Your health data belongs to you. Track it on your own terms.

Self-hosted health tracker. Weight, blood pressure, glucose, mood, medications.
Withings and Apple Health sync, multi-provider AI Insights you own, doctor-report PDF.

Website · Live Demo · Documentation

HealthLog is a self-hosted personal health tracker that runs from a single docker compose up. It covers the metrics most people actually log -- weight, blood pressure, pulse, body composition, blood glucose, sleep, mood, and medication compliance -- and brings them together in one dashboard with reference ranges from ESC/ESH 2018, ADA 2024, and NICE NG115. Withings devices sync automatically; an export.zip import folds your full Apple Health history into the same timeline; multi-provider AI Insights (BYOK or local) explain what the numbers mean; a doctor-report PDF generates client-side. EN/DE end-to-end. AGPL-3.0.

Status: active. New releases roughly weekly -- see CHANGELOG. Current focus: native iOS client (v1.5).

Built for people who want their health data on their own server -- whether that's a NAS, a homelab, or a small VPS -- and who don't want to hand it to a US cloud to read a 7-day weight trend. Try the live demo to see what a working install looks like, or skip to Quick Start below.

Most health apps lock your data behind proprietary clouds, push subscriptions, and sell your metrics to advertisers. HealthLog takes a different approach: your data stays on your server, encrypted at rest, accessible only to you.

Every reading walks the same five-stage pipeline. Sources (Withings webhook, an Apple Health export.zip, the iPhone HealthKit batch from the v1.5 native client, manual entry, the moodLog.app webhook) reach a small set of ingest endpoints, which dedup against the source-priority resolver before persisting into Postgres. Storage keeps two shapes — a Measurement row per sample plus pre-aggregated DAY / WEEK / MONTH MeasurementRollup buckets. Reads probe the rollups first and fall back to live SQL when the ask is too slope-heavy or the bucket is cold. Surfaces — dashboard tiles, Insights cards, the AI Coach, the doctor-report PDF — all consume the same read path, so a number on a tile is always the same number the Coach cites.

Three more diagrams cover the pieces that matter most when you're evaluating the project:

• 02-coach-pipeline.svg — how the AI Coach grounds every reply in your own data via the snapshot builder + provider chain + Zod-validated parser.
• 04-source-priority.svg — why steps logged simultaneously by Apple Watch, a Withings ScanWatch and the iPhone don't triple-count.
• 05-security-model.svg — the three concentric perimeters (auth, session, encrypted core) plus rate-limiter, audit-log and SSRF rails.

The deployment topology lives further down under Deployment.

Health Metrics -- Track weight, blood pressure, pulse, body fat, sleep, steps, blood glucose (fasting/postprandial/random/bedtime, mg/dL ↔ mmol/L), total body water, bone mass, and pulse oximetry (SpO₂) with interactive trend charts, moving averages, and traffic-light ranges based on ESC/ESH 2018, ADA 2024, and consensus pulse-oximeter guidance (NICE NG115). Body-composition + SpO₂ metrics sync automatically from Withings Body+ scales and ScanWatch devices.

Custom Thresholds -- Override the computed default ranges per metric with the targets your clinician set. Audit-logged. Doctor Report PDF prints both your target and the standard reference.

Customizable Dashboard -- Show, hide, and drag-to-reorder every widget. Per-user layout with reset-to-defaults.

Mood Logging -- 5-point scale with tags, notes, and trend analytics. Syncs automatically from moodLog.app via webhook.

Medication Compliance -- Flexible scheduling with time windows, recurrence patterns, intake logging (take/skip/snooze), and compliance heatmaps. External API for iOS Shortcuts integration.

Withings Integration -- OAuth2 device sync for scales, blood pressure monitors, and activity trackers with automatic deduplication.

Apple Health import -- Drop your iOS export.zip on the import page. A streaming parser handles multi-gigabyte archives (Zip64), folds every <Record>, <Workout>, <Correlation>, and <ClinicalRecord> into the same timeline as your other metrics, and stays idempotent on re-upload. Per-type ingestion stats plus a live status endpoint so you can watch the progress on a long historical drain.

AI Coach + Insights -- A conversational Coach grounded in your own data, a daily briefing, a weekly report, and a Health Score tile on the dashboard. Pick OpenAI, Anthropic Claude, or any OpenAI-compatible local endpoint (Ollama, LM Studio, vLLM). BYOK or admin-shared. Every claim links back to the measurements that produced it. Local endpoints keep all data on your network.

