Authentication

Overview

Authentication starts with registering as a Tenant and obtaining an API token. The OneRecord API uses JSON Web Tokens (JWT) to carry the metadata that API services need to locate the resources used during a service transaction; in other words, the token identifies your system to our system and allows the transaction to proceed. For more information on Tenants and other configuration concepts, please see Configuration Concepts.


Getting a Token

Generating a JSON Web Token (JWT) is done internally by the OneRecord team through the Tenant Service, which supports OneRecord API client configuration. The OneRecord team generates tokens for clients when the Tenant, its Organization and its Devices are registered, and whenever new devices are added to the API system for a Tenant.

The token value can now be used by the client application in the header of REST API calls as:

Authorization: Bearer <token>

This is a non-expiring token, so there is no need to regenerate it unless the id of the device, the signing key configured in the tenant, or the client certificate thumbprint changes. Token-based authentication is used for non-production access. For production access, we will issue you both a certificate and a token. For additional information on receiving a production-level certificate, please see Certification.
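As an added illustration (this is example code, not OneRecord's own tooling), the following Python shows how a client attaches the token in the Authorization header and how the pieces of a JWT fit together: the token is signed with a tenant-configured key, so a changed signing key makes the existing token fail verification, and a token with no exp claim never expires on its own. The signing key, the claim names and values, and the API URL are constructed placeholders; real tokens come from the OneRecord team and are never minted by the client.

```python
"""Added example (not OneRecord code): attach a bearer JWT and inspect it.

The signing key, claims and URL below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import urllib.request

# Constructed stand-ins; a real token is issued by the Tenant Service.
DEMO_SIGNING_KEY = b"constructed-tenant-signing-key"
DEMO_CLAIMS = {"iss": "tenant-service", "sub": "device-placeholder", "iat": 1700000000}
API_URL = "https://api.example.invalid/v1/resource"  # placeholder URL


def _b64url_encode(raw: bytes) -> str:
    # JWT segments are base64url without '=' padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding the JWT encoding strips, otherwise decoding fails
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_demo_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT for the demo (header.payload.signature)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Constant-time signature check; any malformed token is simply rejected."""
    try:
        header, payload, signature = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
        return hmac.compare_digest(expected, _b64url_decode(signature))
    except (ValueError, TypeError):
        return False


def decode_claims(token: str) -> dict:
    """Read the payload for inspection only; this does not trust the token."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def is_non_expiring(token: str) -> bool:
    """Without an exp claim the token has no built-in lifetime."""
    return "exp" not in decode_claims(token)


def build_request(url: str, token: str) -> urllib.request.Request:
    """Attach the token exactly as documented: Authorization: Bearer <token>."""
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


if __name__ == "__main__":
    token = mint_demo_token(DEMO_CLAIMS, DEMO_SIGNING_KEY)
    print(build_request(API_URL, token).get_header("Authorization")[:48], "...")
    print("verifies with tenant key:", verify_hs256(token, DEMO_SIGNING_KEY))
    print("verifies after key rotation:", verify_hs256(token, b"rotated-key"))
    print("non-expiring:", is_non_expiring(token))
```

Because the token carries no expiry, its lifetime is governed entirely by the tenant configuration; rotating the signing key is the lever that invalidates every token issued under the old key, which is why the documentation lists it among the events that require a new token.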


How Certificates Are Used

In production environments (pre-prod and prod), we use certificates to further secure the connection. An environment-specific API JWT token continues to be used for client authentication; in addition, a certificate exchange with mutual authentication (mutual TLS) over TLS v1.2 is required. All REST calls require both forms of authentication for the highest level of security and complete end-to-end data protection.

Self-signed certificates are not accepted for authentication in our production environments. Client certificates must be issued by a valid, known certificate authority. We need to know the certificate chain, including intermediate certificates, so that they can be loaded into our trust store if they are not already present. In addition, we need the thumbprint of the client certificate so that we can set up the tenant with certificate authentication.
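The client side of this production scheme, as an added example that is not OneRecord's own code: a TLS context that enforces TLS 1.2 as the minimum, verifies the server, and presents the CA-issued client certificate, combined with the bearer token from the previous section. It also computes the thumbprint the tenant setup asks for (the hash over the certificate's DER bytes, the same value openssl prints as the fingerprint) and splits a PEM bundle into its individual certificates so the intermediates can be handed over with the leaf. File paths, host and token are placeholders, and the PEM used for the demo is a constructed blob rather than a real certificate, so the code runs offline.

```python
"""Added example (not OneRecord code): mTLS plus bearer token, thumbprint, chain.

Paths, host and token are placeholders; DEMO_PEM is a constructed blob.
"""
import hashlib
import ssl
import urllib.request

API_URL = "https://api.example.invalid/v1/resource"   # placeholder
CLIENT_CERT = "client-chain.pem"   # placeholder: CA-issued leaf plus intermediates
CLIENT_KEY = "client.key"          # placeholder: the matching private key

# Constructed PEM whose body is base64 of b"abc"; real certificates are far longer.
DEMO_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)


def build_mtls_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Server verification on, TLS 1.2 minimum, client certificate when supplied."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if certfile:
        # The chain file may carry leaf plus intermediates; the key may live separately
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def certificate_thumbprint(pem_text: str, algorithm: str = "sha1") -> str:
    """Hash over the DER bytes, formatted as colon-separated upper-case hex."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def split_pem_chain(bundle_text: str) -> list:
    """Return each certificate in a PEM bundle, in file order, ignoring text between blocks."""
    blocks, current = [], []
    for line in bundle_text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            current = [line]
        elif line.startswith("-----END CERTIFICATE-----"):
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            current = []
        elif current:
            current.append(line)
    return blocks


def call_api(url: str, token: str, certfile: str, keyfile: str):
    """Both factors together: mTLS at the transport layer, bearer JWT in the header."""
    ctx = build_mtls_context(certfile, keyfile)
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    request = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with opener.open(request, timeout=10) as response:
        return response.status, response.read()


if __name__ == "__main__":
    # Offline part of the demo: thumbprint and chain inspection on the constructed PEM
    for cert in split_pem_chain(DEMO_PEM + "issuer follows\n" + DEMO_PEM):
        print("SHA1  ", certificate_thumbprint(cert))
        print("SHA256", certificate_thumbprint(cert, "sha256"))
    # Network part (placeholders; uncomment with a real token and certificate files):
    # print(call_api(API_URL, "<token>", CLIENT_CERT, CLIENT_KEY))
```

Run the thumbprint function over the leaf certificate only, not the intermediates, since the tenant is bound to the client certificate itself; the chain list is what lets the operator check that every intermediate is present before the bundle is handed over.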