Hybrid Integration Authentication

The Easy API uses OpenID Connect access tokens in JWT format to authorize requests. An access token can be obtained via the OAuth 2.0 Client Credentials Grant.

Please contact your account representative to receive your API credentials in the form of a CLIENT_ID and CLIENT_SECRET. The Sandbox and Production environments will each have their own separate set of API credentials.

Access tokens can be obtained from our authentication server at the following URLs:

curl --location --request POST 'https://sandbox-api.gohfd.com/auth/v0/connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=Client ID' \
--data-urlencode 'client_secret=Client Secret'
{
  "access_token": "ACCESS_TOKEN",
  "token_type": "Bearer",
  "expires_in": EXPIRATION_SECONDS
}

Extract the access_token property from the response to make authorized requests to the API. The access token should be included in the Authorization header, prefixed with Bearer.

curl --location --request POST 'https://sandbox-api.gohfd.com/URL' \
--header 'Authorization: Bearer {access_token}'

The access token can be used to make multiple requests until it expires. Please reuse the access token and request a new one only when the current access token has expired.

Be sure to keep your API credentials secure! They are meant to be used in server-side applications only. Do not expose your credentials in version control systems such as GitHub, in publicly accessible channels such as client-side code, or even in log messages.

All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail.
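
The following is an added example, not code from the Easy API or its vendor: a server-side token cache that requests a token with the Client Credentials Grant shown above, reuses it until shortly before expires_in elapses, refuses a non-HTTPS token endpoint, and keeps the secret out of log output. The names TokenCache, fetch_token and cache_from_env, the 30-second refresh margin, and the CLIENT_ID / CLIENT_SECRET environment variable names are assumptions.

```python
import json, os, time
import urllib.parse, urllib.request

TOKEN_URL = "https://sandbox-api.gohfd.com/auth/v0/connect/token"  # sandbox URL from this page

def fetch_token(client_id, client_secret, url=TOKEN_URL):
    """POST the client credentials grant over HTTPS and return the parsed JSON."""
    if not url.lower().startswith("https://"):
        raise ValueError("token endpoint must use HTTPS")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(url, data=body, headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Reuses one access token until shortly before expires_in elapses."""
    def __init__(self, client_id, client_secret, fetch=fetch_token,
                 clock=time.monotonic, skew=30):
        self._id, self._secret = client_id, client_secret
        self._fetch, self._clock, self._skew = fetch, clock, skew
        self._token, self._expires_at = None, 0.0

    def __repr__(self):  # keeps the secret and token out of logs and tracebacks
        return f"TokenCache(client_id={self._id!r}, client_secret=<redacted>)"

    def token(self):
        if self._token is None or self._clock() >= self._expires_at:
            resp = self._fetch(self._id, self._secret)
            if resp.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type")
            self._token = resp["access_token"]
            # Refresh `skew` seconds early (assumed margin) so a token
            # does not expire while a request is in flight.
            self._expires_at = self._clock() + max(0, resp["expires_in"] - self._skew)
        return self._token

    def auth_header(self):
        return {"Authorization": f"Bearer {self.token()}"}

def cache_from_env():
    # Assumed variable names; credentials stay out of source control.
    return TokenCache(os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
```

Create one TokenCache per process and pass auth_header() to every API request, so the token endpoint is only called on first use and after expiry.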