
SPHINX Application Programming Interface for Third Parties

The SPHINX architecture consists of five building blocks whose components work both independently and collaboratively. The Third-party APIs block enables third-party healthcare solution providers to access and interact with the SPHINX toolkit.

In this context, the SPHINX Application Programming Interface for Third Parties (S-API) enables third-party solution providers to access and interact with the SPHINX Platform and its components. Subject to authentication and authorisation, and using end-to-end encryption, S-API exposes advanced cyber security functionalities implemented by SPHINX components, such as device/application certification, threat registry notification and anomaly detection. The third-party interface specification for each component is presented in the respective component subsection. The S-API concept is presented below:

A particularly important feature of S-API is the delivery of SPHINX device certification functionalities to third parties. Specifically, S-API may be used by medical device manufacturers (constrained hardware running specialised software or firmware) and software service providers (specialised software applications and solutions) to access the SPHINX Sandbox and receive assurance that their devices and services are SPHINX-compliant and certified, and are therefore trusted assets in a SPHINX-secured information technology (IT) ecosystem.

Architectural Overview

SPHINX provides an open API for third parties, making its advanced cybersecurity functionalities and cyber certification capabilities available to them. This API provides a set of calls to invoke specific actions. The API calls should be well documented and open, so that third parties can integrate them easily. Via the API, third parties will be able to discover which SPHINX services are available.

To maximise interoperability and ease of integration, the interface specification follows OpenAPI, using the Swagger toolset. Moreover, SPHINX supports the following types of interfaces with third-party components:

  • JavaScript Object Notation (JSON) data format (RFC 8259);
  • Web services based on the REpresentational State Transfer (REST) architecture, allowing devices to access services from the SPHINX Sandbox;
  • OAuth 2.0 as the authorisation framework (RFC 8252 and RFC 6750).

The architecture choice is designed to fully decouple the third-party component from SPHINX.

The high-level architecture for the S-API is presented in the following depiction.

The S-API component provides the following primary functions:

  • Administration and Management of the S-API, allowing administrators to manage third-party users, grant/revoke access and define service levels (e.g., permission to use a service, number of requests allowed) according to a third-party profile. This function is also used to define subscription plans for third parties, each involving specific features and cost models (e.g., free, pay-per-use, monthly rate).
  • Third-Party Management Functions, allowing third-party users to create and manage their account, provide information concerning their entity (personal, business or both) and select the appropriate subscription plan. Third parties can also delete their account (and all associated data) at any time.
  • Third-Party Service Access Functions, allowing third-parties to programmatically access functionalities provided by SPHINX services, including receiving notifications.
  • Third-Party SPHINX Certification Functions, allowing access to the SPHINX Sandbox in order to validate and receive SPHINX compliance and certification reports concerning a third-party device and services.
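
The access decision implied by the interface list and the Administration and Management function above, as an added example that is not SPHINX code: a resource-server check that parses the bearer token as RFC 6750 specifies and then applies grant/revoke, permission to use a service, and the number of requests allowed. It goes beyond the page by returning the RFC 6750 error codes; `Profile`, `authorise`, the token store, the realm and the service names are hypothetical.

```python
import re
from dataclasses import dataclass

# RFC 6750 section 2.1: "Bearer", one or more spaces, then a b64token.
_BEARER = re.compile(r"^Bearer +([A-Za-z0-9\-._~+/]+=*)$")

@dataclass
class Profile:                 # hypothetical third-party profile
    services: set              # services the subscription plan permits
    quota: int                 # requests allowed per accounting period
    revoked: bool = False      # set when an administrator revokes access
    used: int = 0              # requests consumed so far

def challenge(status, error=None):
    """Status code plus the WWW-Authenticate header of RFC 6750 section 3."""
    value = 'Bearer realm="s-api"' + (f', error="{error}"' if error else "")
    return status, {"WWW-Authenticate": value}

def authorise(headers, service, tokens):
    """Decide one request; `tokens` maps an opaque token to its Profile."""
    auth = headers.get("Authorization")
    if auth is None:
        return challenge(401)                        # no credentials: bare challenge
    match = _BEARER.match(auth)
    if match is None:
        return challenge(400, "invalid_request")     # malformed or non-bearer header
    profile = tokens.get(match.group(1))
    if profile is None or profile.revoked:
        return challenge(401, "invalid_token")       # unknown or revoked token
    if service not in profile.services:
        return challenge(403, "insufficient_scope")  # plan does not cover the service
    if profile.used >= profile.quota:
        return 429, {}                               # service level exhausted
    profile.used += 1
    return 200, {}

# Constructed sample data: one active and one revoked third party.
TOKENS = {
    "tok-device-vendor": Profile({"certification"}, quota=2),
    "tok-revoked": Profile({"certification"}, quota=2, revoked=True),
}

if __name__ == "__main__":
    for _ in range(3):  # the third call exceeds the quota of 2
        print(authorise({"Authorization": "Bearer tok-device-vendor"}, "certification", TOKENS))
```

A production resource server would validate the token by signature or introspection instead of a dictionary lookup; the order of the checks is the part that carries over.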

The types of users defined for the S-API are:

  • S-API Administrator users: refers to users that have administration roles to manage third-parties and their roles.
  • S-API Third-Party users: refers to users representing third-parties to SPHINX that wish to access SPHINX services and functionalities via S-API.

The SPHINX Application Programming Interface (API) for Third Parties (S-API) enables third-party solution providers to access and interact with the SPHINX Platform and its components. Subject to authentication and authorisation, and using end-to-end encryption, S-API exposes advanced cybersecurity functionalities implemented by the SPHINX components, such as device/application certification, threat registry notification and anomaly detection. S-API therefore gives SPHINX easy integration with external components and lets third parties extend existing SPHINX functionalities and incorporate additional functions. S-API also brings additional exploitation opportunities related to third-party services.

More information about the Third-Parties API can be found in Deliverable 3.6, which is publicly available here.