Integrating with the API for our practice management system

We transitioned to a cloud-based SaaS legal practice management system about a year ago. It’s been going fine, after some initial hiccups in the roll-out (a story for another time). But we were just subbed out of a case, rare but it happens, and come to realize there’s no easy way to export all of the meta data we’ve created for a case. Our “file” is no longer just paper documents (or the PDF equivalents). When being subbed out, our ethical duty is to provide the client (or, in this case, their new counsel): “all client materials and property [] includ[ing] correspondence, pleadings, deposition transcripts, experts’ reports and other writings, exhibits, and physical evidence, whether in tangible, electronic or other form, and other items reasonably necessary to the client’s representation,” Rules of Professional Conduct 1.16(e)(1). So I sat down today and created an API key and figured out how to at least authenticate, in hacked-together PHP code. Heavier lifting tomorrow. Er, later today.

Screenshot of BBEdit with a WireShark capture loaded

Now, my plan is to provide the data as I download it, in JSON format. It’s very much an industry standard (and an increasingly popular one) (and has been a linga franca since at least 2013). I suspect the new firm will have no idea what do to with it; they’re a “PDF shop,” and, not to stereotype, but the main attorney has a 5-digit bar number. But, if they’re in violation of Rules of Professional Conduct 1.1's duty of competence (specifically, the “duty to keep abreast of the changes in [...] the benefits and risks associated with relevant technology,” well, that’s on them:

“To maintain a responsible awareness of the “benefits and risks” of relevant technologies, a lawyer today must be an informational omnivore with a sustained interest in technology as a fundamental building block of the contemporary world. And that interest must include a working knowledge of the infrastructure that enables and empowers today’s technology, if only to be made aware of one’s blind spots and protect oneself from the dangers of technological apathy.” (For a Lawyer, What Does “Technology Competence” Really Mean?, 20 Apr 2018.)

Pulling my hair out trying to figure out this issue; I was sending a subsequent API request using the authentication information returned by the call to /session but it was giving me a 500 error and this JSON payload:

{"message":"Something broke!","error":"JsonWebTokenError: jwt must be provided"}

Turns out I needed to actually include the string 'Bearer ' in the Authorization header, then the accessToken the /session call had provided:

Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9 [...]

At least I’m not the only one for whom this was a WTF...