Askara API uses OAuth2 to secure communications between third-party applications and Askara.
OAuth2 provides secure, delegated access to Askara resources without sharing user credentials. The framework supports multiple authentication flows depending on your application type.
The Authorization Code flow is recommended for server-side applications and cloud-based software. It provides the highest level of security because the client secret never leaves your server.
Use cases:
- Web applications
- Cloud-based software
- Server-to-server integrations
→ Authorization Code Flow Guide
Refresh tokens are used to obtain new access tokens without re-authenticating users. Access tokens expire after 1 hour for security purposes.
Designed for client-server applications or offline software where secure storage of credentials is challenging.
Use cases:
- Desktop applications
- Offline medical practice management software
- Devices with limited input capabilities
Before integrating OAuth2:
- Client Credentials: Contact us to obtain your client_id and client_secret
- Redirect URI: Provide the callback URL for your application
- Scopes: Determine which API scopes your application requires
- Never expose client secrets in client-side code or version control
- Validate state parameters to prevent CSRF attacks
- Store refresh tokens securely in encrypted database storage
- Implement token rotation by updating refresh tokens after each use
- Use HTTPS only for all OAuth2 endpoints
Access tokens:
- Lifetime: 1 hour
- Type: JWT (JSON Web Token)
- Usage: Include in API requests via the Authorization: Bearer ACCESS_TOKEN header
- Content: Decode at jwt.io to inspect claims
Refresh tokens:
- Lifetime: 30 days
- Single-use: Each refresh generates a new token pair
- Storage: Securely store in your database
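The rotation rules above (1 hour access tokens, single-use refresh tokens that return a new pair) sketched as an added example, not Askara's own code. `exchange` and `persist` are hypothetical callables standing in for the token endpoint request and the encrypted database write, and the response field names are the RFC 6749 ones, assumed here.

```python
import threading
import time

ACCESS_LIFETIME = 3600  # seconds: the page gives access tokens a 1 hour lifetime
SKEW = 60               # assumption: refresh one minute before expiry

class RotatingTokenStore:
    # exchange(refresh_token) -> dict is a hypothetical stand-in for the token
    # endpoint call (RFC 6749 field names); persist(refresh_token) is a
    # hypothetical write to encrypted storage.
    def __init__(self, access, refresh, expires_at, exchange, persist, clock=time.time):
        self._access, self._refresh, self._expires_at = access, refresh, expires_at
        self._exchange, self._persist, self._clock = exchange, persist, clock
        self._lock = threading.Lock()

    def access_token(self):
        # One refresh at a time: two callers spending the same single-use
        # refresh token would leave one of them rejected.
        with self._lock:
            if self._clock() >= self._expires_at - SKEW:
                pair = self._exchange(self._refresh)
                # Store the new refresh token first; the old one is already spent.
                self._persist(pair["refresh_token"])
                self._refresh, self._access = pair["refresh_token"], pair["access_token"]
                self._expires_at = self._clock() + pair.get("expires_in", ACCESS_LIFETIME)
            return self._access

class FakeTokenEndpoint:
    # Constructed test double: accepts each refresh token exactly once.
    def __init__(self, first_refresh):
        self.valid, self.calls = first_refresh, 0

    def __call__(self, refresh_token):
        if refresh_token != self.valid:
            raise PermissionError("refresh token already used or unknown")
        self.calls += 1
        self.valid = f"refresh-{self.calls}"
        return {"access_token": f"access-{self.calls}",
                "refresh_token": self.valid, "expires_in": ACCESS_LIFETIME}

def demo():
    now, saved, seen = [0.0], [], []  # constructed clock and storage stand-in
    endpoint = FakeTokenEndpoint("refresh-0")
    store = RotatingTokenStore("access-0", "refresh-0", ACCESS_LIFETIME,
                               endpoint, saved.append, clock=lambda: now[0])
    for t in (0.0, 3590.0, 7300.0):   # fresh, inside skew window, second hour
        now[0] = t
        seen.append(store.access_token())
    return seen, saved, endpoint.calls
```

If `exchange` raises because the stored refresh token was already spent, the store keeps its old state and the user has to go through the authorization flow again.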
- Choose the appropriate flow for your application type
- Follow the specific flow guide for implementation details
- Test your integration in the staging environment
- Review the API documentation for available endpoints
For questions or to request client credentials, contact our team.