Authentication

API keys for firm usage and OAuth for third-party integrations

The API uses Bearer Authentication via HTTP headers, secured over TLS:

curl -H 'Authorization: Bearer <token>' ...

The same Authorization: Bearer <token> header is used for both authentication methods below — the API determines the type automatically.


Choosing an authentication method

If you're a firm calling the API directly (internal scripts or integrations between Firmcheck and your CRM, practice management software, or other tools): use an API key.

If you're a third-party application acting on behalf of one of our users (partner products, marketplace integrations, or workflow tools like Zapier): use OAuth 2.0.

API keys

API keys are generated through the Firmcheck application.

Go to "Firm settings > API services".

When generating the key, you can give it a name and an expiration date.

Keys can also be manually revoked.


OAuth 2.0

OAuth is for third-party applications acting on behalf of a Firmcheck user.


Setting up an OAuth integration? Please contact us to register your application. We'll provide your client ID and add your callback URL(s) to the allowlist before you can complete the flow.

The flow follows the standard OAuth 2.0 Authorization Code grant with PKCE (RFC 7636); access tokens are issued as OpenID Connect JWTs.

Authorization URL: https://auth.firmcheck.com/oauth2/authorize
Token URL: https://auth.firmcheck.com/oauth2/token
Required scope: openid https://api.firmcheck.com/api:full
PKCE method: S256
Client ID: provided during onboarding
Callback URL: registered during onboarding

Once a user has authorised your application, the resulting access token is sent as a bearer token in the same Authorization header used for API keys:

curl -H 'Authorization: Bearer <access_token>' ...
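The Authorization Code + PKCE flow described above, as an added example (not a Firmcheck SDK or code from this page): it generates the code verifier and S256 challenge per RFC 7636, builds the authorize URL against the endpoints and scope listed above, checks the state on the callback, prepares the token-endpoint request body, and produces the Bearer header used for API calls. The client ID and callback URL are placeholders for the values you receive during onboarding, and the example assumes a public client identified by client ID only (the page mentions no client secret).

```python
"""Authorization Code + PKCE (S256) helpers for the Firmcheck OAuth endpoints.

Added example, not Firmcheck's own code. Assumptions: public client (client ID
only, no secret); CLIENT_ID and REDIRECT_URI below are placeholders for the
values provided and registered during onboarding.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.firmcheck.com/oauth2/authorize"  # from the page
TOKEN_URL = "https://auth.firmcheck.com/oauth2/token"          # from the page
SCOPE = "openid https://api.firmcheck.com/api:full"            # from the page

CLIENT_ID = "client-id-placeholder"                 # placeholder: issued at onboarding
REDIRECT_URI = "https://example.com/oauth/callback"  # placeholder: registered at onboarding


def _b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 s4.1: 43-128 unreserved chars from a CSPRNG.
    32 random bytes base64url-encode to exactly 43 characters."""
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_state() -> str:
    """Unguessable per-request state to bind the callback to this request."""
    return _b64url(secrets.token_bytes(16))


def build_authorize_url(verifier: str, state: str,
                        client_id: str = CLIENT_ID,
                        redirect_uri: str = REDIRECT_URI) -> str:
    """URL to send the user to; only the challenge leaves the client."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": SCOPE,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def query_params(url: str) -> dict:
    """Single-valued query parameters of a URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code, rejecting a missing or mismatched state
    and surfacing an error response from the authorization server."""
    qs = query_params(callback_url)
    if qs.get("state") != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale request")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error']}")
    return qs["code"]


def build_token_request(code: str, verifier: str,
                        client_id: str = CLIENT_ID,
                        redirect_uri: str = REDIRECT_URI) -> tuple:
    """Form body for the token endpoint; the verifier proves we began the flow."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }
    return TOKEN_URL, body


def bearer_header(access_token: str) -> dict:
    """Same header shape as the curl examples above."""
    return {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    verifier, state = make_code_verifier(), make_state()
    print("Send user to:", build_authorize_url(verifier, state))
    # After redirect back, pass the full callback URL to parse_callback(),
    # then POST the body from build_token_request() to TOKEN_URL.
```

The verifier and state must be kept on the client for the life of the request (server-side session or equivalent), and the verifier is only ever sent to the token endpoint, never in the authorize URL.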