'dev-id: ' \ --header 'x-api-key: \ --header 'Content-Type: application/json' \ --data '{ "language": "en", "reference_id": "my_first_connection", "auth_success_redirect_url": "text", "auth_failure_redirect_url": "text", }' ``` {% endcode %} {% hint style="info" %} **Pro** **tip**: Use `reference_id` in your request Body to pass in your own end user's ID on your system. This will simplify reconciling the Terra [User](/reference/health-and-fitness-api/core-concepts.md#user) with your end user. {% endhint %} *** ## 2. Parse the Widget URL from the JSON Response The endpoint will generate a **widget url** in the response. Retrieve it by parsing `"url"` . {% code title="JSON" lineNumbers="true" %} ```json { "session_id": "23dc2540-7139-44c6-8158-f81196e2cf2e", "url": "https://widget.tryterra.co/session/344d475f-296a-489a-a88c-54183671dafd", "status": "success", "expires_in": 900 } ``` {% endcode %} *** ## 3. Open The Widget URL Pass the retrieved `"url"` to your client side, and open it either in: * an **in-app browser**, if using a mobile app, * or a **new tab,** if using a web app This will take your [end user](/reference/health-and-fitness-api/core-concepts.md#end-user) to the provider selection screen, the Terra authentication widget.

**Device** Selection screen
(Terra authentication widget)

{% hint style="info" %} The permissions list can be [customised through your Terra Dashboard](/health-and-fitness-api/integration-setup/customising-data-types.md) {% endhint %} You can find a list of all your **authenticated** **users** in: * Your [Terra Dashboard > Users](https://dashboard.tryterra.co/dashboard/users) * Or by using [the /subscriptions endpoints](https://docs.tryterra.co/reference/) *** ## ❌ Common Mistakes {% hint style="danger" %} ### Common Mistakes and Best Practices * Do not expose your API credentials. Instead, always call the [`/auth`](https://docs.tryterra.co/reference/) endpoints from your **backend.** * Do not call the API from your **frontend**, as this will lead to a **CORS error.** * Do not use **WebView** or **iFrame** for the authentication flow. Using them poses security risks due to the invisible URL bar, meaning that the user cannot know the domain onto which they are entering their username & password. Providers may completely block authentication leading to an error during the flow. Instead, use a **new tab** or an **in-app browser** to open the URL returned by the `/auth` endpoints. {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.tryterra.co/health-and-fitness-api/user-authentication/implementation-terra-widget.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.