ROOK Connect prerequisites
Integrating ROOK Connect requires specific resources. The primary requirement is a backend infrastructure capable of receiving and processing webhooks. Depending on the selected data sources, frontend or mobile engineering teams may also be required to handle user authorization and SDK implementation.
To successfully integrate our platform, the client must allocate engineering resources based on the specific architecture of the application. This section outlines the technical requirements and the recommended baseline architecture to ensure a stable, scalable integration.
Engineering team requirements
Backend engineering
The backend team is responsible for the core data pipeline. Their scope includes:
- Data ingestion: Build a secure, public API endpoint to receive health data payloads delivered by our webhooks.
- Data storage and processing: Implement secure database schemas to store the incoming data. The team must ensure the logic handles data updates efficiently.
- Client API development: Build internal APIs to serve the processed health data securely to the end-user applications.
Frontend engineering (Optional)
If the application requires a custom web experience, frontend resources are needed for:
- Custom connection pages: Build a user-facing authorization interface that allows users to grant access to their health data while maintaining the brand's native look and feel.
- Data visualization: Develop dashboards or user interfaces to present the aggregated health metrics clearly and actionably to the end-user.
Mobile engineering
Our platform integrates with two types of data sources: API-based and SDK mobile-based. If the project scope includes mobile-centric sources (such as Apple Health, Samsung health or Health Connect), the team must choose between two implementation paths:
- Custom mobile application: The mobile engineering team must integrate our iOS and Android SDKs into the client application.
- ROOK Extraction App: Alternatively, the organization can utilize our pre-built Extraction APP, a ready-to-use solution that collects device data without requiring custom mobile development.
Data source and testing prerequisites
Before initiating the technical implementation in the sandbox environment, the testing scenarios must be properly staged:
- Acquire test hardware: Procure physical wearable devices or active test accounts for the specific data sources defined in the project scope.
- Ensure pre-existing data: Test users must have historical health data available in their provider accounts. Our platform allows the extraction of historical data, and validating this initial sync is a critical pre-production step to ensure the backend processes large payloads correctly.
- JSON simulator: Similarly, ROOK provides a useful tool for testing when health data is not immediately available. Generic JSON files can be generated to accelerate testing through the ROOK portal.
Recommended integration architecture
A robust, production-ready architecture follows a linear data flow separating data ingestion from client consumption:
- Ingestion layer: The client backend exposes a webhook endpoint to receive data events from our servers.
- Storage layer: The backend securely stores the JSON payloads. During this step, the system must validate the
document_versionanddatetimefields to ensure data integrity and prevent the processing of duplicate events. - Consumption layer: The backend serves the structured data to the client's web or mobile applications via internal APIs.
- Authorization layer: The frontend or mobile application implements our SDKs or redirects users to the ROOK Extraction APP to facilitate secure device connection and user consent.
By adhering to this architectural pattern and ensuring the required engineering capabilities are in place, the integration timeline is significantly reduced, minimizing technical friction before reaching production.
Security Policies (WAF)
All ROOK API requests are now protected by AWS Web Application Firewall (WAF) rules. Requests that do not comply with these requirements will be blocked with HTTP 403 Forbidden.
Required Headers
All API requests must include the following headers:
User-Agent (MANDATORY)
- Header:
User-Agent - Required: ✅ YES - This is now MANDATORY
- Description: Identifies the client application making the request
- Example:
User-Agent: MyApp/1.0.0 - Error if missing:
HTTP 403 Forbidden - Request blocked by WAF
Content-Type (for POST/PUT requests)
- Header:
Content-Type: application/json - Required: ✅ YES for requests with request body
- Example:
Content-Type: application/json
Authorization
- Header:
Authorization: Bearer <token>or your API key method - Required: ✅ YES for all authenticated endpoints
- Example:
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
Parameter Restrictions
The following values and patterns are NOT allowed in any parameters:
Prohibited Values
localhostin any parameter value127.0.0.1or other local IP addresses (192.168.x.x, 10.x.x.x)- SQL injection patterns (
SELECT,DROP,INSERT,UNION, etc.) - Script tags or JavaScript code (
<script>,javascript:, etc.) - Path traversal patterns (
../,..\\,%2e%2e%2f) - Command injection patterns (
|,;,&&,||) - File inclusion patterns (
file://,php://, etc.)
Examples
- Invalid requests
- Valid requests
// ❌ This will be BLOCKED by WAF
{
"callback_url": "http://localhost:3000/webhook",
"redirect_uri": "http://127.0.0.1/callback"
}
// ❌ This will be BLOCKED by WAF
{
"user_query": "'; DROP TABLE users; --"
}
// ❌ This will be BLOCKED by WAF
{
"description": "<script>alert('xss')</script>"
}
// ✅ This is ALLOWED
{
"callback_url": "https://myapp.com/webhook",
"redirect_uri": "https://mycompany.com/callback"
}
// ✅ This is ALLOWED
{
"user_query": "health data from 2023-01-01"
}
// ✅ This is ALLOWED
{
"description": "Patient health metrics summary"
}