Most API requests will need to authenticate against the Isometric API in two ways simultaneously:

  • By passing a client secret in the X-Client-Secret header to identify the system integrating with the API.
  • By passing an access token in the Authorization header to authenticate as a specific organization, in order to gain access to its private data.

Client Authentication

Every API call to Isometric must include a client secret identifying the client application.

This client secret is tied to a particular environment - sandbox or production - so a sandbox secret will not work against production and vice versa. A client secret can be obtained by contacting Isometric directly. Client secrets should be treated as highly sensitive: keep them in a secrets manager or equivalent server-side store, never commit them to source control, and never embed them in client-side (browser or mobile) code.

The client secret should be submitted on every API request via the X-Client-Secret header. For example X-Client-Secret: uPrO...wxAh.

Organization Authentication

In addition, a large number of API requests will require an access token in order for the caller to identify themselves and act as a specific Organization.

To authenticate as an Organization you will need to submit a JWT bearer access token via the Authorization header. For example: Authorization: Bearer eyJh...sw5c. This access token can be obtained by contacting Isometric directly. If you are going to be acting on behalf of other Organizations, they will need to request the access token from us and pass it to you over a secure channel. Access tokens should be treated as highly sensitive, kept secret and stored accordingly: it is a bearer credential, so anyone who holds it can act as that Organization.

Access tokens are scoped to a single Organization - so if you are acting on behalf of multiple organizations, you will need to hold one token per Organization and submit the appropriate one on each request.

Access tokens expire 1 year after generation. When you are approaching expiry, a new token will need to be generated and Isometric will guide you through rotating your current access token, which will cease to work post-expiry.
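The following is an added example, not code from Isometric or this page, showing how an integrator might assemble the two headers described above, keep one access token per Organization, and check a token's exp claim locally before use so that expiry and the rotation window are caught before a request fails. Everything here is an assumption for illustration: the helper names, the 30-day rotation warning window (the page only says "approaching expiry"), the integrator-chosen org label used to index tokens, and the constructed HS256 token and key, which exist only so the example runs offline. Note that the claims decode is unverified: the integrator does not hold Isometric's signing key, so this is housekeeping, not trust.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Assumption: how far ahead of expiry to flag a token for rotation.
# The page only says "approaching expiry"; 30 days is a chosen example value.
ROTATION_WARNING_SECONDS = 30 * 24 * 3600


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def jwt_claims(token: str) -> dict:
    """Read the JWT payload WITHOUT verifying the signature.

    The integrator does not hold Isometric's signing key, so this is only
    usable for local housekeeping (expiry checks), never to trust the claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(token: str, now: Optional[float] = None) -> float:
    """Seconds until the token's exp claim; negative if it has already expired."""
    exp = jwt_claims(token).get("exp")
    if exp is None:
        raise ValueError("token carries no exp claim")
    now = time.time() if now is None else now
    return exp - now


def build_headers(client_secret: str, access_token: Optional[str] = None) -> Dict[str, str]:
    """Headers for one request: X-Client-Secret always, Authorization only
    when the call acts as a specific Organization."""
    headers = {"X-Client-Secret": client_secret}
    if access_token is not None:
        headers["Authorization"] = f"Bearer {access_token}"
    return headers


class IsometricAuth:
    """One client secret plus one access token per Organization.

    `org_label` is an integrator-chosen key (assumption: the page does not
    say how integrators should index their per-Organization tokens).
    """

    def __init__(self, client_secret: str, org_tokens: Dict[str, str]):
        self.client_secret = client_secret
        self.org_tokens = dict(org_tokens)

    def headers_for(self, org_label: Optional[str] = None,
                    now: Optional[float] = None) -> Dict[str, str]:
        if org_label is None:
            return build_headers(self.client_secret)
        token = self.org_tokens[org_label]  # KeyError: no token held for that org
        remaining = seconds_until_expiry(token, now)
        if remaining <= 0:
            raise RuntimeError(f"access token for {org_label!r} has expired; "
                               "request a new one from Isometric")
        if remaining < ROTATION_WARNING_SECONDS:
            print(f"warning: token for {org_label!r} expires in "
                  f"{remaining / 86400:.0f} days; start rotation with Isometric")
        return build_headers(self.client_secret, token)


def make_constructed_jwt(claims: dict, key: bytes) -> str:
    """CONSTRUCTED HS256 test token so the example runs offline.
    Real tokens are issued by Isometric; this key and routine are not theirs."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    signing_input = f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{base64.urlsafe_b64encode(sig).rstrip(b'=').decode()}"


if __name__ == "__main__":
    now = 1_700_000_000
    year = 365 * 24 * 3600
    auth = IsometricAuth(
        client_secret="constructed-client-secret",  # placeholder, load from a secrets store in practice
        org_tokens={
            "org-a": make_constructed_jwt({"sub": "org-a", "exp": now + year}, b"example-key"),
            "org-b": make_constructed_jwt({"sub": "org-b", "exp": now + 7 * 86400}, b"example-key"),
        },
    )
    print(auth.headers_for(now=now))            # client secret only
    print(auth.headers_for("org-a", now=now))   # plus org-a's bearer token
    print(auth.headers_for("org-b", now=now))   # still valid, but prints a rotation warning
```

In a real integration the client secret and tokens would be read from a secrets manager or environment at startup rather than written into the source; the `now` parameter exists only so the expiry logic can be exercised deterministically.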

If for whatever reason you suspect your access token is compromised, notify Isometric as soon as possible and we will provide a new access token and invalidate the old one.