Authentication
You'll need to authenticate your requests to access any of the endpoints in the Atticus API. In this guide, we'll look at how authentication works. Atticus offers two ways to authenticate your API requests: Basic authentication and OAuth2 with a token.
If requests must be performed as a specific end-user, an extra header is needed to identify that user: the X-User-Id header. It identifies the user in the context of the session, and is only needed when the session is created in the background (machine-to-machine calls without an interactive login).
Basic authentication (API key)
With basic authentication, you use an API key (a base64 encoded version of client_id:client_secret, sent in the Authorization header) to authenticate your HTTPS requests. cURL's -u option performs the base64 encoding for you.
Here's how to authenticate using cURL:
Example request with basic auth
curl https://reports.tiro.health/fhir/r5/Patient \
-u client_id:client_secret \
--basic
End-user identification in machine-to-machine communication
Some endpoints need a user to be identified. This is done by adding the X-User-Id header to the request. This header is used to identify the user (a Practitioner in FHIR terms) in the context of the session.
Example request with user identification
curl https://reports.tiro.health/fhir/r5/Patient \
-u client_id:client_secret \
--basic \
-H "X-User-Id: http://myhospital.org/clincal-staff/user-ids|123"
The notation used for the X-User-Id header is an identifier token. An identifier is a commonly used concept in FHIR to identify practitioners, patients and other entities. More information about identifiers in the Atticus FHIR API can be found in the FHIR tips.
The identifier used needs to match an identifier passed as part of a POST Practitioner request.
In headers we need a special notation to combine the system and the value of the identifier in a single string. The convention is to concatenate the system and the value with a pipe (|). The system is a URI that identifies the system that the identifier comes from. The value is the actual identifier value.
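The following is an added example, not code from the Atticus or Tiro documentation. It shows, end to end, what the cURL examples above do under the hood: building the Basic Authorization header from client_id:client_secret, formatting a FHIR identifier (system and value) as the system|value token for X-User-Id, and checking that such a token actually matches one of the identifiers of a Practitioner resource as it would be sent in a POST Practitioner request. The client credentials, the identifier system URI and the Practitioner resource are constructed sample values; the helper names are my own, not part of the Atticus API.

```python
import base64
from typing import Optional, Tuple

# Constructed sample values for illustration only; they are not real credentials.
CLIENT_ID = "client_id"
CLIENT_SECRET = "client_secret"
USER_SYSTEM = "http://myhospital.org/clincal-staff/user-ids"
USER_VALUE = "123"

# A minimal Practitioner resource, as it might be sent in a POST Practitioner request.
SAMPLE_PRACTITIONER = {
    "resourceType": "Practitioner",
    "identifier": [{"system": USER_SYSTEM, "value": USER_VALUE}],
}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Return the Authorization value that `curl -u client_id:client_secret --basic`
    sends: the string "client_id:client_secret", base64 encoded (RFC 7617)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def identifier_token(system: str, value: str) -> str:
    """Format a FHIR Identifier as the system|value token used in X-User-Id.
    Both parts are required, and neither may contain the pipe separator,
    otherwise the token could not be split back unambiguously."""
    if not system or not value:
        raise ValueError("both system and value are required")
    if "|" in system or "|" in value:
        raise ValueError("system and value must not contain '|'")
    return f"{system}|{value}"


def parse_identifier_token(token: str) -> Tuple[str, str]:
    """Split a system|value token into (system, value), rejecting malformed input."""
    system, sep, value = token.partition("|")
    if not sep or not system or not value:
        raise ValueError(f"malformed identifier token: {token!r}")
    return system, value


def practitioner_matches(practitioner: dict, token: str) -> bool:
    """True if the token matches one of the Practitioner's identifiers exactly
    (same system URI and same value)."""
    system, value = parse_identifier_token(token)
    return any(
        ident.get("system") == system and ident.get("value") == value
        for ident in practitioner.get("identifier", [])
    )


def build_headers(client_id: str, client_secret: str,
                  user_id_token: Optional[str] = None) -> dict:
    """Assemble the request headers: Basic auth always, X-User-Id only when a
    background (machine-to-machine) session must act as a specific end-user."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Accept": "application/fhir+json",
    }
    if user_id_token is not None:
        headers["X-User-Id"] = user_id_token
    return headers


if __name__ == "__main__":
    token = identifier_token(USER_SYSTEM, USER_VALUE)
    # Verify the header value before using it: it must match an identifier the
    # Practitioner was registered with, otherwise the server cannot map the user.
    print("matches registered practitioner:", practitioner_matches(SAMPLE_PRACTITIONER, token))
    for name, val in build_headers(CLIENT_ID, CLIENT_SECRET, token).items():
        print(f"{name}: {val}")
```

The headers returned by build_headers are exactly what the second cURL example sends; validating the token against the Practitioner resource before issuing the request catches the common mistake of a system URI that differs by a character from the one used at registration.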
OAuth2 with a token
To be documented