End-User Authentication
Overview
End-user authentication allows your application to access b.well services on behalf of a specific user. Users authenticate through your existing Identity Provider, and b.well issues access tokens scoped to that user's context.
b.well uses OAuth 2.0 Token Exchange (RFC 8693) with OpenID Connect (OIDC) to enable Single Sign-On (SSO) across your applications while maintaining consistent user identity.
How it Works
- User authenticates — User logs into your application through your Identity Provider (IdP)
- IdP returns ID token — Your IdP issues an OIDC-compliant ID token (JWT)
- Token exchange — Your application sends the ID token to b.well's OAuth token endpoint
- b.well validates token — b.well verifies the token signature and issuer against your registered IdP
- b.well issues access token — b.well returns a scoped access token for the authenticated user
- Access b.well services — Use the access token to authenticate requests to b.well's platform
Note: b.well SDKs and Embeddable UI handle this flow automatically, including token storage, refresh, and request authorization.
Prerequisites
Complete these requirements during onboarding with b.well.
Identity Provider Requirements
Your Identity Provider must support:
- OpenID Connect (OIDC) — Industry-standard authentication protocol
- JWT-based ID tokens — Signed with RS256 or stronger
- OIDC Discovery — Publicly accessible .well-known/openid-configuration endpoint
Configuration
You provide to b.well:
| Item | Description | Example |
|---|---|---|
| OIDC Discovery Endpoint | Your IdP's OpenID configuration URL (for each environment) | https://auth.yourcompany.com/.well-known/openid-configuration |
| Issuer Identifier | The iss claim value from your IdP's tokens | https://auth.yourcompany.com |
| Unique Identifier | The claim within your IdP’s tokens that is unique across each user | sub |
b.well provides to you:
| Item | Description |
|---|---|
| Client ID | Your application's unique identifier for each environment (Sandbox/Production) |
ID Token Requirements
Your IdP's ID tokens must include standard OIDC claims. b.well validates tokens using your IdP's published public keys (JWKS endpoint) and matches them to user records.
💡 Profile Completion
If required information isn't available in the ID token, some integrations may prompt users to complete their profile after authentication.
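A pre-flight check that an integrating application could run on its IdP's ID token before the token exchange step, followed by the RFC 8693 request body. This is an added example, not b.well code: the function names, the reading of "RS256 or stronger" as the asymmetric JWS algorithms, and sending client_id as a form field are assumptions, and the sample tokens are constructed.

```python
import base64, json, time
from urllib.parse import urlencode

# Assumption: "RS256 or stronger" is read as these asymmetric JWS algorithms.
ALLOWED_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
                "ES256", "ES384", "ES512"}

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def preflight_id_token(token, issuer, uid_claim="sub", now=None):
    """Return a list of problems; an empty list means no claim-level issue.
    The signature is NOT checked here: b.well verifies it against the IdP's JWKS."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return ["not a signed compact JWT (expected header.payload.signature)"]
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header or payload is not base64url-encoded JSON"]
    problems = []
    if header.get("alg") not in ALLOWED_ALGS:
        problems.append(f"alg {header.get('alg')!r} is not RS256 or stronger")
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != registered issuer")
    if not claims.get(uid_claim):
        problems.append(f"unique identifier claim {uid_claim!r} is missing")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        problems.append("exp is missing or in the past")
    return problems

def token_exchange_form(id_token, client_id):
    """RFC 8693 request body with the ID token as the subject_token."""
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token": id_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
        "client_id": client_id,  # assumption: client ID sent as a form field
    })

def make_sample(alg, claims):
    """Build a constructed sample token with a dummy signature segment."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc(claims)}.c2ln"
```

An empty result says nothing about the signature; only the JWKS-based validation on b.well's side establishes that.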
Implementation
b.well provides multiple integration paths for end-user authentication. Each method handles token exchange, storage, and refresh — you implement authentication methods in your application code.
Choose your end-user application integration path and follow its workflow guide for implementation details and code examples.
- Embeddable
- Health SDK for Web
- Health SDK for Android
- Health SDK for iPhone (coming soon)
- Health SDK for AI
- Application APIs
OAuth 2.0 Token Exchange is typically the preferred authentication pattern, allowing you to maintain consistent identity management within your application. If you prefer to use b.well as your Identity Provider or need custom authentication patterns, contact the b.well team to discuss options.