Doctor Report PDF Export -- Generate professional medical reports client-side. Locale-aware (English/German), with vital sign summaries, BP/BMI/glucose classification, compliance rates, custom-threshold badges, and optional AI analysis.

Built-in Feedback -- Send bug reports and feature requests from inside the app. Stored in your HealthLog database — no GitHub config required. Optional GitHub escalation for admins.

PWA with Offline Support -- Installable on iOS and Android. Service worker with intelligent caching strategies for reliable offline access.

Multi-Channel Notifications -- Telegram (with inline action buttons), ntfy (self-hostable), and Web Push. Medication reminders with late/missed escalation.

Gamification -- 38+ persistent achievements across intake streaks, compliance milestones, and healthy metric streaks.

Internationalization -- English (default) and German UI with 1500+ translation keys, guarded by a CI integrity test that fails the build on duplicate keys or drift between locales. Numbers, dates, units, and AI prompts all locale-aware via useFormatters(). Browser-based detection with per-user override.

Multi-tenant ready (v1.4) — Off-host AES-GCM-encrypted weekly backups to any S3-compatible bucket (R2, B2, MinIO, AWS), encryption-key versioning + zero-downtime rotation CLI, optional HEALTHLOG_PROCESS_TYPE=web|worker|all so HTTP and pg-boss can scale independently, and short-lived 24h access tokens with refresh-token rotation for native API clients. The browser cookie session is unchanged.

Test connection buttons (v1.4) — One-click probes for Withings, moodLog.app, Web Push, Glitchtip, and Umami in addition to the existing AI / Telegram / ntfy tests. Each one rate-limited, sanitised against SSRF redirects, and surfaces a localisable errorCode so the UI can render the failure in the user's language.

3 minutes from git clone to a working install. The bundled docker-compose.yml pulls a pre-built multi-arch image (linux/amd64 + linux/arm64) from GitHub Container Registry; no build step required for self-hosters. Contributors who want to test local changes can docker compose up --build.

git clone https://github.com/MBombeck/HealthLog.git
cd HealthLog
cp .env.example .env

Generate the three required secrets and paste them into .env:

echo "POSTGRES_PASSWORD=$(openssl rand -base64 24)" >> .env
echo "ENCRYPTION_KEY=$(openssl rand -hex 32)"       >> .env
echo "API_TOKEN_HMAC_KEY=$(openssl rand -hex 32)"   >> .env

Then bring the stack up:

docker compose up -d

Open http://localhost:3000. The first registered user becomes admin.

Behind a reverse proxy (Caddy / Traefik / Nginx) for TLS, set NEXT_PUBLIC_APP_URL and APP_URL to your public URL in .env before starting. See Self-Hosting → Reverse Proxy for examples.

HealthLog is designed for people who take data ownership seriously.

• Self-hosted -- Your data never leaves your server. No telemetry, no third-party tracking.
• AES-256-GCM encryption -- All stored secrets (OAuth tokens, API keys, VAPID keys) are encrypted at rest.
• Passkey authentication -- WebAuthn as primary auth with password fallback (Argon2id + zxcvbn strength validation).
• Server-side sessions -- PostgreSQL-backed with 30-day sliding expiry, HttpOnly/SameSite=Strict cookies.
• Security headers -- CSP with nonces, HSTS, X-Frame-Options DENY, Permissions-Policy, Referrer-Policy.
• Rate limiting -- Sliding window on auth and API endpoints.
• HMAC-SHA256 API tokens -- Bearer tokens are hashed before storage.
• Audit logging -- All sensitive operations tracked with IP addresses.

Telegram bot token, ntfy settings, Web Push VAPID keys, Umami, and GlitchTip URLs are configured in the Admin Panel and stored encrypted in the database.

