oAuth - Security for Authentication of API Calls

Medfusion uses the latest open authorization protocol, oAuth 2.0. There are three core steps to the process, outlined below.

STEP 1: Obtaining the Client Id and Client Secret

    • Method Type: GET
    • Endpoint: https://<server>/v1/oauth2/oauthapplication/<apptoken>

Accept: application/json

Sample Response:
{"applicationName": "MyTest2App", "grantTypes": [], "clientId": "79DGIWN934UJGHWKJERIGU", "clientSecret": "97FGHKJNW99GUJH24JKNdue", "oauthVersion": "O_AUTH_2_0"}

ACTION – Store the client Id and client secret in a secure place for use in Step 2.

STEP 2: Obtaining the Access token

Using the client Id and client secret from Step 1, do the following to obtain the access token:

    • Method Type: POST
    • Endpoint: https://<server>/v1/oauth2/token

Content-Type: application/x-www-form-urlencoded
Accept: application/json
Authorization: Basic <base64(clientId:clientSecret)>   (HTTP Basic: the "clientId:clientSecret" pair is base64-encoded, per RFC 7617)

Sample Body:

Sample Response:
{"tokenType": "BEARER", "expiresIn": 1551833, "refreshToken": "978a9odgklh2ihng9irhgks0082", "accessToken": "545432458745ahsidfh2weubgiw", "accessTokenSecret": null}

  • tokenType = The token type to send together with the access token in the Authorization header. Will always be "BEARER".
  • expiresIn = The time in seconds until the access token expires and a new token is required. Defaults to 2 hours.
  • refreshToken = Could be used to obtain a new access token without passing credentials again. Will be null and is not used.
  • accessToken = The string the oAuth client uses to make requests to the resource server. Send it together with the token type in the Authorization header.
  • accessTokenSecret = No secret accompanies the access token; the value is null by default.

ACTION – Store the access token in a secure location (you will need to get a new access token every 2 hours, or as soon as it expires).

STEP 3: Making Authenticated API Calls

Using the access token from Step 2, create the following header for all API calls made to Medfusion:

Authorization: Bearer <accessToken>
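The three steps above as one small client, added here as an example; it is not Medfusion's own code. It builds the Basic header by base64-encoding the clientId:clientSecret pair, validates the token response (tokenType must be BEARER and an accessToken must be present), tracks the expiry from expiresIn, and re-requests a token shortly before it lapses. The HTTP transport is injectable so the sample responses from this page can be replayed offline; the form body `grant_type=client_credentials` is an assumption, since the page leaves the sample body blank.

```python
import base64
import json
import time
import urllib.request
from urllib.parse import urlencode

# Sample responses copied from this page; used here as constructed offline input.
SAMPLE_APP_RESPONSE = ('{"applicationName": "MyTest2App", "grantTypes": [], '
                       '"clientId": "79DGIWN934UJGHWKJERIGU", '
                       '"clientSecret": "97FGHKJNW99GUJH24JKNdue", "oauthVersion": "O_AUTH_2_0"}')
SAMPLE_TOKEN_RESPONSE = ('{"tokenType": "BEARER", "expiresIn": 1551833, '
                         '"refreshToken": "978a9odgklh2ihng9irhgks0082", '
                         '"accessToken": "545432458745ahsidfh2weubgiw", "accessTokenSecret": null}')


def _default_get(url, headers):
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8")


def _default_post(url, headers, body):
    req = urllib.request.Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8")


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic value: base64 of 'clientId:clientSecret' (RFC 7617)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def fetch_client_credentials(server: str, app_token: str, http_get=_default_get) -> tuple:
    """Step 1: GET the oauthapplication record and return (clientId, clientSecret)."""
    url = f"https://{server}/v1/oauth2/oauthapplication/{app_token}"
    data = json.loads(http_get(url, {"Accept": "application/json"}))
    return data["clientId"], data["clientSecret"]


def parse_token_response(body: str, now: float) -> dict:
    """Validate the Step 2 response and turn expiresIn into an absolute expiry time."""
    data = json.loads(body)
    if str(data.get("tokenType", "")).upper() != "BEARER":
        raise ValueError(f"unexpected tokenType: {data.get('tokenType')!r}")
    token = data.get("accessToken")
    if not token:
        raise ValueError("response carries no accessToken")
    return {"access_token": token, "expires_at": now + int(data.get("expiresIn", 0))}


def bearer_header(token_info: dict) -> str:
    """Step 3: the Authorization value sent on every API call."""
    return "Bearer " + token_info["access_token"]


class TokenCache:
    """Keeps one access token and re-requests it `margin` seconds before expiry."""

    def __init__(self, server, client_id, client_secret,
                 http_post=_default_post, clock=time.time, margin=60):
        self.server, self.client_id, self.client_secret = server, client_id, client_secret
        self.http_post, self.clock, self.margin = http_post, clock, margin
        self._token = None

    def _request_token(self) -> dict:
        headers = {
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
            "Authorization": basic_auth_header(self.client_id, self.client_secret),
        }
        body = urlencode({"grant_type": "client_credentials"})  # assumed; page shows no body
        resp = self.http_post(f"https://{self.server}/v1/oauth2/token", headers, body)
        return parse_token_response(resp, now=self.clock())

    def authorization(self) -> str:
        """Return a Bearer header, fetching a fresh token when the cached one is near expiry."""
        if self._token is None or self.clock() >= self._token["expires_at"] - self.margin:
            self._token = self._request_token()
        return bearer_header(self._token)


def demo() -> str:
    """Offline run of all three steps against the page's sample responses."""
    cid, secret = fetch_client_credentials("example.invalid", "APP_TOKEN",
                                           http_get=lambda url, h: SAMPLE_APP_RESPONSE)
    cache = TokenCache("example.invalid", cid, secret,
                       http_post=lambda url, h, b: SAMPLE_TOKEN_RESPONSE, clock=lambda: 0.0)
    return cache.authorization()


if __name__ == "__main__":
    print(demo())
```

The `margin` keeps a call from going out with a token that expires in transit; set it to match your longest expected request time. Because the transport is a plain callable, the same object works with `urllib` in production and with canned responses in tests.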


oAuth Workflow