Getting Started

Request Application Credentials

Application credentials allow applications to gain access to our APIs.  Before you can make requests to one of our APIs, you will need application credentials for your application.  We support three different types of application credentials:  API Keys, Username/Password/Profile credentials and OAuth 2.0 credentials.  A protocol for each type of application credential is used for authentication and authorization in order to secure the information in our systems.  Authentication verifies who you are.  Authorization decides if you are allowed access to a resource.  Each method that we use for access to our APIS is briefly described below.



An API Key is a secret token used as a unique identifier.  The key identifies the application making the call to the API as well as rights and access to the API.  It is a unique string transmitted as a part of the request.   Based on the API Key, the API can then identify the application, log the request and send the appropriate response.


Username-Password Authentication

The Username and Password method of authentication generates an authentication token.  The authentication token is an identifier.  To use this method of authentication, a session token must also be generated using the customer's profile.  Subsequent requests can use both the authentication token and the session token to gain access to the API.


OAuth 2.0

OAuth 2.0 uses access tokens, similar to API Keys, that are generated by an external server to grant your client apps limited access to your resources.  The client is authorized by the access token.  The access token has a scope which defines the resources that the token grants access to.

Before using OAuth 2.0 with your application, the protocol requires you to register your App with the API.  Registering your App will provide you with your Client ID and Secret to be used later in the process.

OAuth 2.0 describes a number of grants (methods) for a client application to acquire the access token needed.  After you are registered, it must be decided which OAuth 2.0 grant type you are going to use in order to receive the access token.  The grant type used depends on the use case.  The most common OAuth 2.0 grant types are listed below.

  • Authorization Code - Used for Apps running on a web server, browser based and mobile apps.
  • Password - Used for logging in with a username and password.
  • Client Credentials - Used for application access.
  • Implicit - Originally recommended for clients without a secret, but has been superseded by the Authorization Code grant type with no secret.

The authorization flow, or process, for obtaining the access token differs depending on the grant type.  Regardless of the grant type, the result of the OAuth 2.0 authorization flow is an access token.  After you have obtained the access token, you can make requests to the API.  More information on OAuth 2.0 can be found in the OAuth 2.0 specification.


How Do I Request Application Credentials?

Details on how to request API specific application credentials are available below in the overview for each API.


EBSCOhost Entitlement API


MEDSAPI Dynamic Health


MEDSAPI Consumer Health