Authentication

Overview

Efimis APIs use OAuth 2.0 for authentication and authorization. Applications must use the OAuth 2.0 client credentials flow to access the APIs.

OAuth 2.0 Flows

Client Credentials Flow (Machine-to-Machine)

Use this flow for backend services or applications without user interaction.

Request an Access Token

curl -X POST "https://id.practiceevolve.net/pevolveextprod.onmicrosoft.com/b2c_1a_idp_aad_multi/oauth2/v2.0/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "scope=https://pevolveextprod.onmicrosoft.com/evolve-api/.default"

Response

{
  "access_token": "eyJhbGciOiJIUzI1...",
  "token_type": "Bearer",
  "not_before": 1749554835,
  "expires_in": 43200,
  "expires_on": 1749598035,
  "resource": "[RESOURCE ID]"
}

Authorization Code Flow (User Authentication)

Use this flow when a user needs to authenticate and grant access to their data.

ℹ️ This flow is not yet supported.

Making Authenticated Requests

Include the access_token in the Authorization header for all API requests.

GET /[tenant]/v1/resources HTTP/1.1
Host: api.alpha.lfms.dev
Authorization: Bearer OAUTH_ACCESS_TOKEN

Security Best Practices

  • Store credentials securely.
  • Use HTTPS.
  • Implement least privilege.
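
The token request and authenticated-request steps above, combined with the first two practices in this list, as an added example that is not Efimis's own code: the client reads its credentials from the environment, refuses a non-HTTPS token endpoint, and reuses one token until shortly before `expires_on`. The environment variable names, the 60-second refresh margin and the class and function names are assumptions.

```python
import json, os, time
import urllib.parse, urllib.request

# Endpoint and scope are the values shown on this page.
TOKEN_URL = ("https://id.practiceevolve.net/pevolveextprod.onmicrosoft.com/"
             "b2c_1a_idp_aad_multi/oauth2/v2.0/token")
SCOPE = "https://pevolveextprod.onmicrosoft.com/evolve-api/.default"
SKEW = 60  # assumption: refresh this many seconds before expiry

def build_token_request(client_id, client_secret, url=TOKEN_URL):
    """Build the form-encoded POST; refuse any non-HTTPS endpoint."""
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError("token endpoint must use HTTPS")
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": SCOPE}).encode()
    return urllib.request.Request(
        url, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def fetch_token(client_id, client_secret):
    """POST to the token endpoint and return the parsed JSON response."""
    req = build_token_request(client_id, client_secret)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Reuse one access token until shortly before its expires_on time."""
    def __init__(self, fetch, clock=time.time):
        self._fetch, self._clock = fetch, clock
        self._token, self._expiry = None, 0

    def auth_header(self):
        now = self._clock()
        if self._token is None or now >= self._expiry - SKEW:
            tok = self._fetch()
            if str(tok.get("token_type", "")).lower() != "bearer" \
                    or not tok.get("access_token"):
                raise ValueError("unexpected token response")
            # Prefer the absolute expires_on; fall back to expires_in.
            self._expiry = int(tok.get("expires_on") or now + int(tok["expires_in"]))
            self._token = tok["access_token"]
        return {"Authorization": "Bearer " + self._token}

def cache_from_env():
    """Read credentials from the environment (variable names are hypothetical)."""
    cid = os.environ["EFIMIS_CLIENT_ID"]
    secret = os.environ["EFIMIS_CLIENT_SECRET"]
    return TokenCache(lambda: fetch_token(cid, secret))
```

Merge the dictionary returned by `auth_header()` into the headers of each API request; the token endpoint is contacted only when the cached token is within the refresh margin of expiry.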

For sandbox access and developer keys, contact connections@efimis.com.