Security and Authorization v2
This documentation is primarily intended to describe how to use the platform's standard security API to request an access token that can be used to access other APIs on the platform. The downloadable specification reflects this implementation.
This version of the API is more fully compliant with the conventions defined in the oAuth 2.0 specification. For example, consumers will note that the token name in this version is access_token
, rather than accessToken
, as in v1.
Certain legacy APIs exposed through this platform utilize a legacy Authorization implementation described at the bottom of this summary. Review the Change Log to determine whether a given API uses the standard or legacy Authorization mechanism.
Access Control via Web Tokens
All Optum APIs on this platform are secured using JSON Web Tokens (JWT).
Security via TLS
All calls to Optum APIs are encrypted over HTTPS. Our APIs support connections using TLS version 1.2 or higher.
Authorization via OAuth2
Access to Optum APIs is controlled via OAuth2 using the client credentials grant. This is a secure authorization workflow that allows consumers to obtain a short-lived (one hour) access token that must be transmitted with subsequent API requests.
To obtain a token, consumers first need a client_id
and client_secret
, credentials provided during the customer onboarding process. To request access credentials, please use the 'Request Sandbox Access' link or the 'Contact Us' link to contact the Product Manager of a specific API.
Obtaining an access token
The following documentation describes how to get an access token in a particular environment. Note that Your-ClientId
and Your-ClientSecret
should be replaced with a valid set of credentials. Also note that the URL is environment-specific and may need to be modified according to the target environment.
curl -X POST \
https://${EDGE_HOSTNAME}${api_basepath} \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'client_id=<Your-ClientId>&client_secret=<Your-ClientSecret>&grant_type=client_credentials'
A successful call to this API will return a new access_token
, which can be used to authorize subsequent calls to other APIs on the platform. By default, the access_token
will be valid for one hour from the time of its issuance.
Example response:
{
"access_token": "eyJraWQiOiIxIiwidHlwIjoiSldUIiwiYW...",
"token_type": "bearer",
"expires_in": 3600
}
The access token returned in the above response can be used to access APIs on this platform that are secured via the standard Authorization implementation. Calls to these APIs must include the following headers:
Content-Type: application/json
Authorization: Bearer <Your-Access-Token>
Legacy Authorization
For more information about the legacy implementation of the Authorization APIs, please refer to the documentation for version 1 of this API.
Attachments
rfc6749-oAuth_specification.pdfChange Log | FAQ |
---|---|
View our Change Log/Release Notes for more information on this API | View our Frequently Asked Questions for more information on this API |