REST APIs overview

Authentication

All requests to QuickCase's APIs must be authenticated or they will be rejected with a 401 response code.

QuickCase supports 2 types of authenticated requests.

User authentication

User authentication uses OpenID Connect and is required for requests executed on behalf of an authenticated QuickCase user.

The request must have a valid OAuth2 access token passed in an Authorization header with type Bearer:

Authorization: Bearer <access-token>

Furthermore, the access token must have the scope openid so that the user info can be retrieved from the Authorisation Server.

QuickCase will authenticate the request as follows:

  1. Validate the access token (existence, signature, validity)
  2. Check presence of openid scope
  3. Fetch user info from Authorisation Server using the access token

The user info will then be used to authorise the request against QuickCase's security model.

Client authentication

Client authentication uses OAuth2 Client Credentials grant and is required for requests which are not in the context of a specific user, such as scheduled operations or automated processes.

The request must have a valid OAuth2 access token passed in an Authorization header with type Bearer:

Authorization: Bearer <access-token>

Caution: The access token must not have the scope openid, otherwise it will be incorrectly identified as user authentication.

QuickCase will authenticate the request as follows:

  1. Validate the access token (existence, signature, validity)
  2. Check absence of openid scope

With client authentication, QuickCase will use the access token scopes as the roles used to authorise the request against QuickCase's security model.
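
The two authentication paths above can be checked from the integrator's side before a token is sent. The following is an added example, not QuickCase code: it assumes the access token is a JWT with a `scope` claim (space-delimited string or list), reads that claim without verifying the signature, and reports which path the rules above would select. Function names and sample scope values are hypothetical.

```python
import base64
import json

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_scopes(access_token):
    """Read scopes from a JWT payload WITHOUT verifying it (diagnostic only)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    claims = json.loads(b64url_decode(parts[1]))
    raw = claims.get("scope", [])  # assumption: scopes live in the `scope` claim
    return set(raw.split() if isinstance(raw, str) else raw)

def classify(access_token):
    """Predict the authentication path from presence or absence of openid."""
    scopes = token_scopes(access_token)
    if "openid" in scopes:
        # User path: authorisation is based on fetched user info, not scopes.
        return {"mode": "user", "roles": None}
    # Client path: the token's scopes are used as the roles.
    return {"mode": "client", "roles": sorted(scopes)}

def check_expected(access_token, expected_mode):
    """Return the problems to fix before calling the API with this token."""
    result = classify(access_token)
    problems = []
    if result["mode"] != expected_mode:
        problems.append(
            f"token would be treated as {result['mode']} authentication, "
            f"expected {expected_mode}")
    if result["mode"] == "client" and not result["roles"]:
        problems.append("client token has no scopes, so it carries no roles")
    return problems

def make_token(claims):
    # Constructed sample token with a placeholder signature, for offline use.
    def enc(obj):
        data = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    # Client-credentials token that wrongly carries openid (constructed).
    bad = make_token({"sub": "svc", "scope": "openid role-a"})
    print(check_expected(bad, "client"))
```

This is a client-side diagnostic only; it does not replace the server-side signature and validity checks listed above.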

Versioning

QuickCase's APIs are versioned using vendor-specific MIME types. To protect integrations from breaking changes in APIs, an explicitly versioned MIME type should always be specified via the Accept header, for example:

Accept: application/vnd.app.quickcase.store.data.api.case.v2+json

API Release cycle

Breaking changes to the APIs will only be introduced as part of a new major version of QuickCase and under a new API version. Previous API versions will be preserved and flagged as deprecated for at least 1 major version before being removed.