Security
Authentication
Requests made to the Partners API must be authenticated. Honeybee Health uses the OAuth 2.0 protocol to provide secure access to our APIs. OAuth 2.0 is a standard for authorization and is used to grant access to protected resources in your account.
The OAuth 2.0 specification defines different mechanisms, called "grant types," for distributing access tokens for apps. The most common grant type used for application to application communiction defined by OAuth 2.0 is called "client credentials." In this grant type, OAuth access tokens are generated in exchange for client credentials, which are client_id/client_secret pairs.
Using your client_id and client_secret you can obtain an access token for your account. This access token is then used to authenticate your requests to the API.
Basic steps
Visit the Partner Portal to obtain a client ID and client secret.
Obtain an access token from the OAuth 2.0 endpoint using your client ID and client secret.
Before your application can access private data, it must obtain an access token that grants access to that API. A single access token can grant varying degrees of access to multiple APIs. A token is a string representing an authorization issued to the client.
Access Token Request
POST /oauth/token HTTP/1.1 Host: partners.honeybeehealth.com Content-Type: application/x-www-form-urlencoded;charset=utf-8 grant_type=client_credentials&client_id=PAE_tecHj8ib_0F7cXuq55emEdasKPJcgV3PE3Gd56Y&client_secret=jXA3jNpRnGIfE7xXONDgH8chCJZgLi8bGOIJYuVvKe0
Access Token Response
HTTP/1.1 200 OK Content-Type: application/json;charset=utf-8 Cache-Control: no-store Pragma: no-cache { "access_token": "xxxxxxxxxxxxxxx", "token_type": "Bearer", "expires_in": 43200, "created_at": 1592972935 }
Send the access token to an API endpoint. The access token should be sent as a Bearer token in the Authorization header of the request. The API will validate the token and grant or deny access to the resource.
Access tokens have a limited lifetime specified by the
expires_in
field. If your application needs access to a resource beyond the lifetime of a single access token, it can simple request another access token.
Webhook Security
Webhooks will include an X-Honeybee-Signature header that can be used to validate that the request was in fact made by Honeybee Health.
The signature is constructed by concatenating the request method, i.e. POST, with the url of the webhook and the url encoded payload. We will then sign this string with HMAC-SHA1 using your client_secret and finally base64 encode the result with a trailing newline character.
Perform the same steps on the receiving end to validate the signature.
A pseudo-code representation of this looks like:
base = escape(request.method + request.url + string(request.body)) key = sha256_hex_digest(your_client_secret) X-Honeybee-Signature = base64_encode(hmac_sha1_digest(key, base) + "\n")
Examples for generating sha256_hex_digest
in common languages:
Ruby
Digest::SHA256.hexdigest('your_client_secret')
Node
const crypto = require('crypto') crypto.createHash('sha256').update('your_client_secret').digest('hex')
Python
import hashlib hashlib.sha256('your_client_secret'.encode('utf-8')).hexdigest()
Go
package main import ( "crypto/sha256" "encoding/hex" "fmt" ) func main() { hash := sha256.New() hash.Write([]byte("your_client_secret")) sha256_hash := hex.EncodeToString(hash.Sum(nil)) }