API Authentication

The REST API supports two authentication schemes. Access to the API is controlled by API tokens created in RoQua-Admin. When opting for JWT tokens, please provide us with your public key so we can link it to the API token.

JWT tokens

JWT tokens can be used for the REST API (and, in future, for the GraphQL API).

These must be sent in an Authorization: Bearer <TOKEN_HERE> header.

JWT Header:

Header field   Required   Content
typ            required   JWT
alg            required   RS256 or RS512
kid            required   The consumer_key as given when uploading the public key into the RoQua Admin

Payload claims:

Claim   Required   Content
iss     required   The issuer of the token, e.g. roqua-rom-prod or a third party like mconsole.
aud     required   Audience. Must be api (to discern between API use and a future use in SSO logins).
iat     required   Timestamp when this JWT was generated.
exp     required   Timestamp after which this JWT is considered expired and is rejected. RoQua imposes a maximum lifetime of 1 hour, which is also the default.
nbf     optional   Do not consider this JWT valid before this timestamp.
sub     optional   The dossier ID (required to perform dossier-related actions).

Note that the sub claim is optional in some cases, but not in all. Trying to access dossier-specific resources without it will result in an authorization error.
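As an added example (not RoQua's own code), the Ruby below shows both sides of the scheme described above: a client minting an RS256 token with the header fields and claims from the two tables, and a server-side check that applies this page's rules (alg restricted to RS256/RS512, kid looked up against the registered public key, aud equal to api, exp at most one hour after iat, nbf and exp checked against the clock). The consumer key, claim values and the in-memory kid-to-public-key map are constructed for the example; RoQua's actual key store and error messages are not known here.

```ruby
require "json"
require "openssl"

MAX_LIFETIME = 3600 # RoQua rejects an exp more than 1 hour after iat
ALGS = { "RS256" => "SHA256", "RS512" => "SHA512" } # the only algorithms the page allows

# Base64url without padding, as JWT requires.
def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  str.tr("-_", "+/").ljust(str.length + (-str.length % 4), "=").unpack1("m")
end

# Client side: build the token described above. +kid+ is the consumer_key that was
# registered with the public key in RoQua Admin; +claims+ holds iss/aud/iat/exp and
# optionally nbf/sub from the payload table.
def mint_rs256(private_key, kid, claims)
  header = { typ: "JWT", alg: "RS256", kid: kid }
  signing_input = "#{b64url_encode(header.to_json)}.#{b64url_encode(claims.to_json)}"
  signature = private_key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url_encode(signature)}"
end

# Server side: +keys+ maps each registered consumer_key (kid) to its public key, i.e.
# the "link it to the API token" step from the introduction (constructed here as a
# plain Hash). The alg is checked against the allow-list before any signature work,
# so a header claiming "none" or an HMAC algorithm is never trusted.
def verify_rs(keys, token, now: Time.now.to_i)
  h, p, s = token.split(".")
  raise "malformed token" unless h && p && s
  header = JSON.parse(b64url_decode(h))
  digest = ALGS[header["alg"]]
  raise "header rejected" unless header["typ"] == "JWT" && digest
  public_key = keys[header["kid"]]
  raise "unknown kid" unless public_key
  raise "bad signature" unless public_key.verify(OpenSSL::Digest.new(digest), b64url_decode(s), "#{h}.#{p}")
  c = JSON.parse(b64url_decode(p))
  raise "iss, iat and exp are required" unless c["iss"].is_a?(String) && c["iat"].is_a?(Integer) && c["exp"].is_a?(Integer)
  raise "aud must be api" unless c["aud"] == "api"
  raise "lifetime exceeds 1 hour" if c["exp"] - c["iat"] > MAX_LIFETIME
  raise "token expired" unless now < c["exp"]
  raise "token not yet valid" if c["nbf"] && now < c["nbf"]
  c
end
```

A caller that needs a dossier-specific resource should additionally require c["sub"] to be present, as the note above states.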

HTTP Basic

Authentication for /api and /fhir/$graphql is done by HTTP Basic authentication over SSL.

Through /admin/api_tokens/new you can manually create an api_token. The provided consumer_key is used as the username and the returned consumer_secret is used as the password for HTTP Basic authentication.

When creating a right you can specify which endpoints it gives access to and which IP addresses may access the API with that token.