🔒

Authentication

To use the FibriCheck API, there are two levels of authentication:
  • Application authentication: your application needs to have credentials to communicate with FibriCheck
  • User authentication: the end user needs to have proper credentials to authenticate against FibriCheck
FibriCheck supports OAuth 1.0 and OAuth 2.0 mechanisms for authentication and authorization of users.

Authentication via OAuth 1.0

When using OAuth 1.0, you need to add 2 sets of credentials to each request to the FibriCheck API:
  • The Consumer Key and Consumer Secret, identify the application and are always required. We provide these credentials to you.
  • The Access Token and Token Secret identify the user and are always required except for the user registration and authentication call. The authentication call that exchanges a e-mail/password combination for an Access Token and Token Secret is described below.
Keep in mind that an access token and token secret must always be used with the consumer key/secret they were generated with.
The remainder of this page discusses how to authenticate existing users, take a look here to learn more about registering new users.

SDK

Flutter
React Native
import 'package:flutter_fibricheck_sdk/flutter_fibricheck_sdk.dart';
​
// In this example we use the localstorage as a storage option for the credentials.
// Other packages or persistent storage methods can be used as well.
// More information: https://pub.dev/packages/localstorage
_storage = new LocalStorage('my_app');
​
_sdk = FLFibriCheckSdk.client("{consumerKey}", "{consumerSecret}");
​
void onConsentNeeded(List<Consent> documentsToSign) {
for (var document in documentsToSign) {
{
// 1. Request approval from the user
​
// 2. Pass the document back to the sdk
_sdk.giveConsent(document);
}
}
}
​
var res = await _sdk.authenticateWithEmail(
ParamsOauth1WithEmail(email: "{userEmail}", password: "{userPassword}"),
(consents) {
_onConsentNeeded(consents);
},
);
//save token
storage.setItem('token', res.token);
//save token secret
storage.setItem('tokenSecret', res.tokenSecret);
The tokenData information can be used to authenticate the user for subsequent API calls.
​
var res = await _sdk.authenticateWithToken(
ParamsOauth1WithToken(token: storage.getItem('token'), tokenSecret: storage.getItem('tokenSecret')), (consents) {
_onConsentNeeded(consents);
},)
In the following example we use @react-native-async-storage/async-storage to store the credentials. You are free to use any other storage option in your application.
import AsyncStorage from '@react-native-async-storage/async-storage';
​
(async () => {
const sdk = client({
consumerKey: '',
consumerSecret: '',
});
// Function that handles required consents
const onConsentNeeded = (legalDocumentsUpdated: Consent[]) => {
legalDocumentsUpdated.forEach((document) => {
// 1. Request approval from the user
​
// 2. Pass the document back to the sdk
sdk.giveConsent(document);
});
};
​
const tokenData = await sdk.authenticate({
email: '',
password: '',
}, onConsentNeeded);
​
AsyncStorage.setItem('tokenData', JSON.stringify(tokenData));
})();
The tokenData information can be used to authenticate the user for subsequent API calls.
import AsyncStorage from '@react-native-async-storage/async-storage';
(async () => {
const tokenDataString = await AsyncStorage.getItem('tokenData');
const tokenData = JSON.parse(tokenDataString);
​
await sdk.authenticate({
token: tokenData.key,
tokenSecret: tokenData.secret,
});
})();

REST API

post
https://api.fibricheck.com
/auth/v2/oauth1/tokens
Authenticate using OAuth 1.0
To implement the OAuth 1 protocol, additional parameters such as a request signature and nonce need to be added to the request. The FibriCheck Postman workspace contains an example request to authenticate successfully.
Also, libraries exist for each platform that facilitates performing OAuth 1.0 requests, for example node-oauth in the Node.JS ecosystem.
FibriCheck processes your user's medical data. Each user must consent to the FibriCheck privacy policy and terms of use before interacting with the API.
The Cloud SDK methods automatically check if consents are needed and require a onConsentNeeded callback function as a parameter. This function will be called when legal documents have been updated in the FibriCheck cloud which the end-user needs to reapprove. In case you are using the REST API endpoints, we require you to implement these checks manually.
In case you are using the REST API endpoints, we strongly advise to implement these checks as well.
It's important to perform this check at regular times when the user uses your application, as documents might have been updated.
To check for which documents a user needs to give consent, follow these steps:
  1. 1.
    Query the general configuration endpoint to get the latest document version and associated document URL's
  2. 2.
    Query the user configuration endpoint to get the latest consent given by the user
  3. 3.
    Compare the information from step 1 and 2

Query the general configuration endpoint

get
https://api.fibricheck.com
/configurations/v2/general
Get the general configuration object
From the general configuration endpoint, the following elements are relevant for consent management:
  • data.documents: available FibriCheck-related documents with their URL and latest version.
{
"data": {
"documents": {
"privacy_policy": {
"url": "https://pages.dev.fibricheck.com/privacy-policy/1.6.0/",
"version": "1.6.0",
"requiredFor": "all"
},
"terms_of_use": {
"url": "https://pages.dev.fibricheck.com/terms-of-use/1.5.0/",
"version": "1.5.0",
"requiredFor": "all"
}
}
}
}
The url points to a webpage where the latest version of the document can be found.
The version is in semver format.

Query the user configuration endpoint

get
https://api.fibricheck.com
/configurations/v2/users/{userId}
Get the user-specific configuration object
From the user-specific configuration endpoint, following elements are relevant for consent management:
  • data.documents: contains information about the documents that the user previously signed.
{
"data": {
"documents": {
"privacy_policy": {
"v1_3_0": {
"timestamp": "2018-06-11T16:42:47.554+0200"
},
"terms_of_use": {
"v1_5_0": {
"timestamp": "2020-10-26T11:31:03.000Z"
}
}
}
}
}
}

Compare the general and user-specific information

The two important documents that users must sign are privacy_policy and terms_of_use. With the data from the above two endpoints, you can find out whether there is a new version of the document.
The version value in the general configuration shows the latest available version of the specific document. If there is no associated key for that version in the user-specific configuration, then the user has not yet given consent to the latest document.
An example:
  • Theprivacy_policy in the general configuration has 1.6.0 as a version value
  • In the user-specific configuration, there is a key named v1_3_0. There does not exist a key v1_6_0. The user thus has not consented yet to version 1.6.0 of the privacy policy.
For the documents that the user did not consent to yet, follow the following steps to record a consent:
  • Use the associated URL from the general configuration to show the document
  • Ask the user to explicitly accept the policy
  • Update the consent in FibriCheck Cloud with the endpoint below
Call the above endpoint with the following body:
{
"data": {
"documents": {
"privacy_policy": {
"v1_6_0": {
"timestamp": "2023-03-22T08:43:48+0000"
}
}
}
}
}
​