Authentication overview

MyVaccination offers authentication mechanisms designed to secure access to its platform and underlying APIs, supporting the management of vaccination programs and digital health records. Given its focus on healthcare organizations, the authentication framework prioritizes data confidentiality and integrity, adhering to regulations such as GDPR (MyVaccination Help Center). The system is engineered to facilitate secure integrations with existing healthcare IT infrastructure, ensuring that only authorized entities can access or modify sensitive vaccination data.

The authentication process for MyVaccination primarily serves two scenarios:

  • User Authentication: For healthcare professionals accessing the MyVaccination platform directly through a web interface or dedicated application. This typically involves username/password combinations, often augmented with multi-factor authentication (MFA).
  • System-to-System Authentication: For programmatic access by integrated applications, such as electronic health record (EHR) systems, inventory management tools, or reporting platforms. This relies on API keys or OAuth 2.0 flows to establish trust and authorize data exchange without direct user intervention.

The choice of authentication method depends on the integration's nature, the level of access required, and the security posture of the integrating system. MyVaccination's approach to authentication is part of its broader security strategy, which includes data encryption, access controls, and regular security audits, as detailed in its help documentation.

Supported authentication methods

MyVaccination supports several authentication methods to accommodate various integration needs and security requirements. These methods are chosen to ensure both robust security and operational flexibility for healthcare providers and their IT systems.

API Key Authentication

API keys are unique identifiers used to authenticate a user, developer, or calling program to an API. When making requests to MyVaccination APIs, an API key is typically included in the request header or as a query parameter. This method is suitable for server-to-server integrations where a specific application needs consistent, programmatic access to MyVaccination resources. API keys offer a straightforward authentication mechanism, but their security relies heavily on secure storage and transmission practices (Google Maps API Key FAQ). MyVaccination documentation provides guidance on how to manage and rotate API keys effectively (MyVaccination Help Center).

OAuth 2.0

OAuth 2.0 is an authorization framework that enables an application to obtain limited access to a user's protected resources without exposing the user's credentials. Instead, the application obtains an access token, which is a credential representing the authorization granted by the user. This method is particularly relevant for MyVaccination when integrating with third-party applications that need to access user-specific data or perform actions on behalf of a user. OAuth 2.0 provides a more granular and secure way to manage permissions compared to API keys, especially in scenarios involving user delegation (OAuth 2.0 Specification).

MyVaccination's implementation of OAuth 2.0 supports standard flows such as the Authorization Code Grant, which is recommended for confidential clients (e.g., server-side applications) due to its enhanced security features. Implicit Grant and Client Credentials Grant may also be supported for specific use cases, with detailed guidance available through direct vendor engagement (MyVaccination Help Center).

Multi-Factor Authentication (MFA)

While not a standalone authentication method, MFA enhances the security of username/password and other credential-based authentications. MyVaccination strongly encourages and, in some configurations, mandates MFA for administrative and clinical users accessing the platform directly. MFA typically involves a combination of something the user knows (password), something the user has (a mobile device for a one-time code), and/or something the user is (biometrics). This significantly reduces the risk of unauthorized access even if primary credentials are compromised.

Summary of Authentication Methods

Method                            | When to Use                                                                                          | Security Level
API Key Authentication            | Server-to-server integrations, programmatic access for specific applications.                        | Moderate to High (depends on secure key management).
OAuth 2.0                         | Third-party applications requiring delegated access to user resources; granular permission control.  | High (framework for secure delegated authorization).
Multi-Factor Authentication (MFA) | Enhancing user login security for direct platform access.                                            | Very High (adds layers of verification).

Getting your credentials

Obtaining the necessary authentication credentials for MyVaccination integrations is a process managed through the MyVaccination administrative portal or via direct engagement with the MyVaccination support and integration teams. The specific steps vary depending on the type of credential required (API Key or OAuth 2.0 client credentials) and the nature of your organization's agreement with MyVaccination.

For API Keys:

  1. Access the Admin Portal: Authorized administrators within your organization will typically access the MyVaccination administrative portal.
  2. Navigate to API Settings: Within the portal, there will be a section dedicated to API or integration settings.
  3. Generate API Key: Follow the on-screen instructions to generate a new API key. It is crucial to note and securely store this key immediately, as it may only be displayed once for security reasons.
  4. Configure Permissions: Assign appropriate permissions and scopes to the API key to ensure it only has access to the necessary resources. Over-privileging API keys is a common security vulnerability.
  5. Key Rotation: Establish a regular schedule for rotating API keys to minimize the impact of a compromised key.

For OAuth 2.0 Client Credentials:

For integrations requiring OAuth 2.0, the process typically involves registering your application with MyVaccination as an OAuth client. This usually requires more detailed setup and may involve direct consultation with MyVaccination's integration specialists (MyVaccination Help Center).

  1. Application Registration: Provide details about your integrating application, including its name, redirect URIs, and intended use cases. This may occur within a dedicated developer portal or through direct communication with MyVaccination.
  2. Obtain Client ID and Client Secret: Upon successful registration, your application will be issued a Client ID and a Client Secret. The Client ID is public, but the Client Secret must be kept confidential and secure, similar to a password.
  3. Define Scopes: Specify the data access permissions (scopes) your application requires. MyVaccination will review these to ensure they align with the principle of least privilege.
  4. Implement OAuth Flow: Integrate the chosen OAuth 2.0 flow (e.g., Authorization Code Grant) into your application, using the provided Client ID, Client Secret, and redirect URIs.

For all credential types, MyVaccination's official documentation and support channels are the primary resources for detailed, step-by-step guidance on credential acquisition and management.
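The registration steps above end with implementing the chosen flow. As an added example (not MyVaccination's own code), here is the client side of the Authorization Code Grant for a confidential client, using only the Python standard library; the authorization and token endpoint URLs are assumed placeholders, since the page publishes none, and the state check and Basic client authentication are the standard protections for this flow.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder endpoints: the page does not publish MyVaccination's OAuth URLs.
AUTHORIZE_URL = "https://auth.myvaccination.example/oauth2/authorize"
TOKEN_URL = "https://auth.myvaccination.example/oauth2/token"


def build_authorization_url(client_id, redirect_uri, scopes):
    """Step 1: build the URL the user is sent to. Returns (url, state).

    The caller keeps `state` in the user's session so the callback can be
    tied to the request that started it (CSRF protection on the redirect).
    """
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must match a registered redirect URI
        "scope": " ".join(scopes),     # request only the scopes you registered
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def extract_code(callback_url, expected_state):
    """Step 2: parse the redirect back to redirect_uri; reject a bad state."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to our request")
    if "error" in query:
        raise ValueError(f"authorization refused: {query['error'][0]}")
    return query["code"][0]


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Step 3: exchange the code for tokens. Returns (url, headers, body).

    The client secret travels in an HTTP Basic header over TLS
    (RFC 6749 section 2.3.1), never in a redirect or a query string.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})
    return TOKEN_URL, headers, body
```

The access token returned by the token endpoint is then sent as a Bearer credential exactly as in the request example later on this page.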

Authenticated request example

While the exact API endpoints and request structures for MyVaccination are specific to each integration and typically provided during direct vendor engagement, we can illustrate a conceptual authenticated request using a common method like an API Key in a Bearer token header. This example assumes you have obtained an API key for your integration.

Scenario: Retrieving a patient's vaccination record using an API key.

Request Details:

  • Method: GET
  • Endpoint: https://api.myvaccination.org.uk/v1/patients/{patientId}/vaccinations (conceptual)
  • Headers:
    • Authorization: Bearer YOUR_API_KEY
    • Accept: application/json

curl -X GET \
  'https://api.myvaccination.org.uk/v1/patients/PATIENT12345/vaccinations' \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer YOUR_API_KEY'

In this example:

  • YOUR_API_KEY would be replaced with the actual API key provided to your organization by MyVaccination.
  • The Authorization: Bearer header is the standard way to transmit API keys or access tokens. It marks the credential as a bearer token: whoever presents it is granted access, so the key or token must be protected in transit and at rest.
  • The Accept: application/json header indicates that the client prefers a JSON response.

For OAuth 2.0, after successfully completing an authorization flow and obtaining an access token, the request structure would be very similar, with YOUR_API_KEY replaced by the OAuth 2.0 access token:

curl -X GET \
  'https://api.myvaccination.org.uk/v1/patients/PATIENT12345/vaccinations' \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer YOUR_OAUTH_ACCESS_TOKEN'

Always refer to the specific API documentation and integration guides provided by MyVaccination for the precise format and required headers for your authenticated requests (MyVaccination Help Center).

Security best practices

Adhering to security best practices is paramount when integrating with MyVaccination, especially given the sensitive nature of vaccination and health data. Implementing these practices helps protect against unauthorized access, data breaches, and compliance violations.

Credential Management

  • Secure Storage: Never hardcode API keys or client secrets directly into your application code. Use environment variables, secure configuration files, or dedicated secret management services (e.g., AWS Secrets Manager, Azure Key Vault) (AWS Secrets Manager documentation).
  • Least Privilege: Grant credentials (API keys, OAuth tokens) only the minimum necessary permissions required for their intended function. Periodically review and adjust these permissions.
  • Regular Rotation: Implement a policy for regularly rotating API keys and OAuth client secrets. This limits the window of opportunity for attackers if a credential is compromised.
  • Audit Trails: Maintain detailed logs of when and by whom credentials are created, modified, or revoked.

Secure Communication

  • HTTPS/TLS: Always ensure all communication with MyVaccination APIs occurs over HTTPS (TLS). This encrypts data in transit, protecting it from eavesdropping and tampering. MyVaccination APIs enforce HTTPS.
  • Certificate Validation: Implement proper SSL/TLS certificate validation in your client applications to prevent man-in-the-middle attacks.

Application Security

  • Input Validation: Validate all data input to your application before sending it to MyVaccination APIs to prevent injection attacks and ensure data integrity.
  • Error Handling: Implement robust error handling that avoids revealing sensitive information in error messages.
  • Logging and Monitoring: Log API requests and responses (excluding sensitive data) and monitor for unusual activity, failed authentication attempts, or excessive data access patterns.
  • Dependency Management: Keep all libraries and frameworks used in your integration up to date to patch known vulnerabilities.
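As an added example tying the credential, communication and application practices above together (not MyVaccination's own code), here is a Python client for the GET shown in the curl example: it reads the API key from an environment variable instead of source code, refuses non-HTTPS URLs, validates the server certificate, redacts the bearer credential before it can reach a log line, and reports failures by status code without echoing response bodies. The base URL is the conceptual endpoint from this page; the environment variable name is an assumption.

```python
import logging
import os
import re
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Base URL is the conceptual endpoint shown on this page; the env var name is assumed.
BASE_URL = "https://api.myvaccination.org.uk/v1"
KEY_ENV_VAR = "MYVACCINATION_API_KEY"
BEARER_RE = re.compile(r"(Bearer\s+)[A-Za-z0-9._~+/=-]+")

def load_api_key(env_var=KEY_ENV_VAR):
    """Read the key from the environment, never from source code or a repository."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; refusing to run without a key")
    return key

def build_request(path, api_key, base_url=BASE_URL):
    """Build the GET from the curl example; refuse anything but HTTPS."""
    url = f"{base_url.rstrip('/')}/{path.lstrip('/')}"
    if urlparse(url).scheme != "https":
        raise ValueError("plaintext HTTP is not allowed for MyVaccination APIs")
    return url, {"Accept": "application/json", "Authorization": f"Bearer {api_key}"}

def redact(text):
    """Replace any bearer credential before the text reaches a log line."""
    return BEARER_RE.sub(r"\1[REDACTED]", text)

def fetch_vaccinations(patient_id, api_key, timeout=10):
    """Perform the request with certificate validation and non-leaking errors."""
    url, headers = build_request(f"patients/{patient_id}/vaccinations", api_key)
    # create_default_context() verifies the certificate chain and the hostname.
    ctx = ssl.create_default_context()
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            logging.info("GET %s -> HTTP %s", url, resp.status)
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        # Status code only: the body may contain patient data or server internals.
        logging.warning("GET %s -> HTTP %s", url, err.code)
        raise RuntimeError(f"MyVaccination request failed: HTTP {err.code}") from None

if __name__ == "__main__":
    print(fetch_vaccinations("PATIENT12345", load_api_key()))
```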

Compliance and Privacy

  • GDPR Adherence: Understand and comply with GDPR principles regarding data processing, storage, and subject rights, as MyVaccination itself is GDPR compliant (MyVaccination Help Center).
  • Data Minimization: Only request and store the minimum amount of patient data necessary for your application's function.
  • Consent Management: Ensure that appropriate consent mechanisms are in place for processing personal health information, where applicable.

By diligently applying these security best practices, organizations can significantly enhance the security posture of their MyVaccination integrations, safeguarding sensitive health data and maintaining trust.