How to authenticate using backend services authorization

The token endpoint is: https://fhir.careevolution.com/Master.Adapter1.WebClient/identityserver/connect/token

Client ID: JWTClientCredentials

Issuer: JWTClientCredentials

Audience: https://fhir.careevolution.com/Master.Adapter1.WebClient/identityserver/connect/token

Scope: system/*.read or system/*.*

Signing private key:

Alternatively, you can download the certificate; its password is jwt.careevolution.com.

Corresponding public certificate (to check if the signature is valid):


The JWT must be signed with the RS384 or the RS256 algorithm (the specification prescribes RS384, but RS256 is also supported).

The key identifier (kid) is 91DFD4A1BD6E7A807289415941A892F2D3DDB68E and the X.509 certificate thumbprint (x5t) is kd_Uob1ueoByiUFZQaiS8tPdto4; both are optional.

JWT header example:

{
  "typ": "JWT",
  "alg": "RS384"
}
or
{
  "typ": "JWT",
  "alg": "RS384",
  "kid": "91DFD4A1BD6E7A807289415941A892F2D3DDB68E"
}
or
{
  "typ": "JWT",
  "alg": "RS384",
  "x5t": "kd_Uob1ueoByiUFZQaiS8tPdto4"
}

JWT body example:

{
  "iss": "JWTClientCredentials",
  "sub": "JWTClientCredentials",
  "aud": "https://fhir.careevolution.com/Master.Adapter1.WebClient/identityserver/connect/token",
  "jti": "dffcd1b7-7633-4324-9e65-4729ef893afa",
  "exp": 1637709663
}

Please note that the example above is valid only for the pre-configured sandbox. In a production environment you will provide either the certificate (public key) or the JWKS to use, you will receive the corresponding client ID, and you must use those when requesting the access token. kid and x5t remain optional; if specified, they must match the provided certificate (use x5t) or one of the keys in the JWKS (use kid).
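Putting the pieces together, as an added example (not code from this page): a Go program that builds the client assertion with the sandbox claims above, signs it with RS384, and assembles the token request body. The signing key is generated at run time instead of the sandbox key, and the request parameter names (grant_type, client_assertion_type, client_assertion, scope) are assumed from SMART Backend Services, as the page does not list them.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"time"
)
// Client ID and audience are the page's sandbox values; the signing key is generated in main, not the page's key.
const tokenEndpoint = "https://fhir.careevolution.com/Master.Adapter1.WebClient/identityserver/connect/token"
const clientID = "JWTClientCredentials"
var enc = base64.RawURLEncoding // JWS segments are unpadded base64url

// BuildAssertion signs {iss,sub,aud,jti,exp} with RS384 (RSASSA-PKCS1-v1_5 over SHA-384); kid/x5t are optional and omitted.
func BuildAssertion(key *rsa.PrivateKey, jti string, exp int64) (string, error) {
	hb, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "RS384"})
	cb, _ := json.Marshal(map[string]any{"iss": clientID, "sub": clientID, "aud": tokenEndpoint, "jti": jti, "exp": exp})
	input := enc.EncodeToString(hb) + "." + enc.EncodeToString(cb)
	digest := sha512.Sum384([]byte(input)) // the signature covers the base64url text, not the raw JSON
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA384, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// TokenRequestBody is the form body POSTed to the token endpoint; parameter names follow SMART Backend Services (assumed, the page does not list them).
func TokenRequestBody(assertion, scope string) string {
	return url.Values{
		"grant_type":            {"client_credentials"},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion},
		"scope":                 {scope},
	}.Encode()
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo key, not the sandbox key
	exp := time.Now().Add(5 * time.Minute).Unix() // keep the lifetime short; SMART allows at most five minutes
	tok, err := BuildAssertion(key, "dffcd1b7-7633-4324-9e65-4729ef893afa", exp) // jti from the page; use a fresh UUID per request
	if err != nil {
		panic(err)
	}
	fmt.Println(TokenRequestBody(tok, "system/*.read"))
}
```

The printed body is what goes in an HTTP POST to the token endpoint with Content-Type application/x-www-form-urlencoded; the sandbox's public certificate above can be used to confirm the signature before sending.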