Authentication modes

info

Please note that the Informed Consumer documentation is publicly viewable, but the Informed Auto documentation requires a username and password to access. If you would like access to the Informed Auto documentation, please contact your sales rep or reach out to support@informed.iq.

Inbound to Informed

Informed offers two methods of inbound authentication: Basic Auth and OAuth 2.0.

Basic Auth

Your company will receive an HTTP Basic Auth username and password upon executing a Master Services Agreement (MSA) with Informed.

These Basic Auth credentials should be used for all your API calls to the Informed endpoints.

All API requests must have an Authorization header with a valid authentication token in order to be successful. The Authorization header format is Authorization: Basic <token>. The token is obtained by base64-encoding username:password, as described by the HTTP Basic Auth protocol.

Any requests made without a valid header will receive a 401 Unauthorized response.

OAuth 2.0

Token request

Your company will receive a client ID and client secret upon executing a Master Services Agreement (MSA) with Informed.

To begin the authorization process, you must first use your client ID and client secret to obtain a JWT Access Token.

The table below shows the URLs for obtaining access tokens for use with the Informed API in the different environments:

Environment | Base URL
Staging | https://api.staging.informediq-infra.com/token
Production | https://api.informediq.com/token

When requesting the token, the Authorization header contains the Basic prefix, followed by the base64-encoded string of your_client_id:your_client_secret.

POST /token HTTP/1.1
Host: api.staging.informediq-infra.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=

grant_type=client_credentials

Below is a sample Python code snippet to create such a token request:

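import base64
import requests

token_url = "https://api.staging.informediq-infra.com/token"
client_id = "your_client_id"
client_secret = "your_client_secret"

# Encode client_id:client_secret using base64 for the Basic Authorization header
credentials = f"{client_id}:{client_secret}"
encoded_credentials = base64.b64encode(credentials.encode()).decode()

headers = {
    "Authorization": f"Basic {encoded_credentials}"
}

# Passed via data=, so requests sends it as application/x-www-form-urlencoded
request_body = {
    "grant_type": "client_credentials"
}

# Set a timeout so a stalled connection cannot hang the caller
response = requests.post(token_url, data=request_body, headers=headers, timeout=10)
response.raise_for_status()  # raise on 401 Unauthorized and other error responses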

Response to token request

If the request for an access token is valid, the authorization server will generate an access token and return it to you in the synchronous response along with some additional properties about the authorization.

The response will contain the following properties:

  • access_token - The JWT access token string as issued by the authorization server.
  • token_type - The type of token, typically just the string Bearer.
  • expires_in - If the access token expires, this value will indicate the remaining time in seconds until expiration.

For example, a successful token response may look like the following:

{
  "access_token": "eyJhbGciOiJIUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 3600
}

tip

Each generated token will expire in 3600 seconds (one hour), at which point you will need to generate a new token if you wish to continue sending API requests to Informed.

Making API calls with the token

All API requests must have an Authorization header with a valid access token in order to be successful. Use the response values from the token request to make up the Authorization header.

The Authorization header format will be Authorization: Bearer <access_token>.

You can also think of this programmatically as Authorization: <token_type> <access_token>

You will receive a successful 200 response if the token is valid. Any requests made without a valid header will receive a 401 Unauthorized response.

Token expiration

When an access token expires, the server will return a synchronous response with a 401 Unauthorized status code. The header may also contain additional information about the error, such as the error attribute with a value of invalid_token to indicate that the token has expired or is otherwise invalid.

Simply repeat the process above to request a new access token when you receive a 401 Unauthorized status code.
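The token lifetime and the 401 handling described above can be combined in a small client-side cache. This is an added example, not Informed's code: TokenCache, call_api and the fetch_token and send callables are hypothetical names, where fetch_token performs the POST to /token and returns the parsed JSON body, and send performs one API request with the given Authorization header.

```python
import time


class TokenCache:
    """Caches a client_credentials access token and renews it before expiry."""

    def __init__(self, fetch_token, clock=time.monotonic, skew=60):
        # fetch_token: hypothetical callable returning the parsed token
        # response (access_token, token_type, expires_in).
        self._fetch = fetch_token
        self._clock = clock
        self._skew = skew  # renew this many seconds before the stated expiry
        self._header = None
        self._expires_at = 0.0

    def invalidate(self):
        """Forget the cached token, e.g. after the API answered 401."""
        self._header = None

    def authorization(self):
        """Return the Authorization header value, fetching a token if needed."""
        if self._header is None or self._clock() >= self._expires_at:
            body = self._fetch()
            if body.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type in token response")
            # A missing expires_in is treated as 0: the token is used once
            # and fetched again on the next call.
            lifetime = max(int(body.get("expires_in", 0)) - self._skew, 0)
            self._header = f"Bearer {body['access_token']}"
            self._expires_at = self._clock() + lifetime
        return self._header


def call_api(cache, send):
    """send(authorization_header) -> (status, body). Retries once on 401."""
    status, body = send(cache.authorization())
    if status == 401:
        # Token expired or was rejected: request a new one and retry a single
        # time, so bad client credentials cannot cause an endless loop.
        cache.invalidate()
        status, body = send(cache.authorization())
    return status, body
```

Keeping the token in memory only, and never writing the Authorization header to logs, limits exposure of a credential that stays valid for up to an hour.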

Outbound to you

Informed supports two methods of authentication for the outbound callback responses: Basic Auth and OAuth 2.0.

Basic Auth

When Informed sends callback responses to your endpoint, Informed can support Basic Auth authentication established on your endpoint. You will need to supply the credentials (username and password) up front during your initial account configuration.

OAuth 2.0

Alternatively, Informed can support OAuth authentication for the callback responses to your endpoint. You will need to supply the necessary information, such as:

  • grant type
  • client ID
  • client secret
  • token URL

Informed is prepared out of the box to support a grant type of client_credentials.

If you have a different grant_type or a more complex OAuth configuration, please reach out to the Informed Professional Services team for support and determination of feasibility.

mTLS

The Informed platform uses a modern cloud architecture which does not explicitly lend itself to static IP blocks. We have implemented mTLS for our outbound callback responses to add an additional layer of verification for knowing that the response is coming from Informed. This setup is quite common among modern SaaS platforms.

If you desire to use the mTLS configuration, please contact your Customer Success rep.

IP whitelisting

The outbound asynchronous callback responses to the registered webhook endpoints come from the IP addresses listed below (by environment). If you desire to enable IP whitelisting on your end, please use the IP addresses shown below.

Staging | Production
34.218.130.105
35.163.215.18
44.242.70.77
52.24.16.92
52.26.152.79
52.88.80.35
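
On the receiving side, the outbound Basic Auth credentials and the source-address allowlist described above can be enforced together before a callback is processed. This is an added example, not Informed's code: the function names, the credential values and the 203.0.113.10 address used with it are constructed, and peer_ip is assumed to be the TCP peer address (or one set by a proxy you control), never a client-supplied header.

```python
import base64
import binascii
import hmac
import ipaddress


def parse_basic(header):
    """Return (username, password) from an Authorization header, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not valid base64 / not valid UTF-8
    # Only the first colon separates the fields; the password may contain more.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def callback_allowed(peer_ip, header, expected_user, expected_password,
                     allowed_networks):
    """True only if the sender address is allowlisted AND the credentials match."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    # allowed_networks: the addresses published for your environment,
    # as single IPs or CIDR blocks.
    if not any(addr in ipaddress.ip_network(n) for n in allowed_networks):
        return False
    creds = parse_basic(header)
    if creds is None:
        return False
    # Constant-time comparison; evaluate both so timing does not reveal
    # which of the two fields was wrong.
    user_ok = hmac.compare_digest(creds[0].encode(), expected_user.encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), expected_password.encode())
    return user_ok and pass_ok
```

A request that fails either check should get a 401 Unauthorized response without indicating which check failed.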