The HealthKite MCP LAN server exposes read-only HTTP/1.1 JSON endpoints inside an authenticated TLS-PSK connection. MCP clients normally access these endpoints through healthkite-mcp, which discovers the iPhone with Bonjour/mDNS and opens the TLS-PSK channel.

Addressing

Users do not copy an IP address. HealthKite MCP advertises a DNS-SD service: 
<derived-instance>._healthkite-mcp._tcp.local.
The instance label is derived from the Pairing Secret, and the SRV record carries the current host/port. Default port is 8080, configurable in Settings.

Endpoints

MethodPathPurpose
GET/Status snapshot
GET/workoutsPaginated workout summaries
GET/workouts/{uuid}Full columnar workout detail
GET/quantity-typesCatalog of standalone HealthKit quantity types
GET/quantity/{type}Standalone quantity series, columnar
GET/sleepReconciled nightly sleep sessions
GET/day-snapshot/{date}Single-day overview (matches iOS Day view numbers)
Any other method on these paths returns 405 Method Not Allowed with Allow: GET. Unknown paths return 404 Not Found.

Response shapes

All responses share three conventions:
  • HealthKit-native field names. No invented vocabulary. See Wire format.
  • sampleEncoding: "columnar-v1" — discriminator at the top of any response containing sample series. Future versions bump the suffix.
  • sources array + src indices — provenance is hoisted. See Provenance hoisting.

Errors

HTTP/1.1 400 Bad Request
{"error": "bad_request"}

HTTP/1.1 404 Not Found
{"error": "not_found"}

HTTP/1.1 405 Method Not Allowed
{"error": "method_not_allowed"}

HTTP/1.1 500 Internal Server Error
{"error": "server_error"}
Authentication failures usually happen before HTTP, during discovery or TLS-PSK handshake. In MCP, these surface as Unauthorized or Unreachable tool errors. Query parameters are forgiving: bad limit/offset values clamp to defaults. Path parameters like /workouts/{uuid} or /day-snapshot/{date} do enforce shape (a malformed UUID won’t match anything; a malformed date returns 400 bad_date).