# Endpoint overview
All endpoints must be called via HTTPS. Regarding the state parameter:
- Due to browser GET limits and server-side POST limits (for security), avoid overly long values. Up to ~255 characters is fine.
- Only use characters that won’t be mangled by differing encodings/charsets between client and server or affected by security measures like XSS protection. As a rule of thumb, stick to `a-z`, `A-Z`, `0-9`, and the special characters `-+,.=_`.

TLS 1.2 and TLS 1.3 (recommended) are supported.

| Endpoint | Description |
|---|---|
| Authorization endpoint | Start the OAuth Authorization Code flow. Use this endpoint to redirect users to DocCheck for authentication; you will receive an authorization code on successful login. Ensure client_id, redirect_uri and scope are correctly set and redirect_uri is URL-encoded. |
| Access token endpoint | Exchange the authorization code (code) you received from the login redirect for an access token. The access token is valid for 1 hour. The refresh token is valid for 180 days. |
| User data endpoint | Retrieve user data with the access token. Values are HTML-encoded (`K&ouml;ln` for "Köln"). For JSON encoding, add `dc_oauth_format=json` to the request. Return values: Overview. |
| Refresh token endpoint | Retrieve a new access token using a refresh token. |
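
For the state parameter limits described at the top of this page, the following added example (not DocCheck code) builds a signed state value that carries application context while staying within ~255 characters and the recommended character set, and rejects out-of-policy or tampered values on the callback. The `<nonce>.<payload>.<mac>` layout, the function names and the reading of the special characters as `- + , . = _` are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, re

STATE_MAX_LEN = 255  # upper bound from the guidance above
# Assumption: the special characters listed above are - + , . = _
STATE_ALLOWED = re.compile(r"[A-Za-z0-9+,.=_-]+")

def _b64(data: bytes) -> str:
    # URL-safe base64 emits only A-Z a-z 0-9 - _ =, all inside the allowed set.
    return base64.urlsafe_b64encode(data).decode("ascii")

def _mac(key: bytes, body: str) -> str:
    return _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())

def make_state(key: bytes, session_nonce: str, context: dict) -> str:
    """Build <nonce>.<payload>.<mac> (hypothetical layout) within the limits."""
    payload = _b64(json.dumps(context, separators=(",", ":")).encode("utf-8"))
    body = f"{session_nonce}.{payload}"
    state = f"{body}.{_mac(key, body)}"
    if len(state) > STATE_MAX_LEN or not STATE_ALLOWED.fullmatch(state):
        raise ValueError("state exceeds the length or character limits")
    return state

def check_state(key: bytes, session_nonce: str, returned: str):
    """Return the decoded context, or None when the callback state is rejected."""
    if len(returned) > STATE_MAX_LEN or not STATE_ALLOWED.fullmatch(returned):
        return None
    parts = returned.split(".")
    if len(parts) != 3:
        return None
    nonce, payload, mac = parts
    # Constant-time comparisons: integrity first, then binding to this session.
    if not hmac.compare_digest(mac, _mac(key, f"{nonce}.{payload}")):
        return None
    if not hmac.compare_digest(nonce, session_nonce):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))
```

Generate `session_nonce` per login attempt (for example with `secrets.token_urlsafe(16)`) and store it in the user's session before redirecting to the authorization endpoint.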