Participant Access Tokens

To guard against unauthorized use, MyDataHelps requires an access token. When using one of the MyDataHelps SDKs within MyDataHelps (e.g., in a Web View Step or a MyDataHelps App), the access token is managed for you; you don’t need to do anything. However, when using a MyDataHelps Embeddable to access the system outside of MyDataHelps, you will need to manage the participant’s access token yourself.

Participant Access Tokens vs Service Access Tokens

RKStudio has two different types of access tokens:

  • Service access tokens are associated with a service account. Server-to-server applications use them with the REST API to access project resources from an administration standpoint.
  • Participant access tokens are associated with a single participant. Client applications use them with the SDK to access data for a single participant.

Since MyDataHelps Apps, Embeddables, and Web View steps always take place within the context of a particular user, a participant-specific token limits access to just that participant’s data.

Obtaining a Participant Access Token

To obtain a participant access token, your app must first obtain a service token. See REST API Authentication for details. This lets the system verify that your app is authorized to request tokens on a participant’s behalf.

Once you have a service token, make a second request to the same token endpoint:

POST https://rkstudio.careevolution.com/inv/identityserver/connect/token

Include the following fields:

Field Meaning Value
scope The scope of access being requested. api
grant_type The type of access being requested. delegated_participant
participant_id The participant’s globally-unique identifier. a participant identifier
client_id Identifies the requesting application. RKStudio.DelegatedParticipant
client_secret A code associated with the requesting application. secret
token The service token. your service token

Default values are used for client ID and client secret because the service token identifies your application and acts as a secret key.

If the token request is successful, the server’s response will include the following data:

Field Meaning
access_token The alphanumeric access token.
expires_in When the token expires (in seconds).
token_type Bearer