The PainChek API uses a token-based approach to secure access to the API.
In order to start accessing the API, you must first obtain a token. To do that, you'll need:
a) Client ID, and
b) Client Secret
Together, these grants access to the PainChek API. PainChek support staff can set these credentials up for you or the PainChek Portal can also be used to self-manage API access.
Obtaining a Token
A token is obtaining by posting a request to the "integration/auth" endpoint of the PainChek API:
-H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" \
-X POST https://ua.ap.painchek.com/api/integration/auth/ \
-d client_id="client1" \
If the client details and the user credentials are valid, an access token (and other details) are returned:
You can see that an access token ("n7wzioQY1u1jydOII8sNNxLukT4wXx") granting read and write access was returned.
Access tokens are the (relatively) short-lived tokens that allow access to the API. No other form of credential is needed to use the token.
The token gets passed in the Header of the request to the PainChek API e.g.:
-H "Authorization: Bearer n7wzioQY1u1jydOII8sNNxLukT4wXx"
In this example, all of the patients in the PainChek database will be returned.
Given that access tokens provide access to PainChek, they should be treated with care. However, they do time expire and so that if a token is compromised, the risk exposure is limited.
Access tokens expire after a period of time.
The expiry period is returned when the token is created in the "expires_in" field. That field contains the number of seconds that the token will be valid for.
If the process using the token is long-running, then you will need to fetch a new token periodically.