Requesting Access to HCP Identity APIs
Access to the Identity Service is requested via the HCP API Catalog. Use the following link to navigate to the Identity Service in the catalog:
HCP Data Catalog - Identity Service
Required Access Requests
Two separate access requests are required, one for each environment:
- Non-Prod
- Prod
Once your request is approved, you will receive the Client ID and Client Secret. Use these credentials to authenticate against the /oauth2/token endpoint and obtain a JWT access token.
Authentication Details
Scope
The required scope for authentication is:
https://api.uhg.com/.default
Credential Renewal
Credentials must be renewed periodically. Notifications will be sent as reminders when renewal is required.
Authentication Example
Request
Use the following curl command to authenticate and retrieve an access token:
curl --location 'https://api.uhg.com/oauth2/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=<client-id>' \
  --data-urlencode 'client_secret=<client-secret>' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'scope=https://api.uhg.com/.default'
Response
A successful authentication request will return a response similar to the following:
{
  "access_token": "eyJraWQiOiJweFlGY2FXdTVLYVh6bWN1LUc5eUl0SlJIS1FWWlNUUEhWb...",
  "expires_in": 3594,
  "refresh_expires_in": 0,
  "token_type": "Bearer",
  "not-before-policy": 0,
  "scope": "https://api.uhg.com/.default"
}
Token Management
The authentication request shown above must be performed to retrieve an access token for the Identity Service. Because the token expires every hour (the expires_in value in the response is given in seconds), clients must implement a mechanism that obtains a fresh token before the current one lapses.
Caching Tokens
The CCG has developed a mechanism to:
- Automatically refresh the access token before it expires.
- Cache the token in memory to reduce the number of requests made to the Identity Service.
This ensures efficient and uninterrupted access to the Identity Service.
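The following is an added example, not the CCG mechanism or any code from this page's project: a minimal in-memory token cache in Python that reuses one token and renews it shortly before expires_in elapses. The environment variable names CLIENT_ID and CLIENT_SECRET, the 60-second margin, and the names fetch_token, TokenCache and cache_from_env are assumptions made for illustration.

```python
import json
import os
import threading
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.uhg.com/oauth2/token"
SCOPE = "https://api.uhg.com/.default"

def fetch_token(client_id, client_secret):
    """POST the same client-credentials form as the curl example above."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": SCOPE,
    }).encode()
    req = urllib.request.Request(
        TOKEN_URL, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Holds one token in memory; renews it `margin` seconds before expiry."""
    def __init__(self, fetch, margin=60, clock=time.monotonic):
        self._fetch, self._margin, self._clock = fetch, margin, clock
        self._lock = threading.Lock()
        self._token, self._renew_at = None, 0.0

    def get(self):
        with self._lock:  # only one thread refreshes at a time
            if self._token is None or self._clock() >= self._renew_at:
                resp = self._fetch()  # on failure the cached state is unchanged
                if resp.get("token_type") != "Bearer" or not resp.get("access_token"):
                    raise ValueError("unexpected token response")
                # A lifetime shorter than the margin makes the next call refetch.
                lifetime = max(int(resp["expires_in"]) - self._margin, 0)
                self._token = resp["access_token"]
                self._renew_at = self._clock() + lifetime
            return self._token

def cache_from_env():
    """Build a cache from CLIENT_ID / CLIENT_SECRET (assumed variable names)."""
    cid, secret = os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"]
    return TokenCache(lambda: fetch_token(cid, secret))
```

Call cache_from_env().get() wherever a bearer token is needed; the secret and token stay in process memory and are never written to disk or logs by this code.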