...

See See Image Download APIs and Image Metadata APIs for more information about each NBIA Search with Authentication REST API.

...

Access to any NBIA Search with Authentication API requires a token that you must request.

...

 This token can then be used on subsequent requests to authorize access to resources. This token will expire in two hours but you can refresh it.

The NBIA REST API supports secure access to private data in the Client Credentials authorization flow with Spring Security and OAuth2. The Client Credentials authorization flow is also known as "signed fetch" or 2-legged OAuth. The following figure illustrates the typical use case for REST API calls made on the web using 2-legged OAuth. For more information regarding the specific workflow, consult the OAuth2 Specification. 

     +---------+                                  +---------------+
     |         |                                  |               |
     |         |>--(A)- Client Authentication --->| Authorization |
     | Client  |                                  |     Server    |
     |         |<--(B)---- Access Token ---------<|               |
     |         |                                  |               |
     +---------+                                  +---------------+

Figure 1: Client Credentials Flow

This flow includes the following steps:

1. The client authenticates with the authorization server and requests an access token from the token endpoint.
2. The authorization server authenticates the client, and if valid, issues an access token.

This token can then be used on subsequent requests to authorize access to resources. The REST API server also supports token expiration and extension by refresh. The time it takes tokens to expire is currently two hours but is configurable.

To access TCIA using an NBIA Search with Authentication REST API, you must do the following:

• Request a token
• Use the token in an API call

Requesting a Token to Use with Restricted Data

Access to any NBIA Search with Authentication REST API requires an access token.  

A request for an access token takes the following structure. Note that USERNAME should be your TCIA username and PASSWORD should be your TCIA password.

Requesting a Token

Access to any NBIA Advanced REST API requires an access token. A request for an access token takes the following structure. Note that USERNAME should be your TCIA username and PASSWORD should be your TCIA password.

curl -X -v -d "username=USERNAME&password=PASSWORD&

curl -X -v -d "username=USERNAME&password=PASSWORD&client_id=NBIA&grant_type=password" -X POST -k https://services.cancerimagingarchive.net/nbia-api/oauth/token

Request a token by interacting with the application in the following way.

1. The application requests credentials. The credentials you pass are different depending on if you want to access public or restricted data (see above).

2. The application sends a request to the service using the credentials you provided as a query string for the body. 

   • grant_type=password
   • username=your TCIA username
   • password=your TCIA password

3. The service responds with access token details and expiration information.

   • access_token
   • expires_in
   • refresh_expires_in
   • refresh_token
   • not-before-policy
   • session_state

   The application makes a request for resources using the returned access token. All APIs listed for accessing public data also support secure access to restricted data with an additional parameter for the access token. 

Requesting a Token to Use with Public Data

If you don't have a TCIA account and want to test an API on this page, you can access public data using the NBIA guest account with no password, as follows.

curl -d "username=nbia_guest&password=&client_id=NBIA&grant_type=password" -X POST -k https://services.cancerimagingarchive.net/nbia-api/oauth/token

How a Token is Returned/Granted/Given

A successful token request returns a standard access token in JSON format. The value after "access_token" will likely be longer than this example.

{"access_token":"f7889076-b3e4-4768-9419-3cd973adda76","token_type":"bearer","refresh_token":"671bb72b-f929-4ef5-a4d7-b52341a6007a","expires_in":7199}

...

If you don't have a TCIA account, you can access public data using the "nbia_guest" account with no password, as follows.

curl -X -v -d "username=nbia_guest&password=&client_id=NBIA&grant_type=password" -X POST -k https://services.cancerimagingarchive.net/nbia-api/oauth/token

How a Token is Returned/Granted/Given

A successful token request returns a standard access token in JSON format. The value after "access_token" will be longer than this example.

{"access_token":"cd2b2895-85d0-49c5-bd75-804f162da942","expires_in":7200,"refresh_expires_in":7200,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgO","not-before-policy":0,"session_state":"92a199c6-84ed-48aa-a0d2-059bbb99bc90","scope":"openid profile email"}

Make a note of the access token you received and pass it with the REST service call.

# Request for modality values and counts        
    
curl -H "Authorization:Bearer YOUR_ACCESS_TOKENcd2b2895-85d0-49c5-bd75-804f162da942" -k "https://services.cancerimagingarchive.net/nbia-api/services/v2/getModalityValuesAndCounts?Collection=LIDC-IDRI"

A successful service request returns the value in a defined format. 

Refreshing the Token

The time it takes tokens to expire is configurable but is currently two hours. You can refresh your access token for an additional two hours by passing the refresh token from your original token request.

# Request for refreshing the token  

curl -X -v -d  "username=USERNAME&client_id=nbia&grant_type=refresh_token&refresh_token=YOUR_REFRESH_TOKEN" -X POST -k https://nbia.cancerimagingarchive.net/nbia-api/oauth/token

In the following result, 7200 is the seconds before the token expires.

{"access_token":"YOUR_ACCESS_TOKEN","expires_in":7200,"refresh_expires_in":7200,"refresh_token":"YOUR_REFRESH_TOKEN","token_type":"Bearer","id_token":"YOUR_ID_TOKEN","not-before-policy":0,"session_state":"531425b6-425d-44f8-bc74-41200d6803c0","scope":"openid profile email"}

Logging Out

The following is an example request to log out. Logging out invalidates the token you previously requested.

# Request for logout
 
curl -X -v -d "Authorization:Bearer YOUR_ACCESS_TOKEN" -k "https://services.cancerimagingarchive.net/nbia-api/logout"

The request does not return any values.

Accessing the National Lung Screening Trial (NLST) collection

Due to its size, the National Lung Screening Trial (NLST) collection lives on a separate NBIA server. Since this server only holds the public NLST collection, there is no reason to create an API token with your own credentials. To access these data via the Advanced REST API, you must change the URL to obtain the authentication token from https://

...

nlst.cancerimagingarchive.net/nbia-api/oauth/token

...

. You can then use https://nlst.cancerimagingarchive.net/nbia-api/services/ to make REST API calls. In both cases, the beginning of the URL is changed from "services" to "nlst."  Examples of requesting a token and performing an API query are shown below:

curl -X -v -d "username=nbia_guest&password=&client_id=NBIA&grant_type=password" -X POST -k https://nlst.cancerimagingarchive.net/nbia-api/oauth/token

curl -H 

In the following result, 7200 is the seconds before the token expires.

{"access_token":"YOUR_ACCESS_TOKEN","expires_in":7200,"refresh_expires_in":7200,"refresh_token":"YOUR_REFRESH_TOKEN","token_type":"Bearer","id_token":"YOUR_ID_TOKEN","not-before-policy":0,"session_state":"531425b6-425d-44f8-bc74-41200d6803c0","scope":"openid profile email"}

Logging Out

The following is an example request to log out.

# Request for logout           
curl -X -v -d "Authorization:Bearer YOUR_ACCESS_TOKEN" -k "https://servicesnlst.cancerimagingarchive.net/nbia-api/logout"

...

services/getBodyPartValuesAndCounts?Modality=PT"

...