Cryos API documentation - Security
At Cryos, we place a strong emphasis on security. We expose sensitive data that must not be accessible to just anyone. Additionally, we want to ensure that if anything happens, we can trace each incoming request. To maximize the security of our APIs, various security policies have been configured. While we won't disclose the specifics of how these are set up for Cryos, we can provide a brief explanation of what they are as well as their core functionality.
Rate limiting
As mentioned in the Rate Limiting section, our APIs have a dedicated rate limit of 24 requests per 60 seconds per key, meaning that each user can make 24 requests per minute. When this limit is reached, the requester is blocked and has to wait 60 seconds. Rate limiting in Azure API Management controls the amount of incoming traffic to an API to ensure reliable performance, prevent abuse, and protect backend systems from being overwhelmed. It prevents a single client from monopolizing the API's resources at the expense of others. We also have a specific request quota per day, which should be sufficient for now. The more users there are using our APIs, the bigger the quota will be; we will make sure it is updated.
Disclaimer: If you are experiencing any problems with performance, or slow response, please do not hesitate to reach out to us.
Correlation-ID
For better assistance with any issues you encounter while requesting data, we have added a correlation ID at the time of the request. By using the correlation ID, we can track each request made by the user. These requests will, of course, not exist forever, so it is very important that you save the correlation ID when the request that gives the error is made.

Blocking access to the platform
If we determine that you are misusing the APIs by spamming them, or if you are trying to connect without a subscription key, we reserve the right to block your IP address without notice. We will accept users trying to request data without a proper user with a subscription key. We will contact you if we observe any misuse of the APIs. If you, as a user, are non-responsive, we will pause the account.
Access
For the delivery note API, you will need a separate API key / clinic key from the clinic in order to request data. This applies to APIs that deal with highly sensitive data. If the other APIs are expanded with more sensitive data than they carry today, we will make the clinic key a required field for those as well. To get a clinic key, please contact us at [email protected] and tell us which clinic you wish to retrieve package lists from (deliveryNote API); we will then generate a clinic key / API key for you. Please note that sharing this key between multiple persons is strictly forbidden; the key should only be used in your internal software system distributing data to clinics (the EMR system).
Error handling request header
When requesting data, in some cases you will not receive a correlation ID because the error is self-explanatory and straightforward, such as a 401 HTTP code (Unauthorized). Instead, the response will provide you with a number of error messages in the header. Once again, please provide screenshots if you are reaching out regarding any issues you were unable to solve by yourself, like this one.
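A client integration can stay under the limit from the Rate limiting section and keep the details asked for in the Correlation-ID and error handling sections. The following is an added example, not Cryos code: the header name `x-correlation-id`, the list of headers to withhold, and all function and class names are assumptions, since the page does not name them.

```python
import time
from collections import deque

MAX_REQUESTS = 24      # from the page: 24 requests ...
WINDOW_SECONDS = 60.0  # ... per 60 seconds per key
CORRELATION_HEADER = "x-correlation-id"  # assumed name; the page does not give it
# Headers never to put in a support record. The second is Azure API Management's
# default key header; whether Cryos uses that name is not stated on the page.
SECRET_HEADERS = {"authorization", "ocp-apim-subscription-key", "set-cookie"}


class SlidingWindowThrottle:
    """Client-side guard that keeps one key under the documented limit."""

    def __init__(self, limit=MAX_REQUESTS, window=WINDOW_SECONDS, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.sent = deque()  # send times still inside the window

    def wait_time(self):
        """Seconds until the next request is safe to send (0.0 means now)."""
        now = self.clock()
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()
        if len(self.sent) < self.limit:
            return 0.0
        return self.window - (now - self.sent[0])

    def record(self):
        """Call right before sending a request."""
        self.sent.append(self.clock())


def support_record(status, headers, when):
    """Return what to keep for a support request, or None on success.

    Keeps the correlation ID when the response has one; otherwise keeps the
    response headers (the 401 case), minus anything credential-bearing.
    """
    if status < 400:
        return None
    lowered = {name.lower(): value for name, value in headers.items()}
    record = {"status": status, "time": when}
    if lowered.get(CORRELATION_HEADER):
        record["correlation_id"] = lowered[CORRELATION_HEADER]
    else:
        record["headers"] = {k: v for k, v in lowered.items()
                             if k not in SECRET_HEADERS}
    return record
```

Sleep for `wait_time()` before each call and store the returned record at the moment of the failure, because the server-side trace for a correlation ID is not kept forever.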
