Authentication to the First AML API is via OAuth2/OpenID. Currently only the client credentials flow is supported, but we may introduce support for other OAuth2 flows in the future. OAuth2 works by allowing an API client to make a request to a token endpoint, to exchange credentials for a short-lived token (known as a bearer token) which is then used to secure each subsequent request to the API.
At your request we will configure an API client and share the credentials securely with your team. The credentials consist of an Client ID and Client Secret. You can at any time request the client Secret is rotated, at which point our team can rotate and securely share a new Client Secret value with your team (if for instance you are required to do so for compliance reasons, or have reason to suspect the Client Secret has been leaked).
Scopes
All operations performed in the API will check to ensure:
- The API client has access to the organization’s data.
- The API client has the necessary scope (permission) to perform the operation.
Currently the Public API has two scopes available for securing API requests. When setting up an API client you can elect to provision the client with one or more of the following scopes:
| Name | Description |
|---|---|
| case-management | Scope created to call any case related mutation (update). |
| read-only | Scope required to be able to retrieve any information about a case. |
In the future we will introduce more granular scopes (the above scopes will remain available) to allow further restriction to what an API client is able to do, to ensure customers can build integrations from a 'least privilege' perspective.
