VeevaID provides single sign-on and digital identity across all Veeva clinical sponsor and partner applications. With VeevaID, clinical research sites can easily access systems across multiple sponsors and studies for increased efficiency and speed.
VeevaID is an identity provider that provides authentication using the OAuth 2.0 Authorization Code Flow with Proof Key for Code Exchange (PKCE). The VeevaID API allows partners to authenticate users using their VeevaID credentials.
Users must first register for a VeevaID and then interact with your application.
The VeevaID API allows partners to integrate with VeevaID. By integrating with VeevaID, site personnel can log in to all Veeva partner applications with no additional username or password required.
Register your application with Veeva. To register, you must email productpartner@veeva.com with the information specified below.
Once provided, Veeva will provide you with a client_id which you will use to make API calls.
In your registration request email, use the subject VeevaID Partner Program | Application Name and include the following information:
Name | Type | Description |
---|---|---|
app_name | Text (256) | Your Application Name, used for branding the VeevaID login screen. For example: |
app_png_logo_url | Text (1024) | The URL of your application logo in PNG format, for use on Veeva’s partners website. Max width: 300 px. |
app_short_description | Text (256) | A short description of your application for use on Veeva’s partners website. |
app_home_url | Text (1024) | The URL to send users to when they click your logo on Veeva’s partners website. |
oauth_redirect_urls | Text (1024) | Tells the authorization server where to send the user after they approve the request. This is where the user lands after clicking Quick entry with VeevaID. The redirect URL must be an exact match – regular expression schemes are not allowed. |
We’ll be using the Authorization Code Grant Flow, suitable for web applications running on the server-side, as well as with mobile and client-side applications (using the PKCE extension).
GET https://id.veeva.com/auth/authorize
Name | Description |
---|---|
Accept | application/json (default) or application/xml |
Name | Description |
---|---|
client_id | The unique identifier for your application which grants access to the VeevaID APIs; obtained once Veeva approves your registration request. |
response_type | Value must be code . This tells the VeevaID authorization server that the application is initiating OAuth’s Authorization Code Grant Flow. |
code_challenge | Hashed value of the code_verifier, computed with the code challenge method. For more information, refer to OAuth’s PKCE extension documentation. |
code_challenge_method | Value must be S256 , indicating a Base64URL encoded SHA-256 hash will be applied on the code verifier. |
scope | Value must be vidauth . This value is defined by Veeva and indicates which permissions the application is requesting. |
redirect_uri | Application callback URL receiving the authorization code. Must exactly match a redirect URL registered for the application client (oauth_redirect_urls). Query parameters are not allowed. |
state | A unique, randomly generated, opaque, and non-guessable String generated by your application and sent when starting this authentication request. Your application should then check that the same value is returned from the authorization server. This is critical to prevent cross-site request forgery attacks (CSRF). |
The URL should be constructed dynamically:
$ curl -X GET "https://id.veevadev.com/auth/authorize?\
client_id=YOUR_APP_ID\
&response_type=code\
&redirect_uri=https%3A%2F%2Fexample.org%2Fcallback\
&scope=vidauth\
&state=xcoiv98y2kd22vusuye3kch\
&code_challenge=xxxxT8X2jffuTgXg8IVy5sAzjw-8C3a4RC1xGoaWCAY\
&code_challenge_method=S256"
After the user has authorized your application, you will receive a code. The next step is to exchange that code for a user access token. This request is typically invoked from the server-side.
POST https://id.veeva.com/auth/token
Name | Description |
---|---|
Accept | application/json (default) or application/xml |
Name | Description |
---|---|
grant_type | Value must be authorization_code . |
code | The authorization code value received from the /authorize Authorization request. |
client_id | The unique identifier for your application which grants access to the VeevaID APIs; obtained once Veeva approves your registration request. |
redirect_uri | Must be the same redirect URL which was passed to the /authorize Authorization request. |
code_verifier | The code verifier for this PKCE request, which your application generated before the /authorize Authorization request. |
$ curl -X POST "https://id.veeva.com/auth/token?\
grant_type=authorization_code\
&code=xxxxpcdC3J68Q-MbSRLu18un5bnKOxhIETCz7inxPw8\
&redirect_uri=https%3A%2F%2Fexample.org%2Fcallback\
&code_verifier=xxxxE94-9n_bS_ygjh0mCj0neTeI-rK3rIguAFhDIsw\
&client_id=YOUR_APP_ID"
{
"access_token":"XXxXFkS4tmvI_cEkn3Pm5JFylE7arbYWGbj0P3WwOaU",
"token_type":"Bearer",
"expires_in":1800
}
Once your application has a valid access token, you can introspect the user information.
GET https://id.veeva.com/auth/user_info
Name | Description |
---|---|
Accept | application/json (default) or application/xml |
$ curl -X GET -H "Authorization: Bearer xxxxng5AHN5E3yn4IptXFKP7xzVTtnrZq87l50t4blI" \
https://id.veevadev.com/auth/user_info
{
"sub": "1437275311",
"primary_email": "bill.bokey@veepharm.com",
"language": "en",
"vuid": 1437275311,
"first_name": "Bill",
"last_name": "Bokey",
"phone_code": "33",
"phone_number": "6503043535",
"secondary_email": ""
}
The JSON response contains information about the user. For example, sub (subject) is the user’s VeevaID.