Authentication service

The authentication service takes care of authenticating clients within the MEDrecord platform and allows other services to check the identity of a client making a request.

User authentication

When an user is successfully identified by the authentication service it will provide the user with a token. This token is a digitally signed JSON Web Tokens (JWT) which must be passed with every request made to a service within the MEDrecord platform.

Obtaining a JWT

JWTs for MedRecord are issued by the AUTH service and can be obtained after successfull authentication.

A JWT can be obtained though one of the following methods:

  • Login with username/password
  • Login using external identity providers (such as "Login with Google")
  • Using a refresh token

Passing JWTs

When a valid JWT is obtained, it needs to be passed with every API call to the MedRecord services. The JWT can be passed using:

  • using the query argument authToken
  • using the Authentication: Bearer header

Decoding JWTs

A JWT contains information about the user which can be decoded freely by anyone who has access to the JWT. The JWT can also be used by third party services to validate the identity of the caller by validating its signature using the public key provided by the AUTH service.

The JWT currently contains the following information:

  • sub (mvUid)
  • ehrId
  • role (string list)
  • status


The development servers have a special backdoor account enabled for quickly testing APIs. To use this backdoor account the special JWT token helloletmeinplease must be used. When the service sees this special token, the request is authenticated using and ADMIN account.

SSL Client Certificate authentication

Trusted third party services which act on behalf of many users must use SSL Client Certificates to authenticate themselves. In this mode, the third party serviced is responsible for authenticating the user and enforcing any access restrictions.