src/
├── app/                    # Next.js App Router pages & API routes
│   ├── api/                # REST API endpoints (100+ route files)
│   ├── admin/              # Admin panel
│   ├── auth/               # Login, register, passkey enrolment
│   ├── medications/        # Medication management
│   ├── measurements/       # Health metric entry
│   ├── mood/               # Mood log
│   ├── insights/           # AI-powered analytics
│   ├── charts/             # Long-form charts
│   ├── achievements/       # Gamification page
│   ├── targets/            # Custom thresholds dashboard
│   ├── notifications/      # Notification preferences matrix
│   ├── bugreport/          # Built-in feedback / bug report
│   ├── onboarding/         # 4-step guided setup
│   └── settings/           # User preferences (8 top-level sections)
├── components/
│   ├── ui/                 # shadcn/ui primitives
│   ├── layout/             # Shell (sidebar, topbar, bottom nav)
│   ├── medications/        # Medication cards, forms, timeline
│   ├── measurements/       # Measurement form, list
│   ├── mood/               # Mood form, mood list
│   ├── charts/             # Recharts wrappers
│   ├── insights/           # AI insight status / advisor cards
│   ├── gamification/       # Achievement cards, progress
│   ├── monitoring/         # Umami / GlitchTip bootstrap
│   └── settings/           # Settings-page section components
├── lib/
│   ├── auth/               # Session, audit, passkey logic
│   ├── notifications/      # Dispatcher + channel senders
│   ├── jobs/               # pg-boss worker (reminders, insights, backups)
│   ├── analytics/          # Trend calculations, compliance, correlations
│   ├── ai/                 # Multi-provider client (OpenAI, Anthropic, local)
│   ├── insights/           # Insight pipeline + medical prompts
│   ├── gamification/       # Achievement definitions
│   ├── feedback/           # Built-in feedback + GitHub escalation
│   ├── moodlog/            # moodLog.app webhook + sync
│   ├── monitoring/         # Umami / GlitchTip server-side hooks
│   ├── withings/           # OAuth client, sync service
│   ├── logging/            # Wide Events: builder, context, transports
│   ├── i18n/               # Translations context & config
│   ├── validations/        # Shared Zod schemas
│   ├── api-handler.ts      # apiHandler wrapper, requireAuth/requireAdmin
│   ├── api-response.ts     # { data, error } envelope helpers
│   ├── crypto.ts           # AES-256-GCM encrypt/decrypt
│   ├── rate-limit.ts       # Sliding-window rate limiter
│   ├── db.ts               # Prisma singleton
│   └── doctor-report-pdf.ts # Client-side PDF generation
├── hooks/                  # React hooks
└── generated/prisma/       # Generated Prisma client

• RSC by default -- "use client" only for interactive components
• API envelope -- All responses follow { data, error } shape via apiSuccess() / apiError() in src/lib/api-response.ts
• apiHandler wrapper -- Every API route wraps its handler in apiHandler() (src/lib/api-handler.ts) for consistent error handling, Wide-Event structured logging, and x-request-id propagation
• Encrypted secrets -- Withings tokens, API keys, VAPID keys, notification credentials
• Timezone-aware -- Europe/Berlin for display, UTC in database
• Route protection -- proxy.ts (Next.js 16's renamed middleware) checks session cookie, redirects unauthenticated requests
• Client-side PDF -- Doctor reports generated in browser via jsPDF

All mutations require authentication via session cookie. External ingest uses Bearer tokens. A machine-readable OpenAPI 3.1 spec for the iOS-locked native subset lives at docs/api/openapi.yaml — the source of truth for any client codegen (Swift / Kotlin / OpenAPI Generator).

# Prerequisites: Node.js 20+, pnpm, PostgreSQL

cp .env.example .env
pnpm install
pnpm db:generate
pnpm db:migrate
pnpm dev

pnpm dev              # Development server
pnpm build            # Production build
pnpm lint             # ESLint
pnpm typecheck        # TypeScript strict check
pnpm test             # Vitest
pnpm format           # Prettier

pnpm db:generate      # Generate Prisma client
pnpm db:migrate       # Create & apply migration
pnpm db:migrate:deploy # Apply migrations (production)
pnpm db:studio        # Prisma Studio GUI

The included docker-compose.yml runs the app and PostgreSQL. The entrypoint automatically waits for the database, runs pending migrations, and starts the server.

The app listens on port 3000. Place it behind Nginx, Caddy, or Traefik for TLS termination. Works out of the box with Coolify.

For a single-process default the same container hosts both the web and worker (HEALTHLOG_PROCESS_TYPE=all, the default). Split them via HEALTHLOG_PROCESS_TYPE=web and HEALTHLOG_PROCESS_TYPE=worker for horizontal scale. Off-host AES-GCM weekly backups to any S3-compatible bucket (R2, B2, MinIO, AWS) are opt-in via the admin panel. See docs/self-hosting/ and docs/ops/ for the full operator manual.

The detailed changelog lives in CHANGELOG.md; per-release audit summaries live under docs/audit/.

Contributions are welcome. See CONTRIBUTING.md for guidelines.

• Code style: pnpm format && pnpm lint
• Type safety: pnpm typecheck must pass
• Tests: pnpm test
• UI language: English by default, German selectable per user. Code, comments, and commits: English.

HealthLog is licensed under the GNU Affero General Public License v3.0.

healthlog.dev · Live Demo · Docs