Step 1: Retrieve bearer token

API authentication takes place by requesting a bearer token from the WMDA Azure AD. You do this with an API call to the Microsoft AD. Client libraries are available for many different platforms. You can find them here: 
https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-v2-libraries

A CURL command would be: 

curl --location --request POST 'https://login.microsoftonline.com/c3ab1869-1472-4577-b669-0d64c732e75c/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=<YOURCLIENTID>' \
--data-urlencode 'client_secret=<YOURCLIENTSECRET>' \
--data-urlencode 'resource=<RESOURCE_ID_FOR_APPLICATION_YOU_WANT_TO_ACCESS>'

Below is a list of resource IDs for applications that use this authentication method: 

Search and Match V2 (launched 4 July 2022): 

tenant: c3ab1869-1472-4577-b669-0d64c732e75c
resource (sandbox Patient and search API): f6d78a69-c840-46a2-941b-a0e08f9296e7
resource (production Patient and search API): 5df05a6d-8ef0-49fe-9441-62cd9b540376

Match-Connect

tenant: c3ab1869-1472-4577-b669-0d64c732e75c
resource (sandbox connect API): fd05059b-9c9e-443c-a7e7-bc4ddfe29f5c
resource (production Connect API): 00f6f281-2c36-45a4-97ae-79d745265090

Data Manager (previously known as "Dataupload")

tenant: c3ab1869-1472-4577-b669-0d64c732e75c
resource (sandbox data manager API): 4ff9e943-41d7-4430-b1cf-5502b9440601
resource (production data manager API): 577a3074-a64c-44e5-b394-bf40eb53413a


You will then receive the following: 

{
    "token_type": "Bearer",
    "expires_in": "3599",
    "ext_expires_in": "3599",
    "expires_on": "1642763674",
    "not_before": "1642759774",
    "resource": "1da84816-4337-44d3-a782-b6abebaf6710",
    "access_token": "<Obfuscated for clarity and security>"
}

PLEASE NOTE:

  • Different environments use a different "resource". This means that when you request a token for "f6d78a69-c840-46a2-941b-a0e08f9296e7" you will only be able to use this for the SANDBOX patient and search API. If you use it on another resource (e.g. production patient and search API) you will receive a 403 Unauthorised response back. 
  • As stated in the response body, when requesting the JWT/bearer token/access token, the token will expire in 1 hour (3600 seconds). Please make sure you request a new token when the current token is about to expire. 


Depending on your access level, your "access_token"/JWT contains the relevant information to indicate you have access to certain applications. The fact that you can get an access_token/JWT does NOT necessarily mean that you can use the relevant API endpoints. Whether or not you are allowed to access certain applications and endpoints is determined by settings made by WMDA IT. Please contact support@wmda.info if you believe you do not have the correct level of access. 

NOTE: the Connect API is only allowed for registries with an ION that fulfil the necessary requirements such as having diff upload to dataupload.wmda.info and a successful implementation of the relevant patient and search API endpoints.  


You can find documentation and a Postman collection with the relevant call here: 

https://documenter.getpostman.com/view/7271683/UVXomZD2

Click "run in postman" if you want to run it in your local Postman install or on the web. 

Step 2: Authenticating with WMDA APIs

The bearer token retrieved in the previous step can then be used to authenticate future requests to the WMDA API.  You do this by adding an "authorization" header with the following content: 

Bearer <access token>
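
Steps 1 and 2 combined, as an added example that is not WMDA's own code: a small client-side cache that keeps one token per resource ID (a sandbox token is never reused for production), renews it shortly before "expires_on", and builds the authorization header. The names request_token, TokenCache and cache_from_env, the environment variable names and the 300-second renewal margin are assumptions made for this example.

```python
import json
import os
import time
import urllib.parse
import urllib.request

TENANT = "c3ab1869-1472-4577-b669-0d64c732e75c"  # tenant ID listed in Step 1
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/token"


def request_token(client_id, client_secret, resource):
    """Send the client_credentials form from Step 1; return the parsed JSON body."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }).encode()
    # urllib sends form data as application/x-www-form-urlencoded by default
    req = urllib.request.Request(TOKEN_URL, data=form, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class TokenCache:
    """Holds one token per resource ID and renews it before it expires."""

    def __init__(self, fetch, skew=300, clock=time.time):
        self._fetch = fetch    # callable(resource) -> token response dict
        self._skew = skew      # renewal margin in seconds (assumed value)
        self._clock = clock    # injectable so expiry handling can be tested
        self._tokens = {}      # resource ID -> token response

    def auth_header(self, resource):
        tok = self._tokens.get(resource)
        # "expires_on" arrives as a string of Unix seconds, so convert it
        if tok is None or self._clock() >= int(tok["expires_on"]) - self._skew:
            tok = self._fetch(resource)
            if tok.get("token_type") != "Bearer" or not tok.get("access_token"):
                raise ValueError("unexpected token response")
            self._tokens[resource] = tok
        return {"Authorization": "Bearer " + tok["access_token"]}


def cache_from_env():
    """Build a cache from credentials kept in the environment, not in source."""
    cid = os.environ["WMDA_CLIENT_ID"]          # assumed variable name
    secret = os.environ["WMDA_CLIENT_SECRET"]   # assumed variable name
    return TokenCache(lambda resource: request_token(cid, secret, resource))
```

Call cache_from_env().auth_header(<resource ID>) before each request and merge the returned dictionary into the request headers.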