Hello Claims uses OAuth to authenticate users and integrators, and to provide granular permissions via integration pathways so that third-party vendors can connect to and interact with our APIs. To use our APIs you will need a client identifier and a client secret.
The following assumes that you have already obtained a client identifier and secret, and that you are using the staging (UAT) environment.
Limitations
Because you must provide your client_secret to obtain a token, this flow is only suitable for server-to-server integrations.
Because you are impersonating a user with full access, you will be able to perform any action that a full-privilege user can, including creating, updating and deleting resources. Granular permissions are not currently available for integrations that use this flow, so treat the client secret accordingly: anyone who holds it has that same full access.
As there is no user context, you will not be able to access any resources that are restricted to a particular user. You will also be unable to use the refresh_token flow to obtain a new access token; when a token expires, request a new one with the client credentials flow instead.
Obtaining a token
To use our APIs, you can authenticate your application directly using the client credentials flow. With this flow you effectively impersonate a user with full permissions, which is useful for integrations that need full access to the APIs, such as a data migration.
Once you have obtained a token, make API calls by sending a valid access token with each request (as an Authorization header of the type given by token_type in the response).
To obtain a token, make a POST request to the following endpoint:
https://uat-login.helloclaims.com.au/login/token
The request body must contain the grant type client_credentials, the client_id, the client_secret and the redirect_uri. Note that redirect_uri is not part of the standard client credentials grant (RFC 6749, section 4.4); this endpoint requires it regardless.
Your client secret must be kept private: never commit it to source control, share it, or expose it in client-side code. Store it in a secrets manager or environment variable on the server that performs the token request.
Parameter | Description |
---|---|
grant_type | client_credentials |
client_id | Your application's client id |
client_secret | Your application's secret |
redirect_uri | The same redirect URI that was used when creating your application |
By default, any application created without a valid redirect URI will have it set to http://localhost:9999, and that is then the value you must send.
POST https://uat-login.helloclaims.com.au/login/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_id=xxxxxx
&client_secret=xxxxxx
&redirect_uri=https://myapp.com/redirect
The response will be a JSON object containing the following properties:
Parameter | Description |
---|---|
access_token | The short lived token used to call the API. |
expires_in | The number of seconds until the access token expires |
token_type | The type of authorization header required to use the token; typically bearer |
.expires | The date and time the token will expire, conforming to ISO 8601 |
.issued | The date the token was issued, conforming to ISO 8601 |
See below for an example response:
{
"access_token": "xxxxxxxxxxx",
"token_type": "bearer",
"expires_in": 120,
".expires": "2023-05-24T03:19:59.0000000+00:00",
".issued": "2023-05-24T03:17:59.0000000+00:00"
}
Tokens obtained via the client credentials flow cannot be refreshed; when one expires, request a new one.
Token expiry
All tokens received have an associated expiry time.
Token type | Expiry |
---|---|
access_token | 30 minutes |
The above is indicative only and subject to change (the example response above, for instance, carries an expires_in of 120 seconds). Always use the expires_in parameter in the response to determine the actual expiry time, and request a new token before it elapses.
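The whole procedure on this page, as an added example rather than Hello Claims' own SDK or sample code: a small Python client that POSTs the four documented form fields to the UAT token endpoint, reads expires_in from the JSON response, caches the token, and, because this grant issues no refresh_token, simply requests a new one shortly before expiry. The class and function names (TokenClient, http_post_form, FakeLogin, demo) are my own; the transport and clock are injectable so that demo() runs offline against a constructed fake endpoint returning the documented response shape, and the credentials passed in demo() are placeholders.

```python
import json
import time
import urllib.parse
import urllib.request

# Endpoint documented on this page (staging/UAT environment).
TOKEN_URL = "https://uat-login.helloclaims.com.au/login/token"


def http_post_form(url, fields):
    """Real transport: POST a form-encoded body and decode the JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


class TokenClient:
    """Fetches and caches a client-credentials token; no refresh_token exists
    for this grant, so renewal means requesting a new token before expiry."""

    def __init__(self, client_id, client_secret, redirect_uri,
                 token_url=TOKEN_URL, transport=http_post_form,
                 clock=time.monotonic, skew=30):
        # The four documented form fields; the secret never leaves the server.
        self._fields = {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "redirect_uri": redirect_uri,
        }
        self._token_url = token_url
        self._transport = transport  # injectable so the example runs offline
        self._clock = clock          # injectable so expiry can be simulated
        self._skew = skew            # renew this many seconds before expiry
        self._token = None
        self._expires_at = 0.0

    def _fetch(self):
        payload = self._transport(self._token_url, self._fields)
        if str(payload.get("token_type", "")).lower() != "bearer":
            raise ValueError("unexpected token_type: %r" % payload.get("token_type"))
        self._token = payload["access_token"]
        # Trust expires_in from the response, not the indicative 30 minutes.
        self._expires_at = self._clock() + int(payload["expires_in"])

    def access_token(self):
        """Return a token still valid for at least `skew` seconds."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._fetch()
        return self._token

    def auth_header(self):
        """Header to send with every API call."""
        return {"Authorization": "Bearer " + self.access_token()}


class FakeLogin:
    """Constructed stand-in for the UAT endpoint returning the documented shape."""

    def __init__(self):
        self.calls = 0

    def __call__(self, url, fields):
        if url != TOKEN_URL or fields["grant_type"] != "client_credentials":
            raise AssertionError("request does not match the documented form")
        self.calls += 1
        return {
            "access_token": "tok-%d" % self.calls,
            "token_type": "bearer",
            "expires_in": 120,
            ".expires": "2023-05-24T03:19:59.0000000+00:00",
            ".issued": "2023-05-24T03:17:59.0000000+00:00",
        }


def demo():
    """Show caching, then expiry-driven re-request, on a simulated clock."""
    login, now = FakeLogin(), {"t": 0.0}  # constructed endpoint and clock
    client = TokenClient("xxxxxx", "xxxxxx", "https://myapp.com/redirect",
                         transport=login, clock=lambda: now["t"])
    first = client.access_token()   # no token yet: first request
    now["t"] = 60                   # 60 s into a 120 s lifetime: cached
    second = client.access_token()
    now["t"] = 95                   # inside the 30 s skew window: new request
    third = client.access_token()
    header = client.auth_header()   # still tok-2, sent as a Bearer header
    return first, second, third, header["Authorization"], login.calls
```

Two design choices are worth noting. The renewal skew (30 seconds here) means a request never goes out carrying a token that will expire mid-flight, and expires_in is read from each response rather than hard-coded, which is exactly what the Token expiry section asks for. In production, load the client secret from an environment variable or secrets manager rather than passing a literal as demo() does, and keep the default http_post_form transport; the fake is only there so the example can be exercised without network access.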