Security and Authorization V2
Overview
This documentation describes how to use the platform's standard security API to request an access token that can be used to access other APIs on the platform. The downloadable OpenAPI specification above reflects this implementation. This version of the API is fully compliant with the conventions defined in the OAuth 2.0 specification.
Consumers should note that the token name usage this version onward is,
access_token. The previous API v1 token name usage wasaccessToken.
Certain legacy APIs exposed through this platform, use a legacy Authorization implementation described at the bottom of this summary. Review the Change Log/Release Notes to determine whether a given API uses the standard or legacy Authorization mechanism.
Access Control through Web Tokens
All Change Healthcare Enterprise APIs on this platform are secured using JSON Web Tokens (JWT).
Security and Authorization
Security through TLS
All calls to Change Healthcare APIs are encrypted over HTTPS. Our APIs support connections using Transport Layer Security (TLS) version 1.2 or later.
Authorization token through OAuth2
The Change Healthcare uses OAuth2 to create a secure connection with our API users, which requires a bearer authorization token to obtain access.
NOTE
- For sandbox, the lifespan of a Bearer token is one hour (3600 seconds)
- For production, the lifespan of a Bearer token is two hours (7200 seconds)
APIs components
API Components | Value |
|---|---|
Bearer Authorization Token Endpoint |
|
Request Method |
|
Content-Type Header | Always defaults to |
Authorization Header | Pass the |
| Always |
Generate authorization token
API request header
Content-Type: application/json
Authorization: Bearer <Your-Access-Token>
Authorization token request
```
curl -X POST \
'**https://apigw.changehealthcare.com/apip/auth/v2/token/**' \
-H 'Content-Type: application/json' \
-d '{
"client_id": "<Your-ClientId>",
"client_secret": "<Your-ClientSecret>",
"grant_type": "client_credentials"
}'
```
Authorization token request example
```cURL
curl -X POST \
https://sandbox.apigw.changehealthcare.com/apip/auth/v2/token \\
-H 'Content-Type: application/x-www-form-urlencoded' \\
-d 'client_id=hghjhgjtgjtgjhhhjasdfhghjhgj\&client_secret=asdfdfjsdhfjhsdhf\&grant_type=client_credentials'
```
When you use an API client, such as a Postman tool, the JSON body for the request
must appear as follows:
```json
{
"client_id": "hghjhgjtgjtgjhhhjasdfhghjhgj",
"client_secret": "asdfdfjsdhfjhsdhf",
"grant_type": "client_credentials"
}
```
Authorization token response
To test on your sandbox, use your client_id and client_secret to get your token. If you do not have your credentials, reach out to your account manager or contact in Change Healthcare.
```json
{
"access_token":
"eyJraWQiOiIxIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJhY2Nlc3NfdG9rZW4iOiJkc1JvRTMzSFYzbnpkYjh3ak1hWWtFUmY4VVF5IiwiYXVkIjoiYXBpUGxhdGZvcm0iLCJuYmYiOjE2MTA0OTMxMTAsImFwaV9wcm9kdWN0X2xpc3QiOlsiTU5fUHJvZHVjdF9DbGFpbVN0YXR1c192MiIsIk1OX1Byb2R1Y3RfRWxpZ2liaWxpdHlfdjMiLCJNTl9Qcm9kdWN0X1Byb2Zlc3Npb25hbENsYWltc192MyIsIlRQX1Byb2R1Y3RfVHJhZGluZ1BhcnRuZXJzX3Y3IiwiTU5fUHJvZHVjdF9SZXBvcnRzX3YxIiwiTU5fUHJvZHVjdF9BdHRhY2htZW50c192MSIsIk1OX1Byb2R1Y3RfSW5zdGl0dXRpb25hbENsYWltc192MSIsIk1OX1Byb2R1Y3RfUERfQ2xhaW1zU3RhdHVzX3YxIiwiTU5fUHJvZHVjdF9QRF9DbGFpbXNfdjEiLCJNTl9Qcm9kdWN0X1BEX0VsaWdpYmlsaXR5X3YxIiwiVFBfUHJvZHVjdF9UcmFkaW5nUGFydG5lciJdLCJhcHBsaWNhdGlvbl9uYW1lIjoiSU5fQVBJUF9NTl9DSENfVGVzdEFwcCIsImRldmVsb3Blcl9lbWFpbCI6ImNkcHRlYW1AY2hhbmdlaGVhbHRoY2FyZS5jb20iLCJpc3MiOiJodHRwczovL3NhbmRib3guYXBpcy5jaGFuZ2VoZWFsdGhjYXJlLmNvbSIsImV4cCI6MTYxMDQ5NjcxMCwiaWF0IjoxNjEwNDkzMTEwLCJqdGkiOiJjNjQ4ODBjMC1hZDFhLTQ1NzEtOGJjYi02YmI2NGQ1YWRlYTgifQ.t8YPbCuyn_CNXmMIwlIL0y14j-RqO1VsHSkahtXZrf5uURZ0grU_oDepwNeRKf2Sr8norTSEsKvjPSFHaKxb_U7yQ2g9UnyH5PA1X63-Lj5v8h38BdUk19p2GQBJSzmGPEyazvYoCCxSGZ68RN9kZb_WrQWObsrMyb1JFN_zeWa2j3YGgbBglZNO_Wt1Ty6ZQrDWcxeVMlbIRMDAKYBUrmmTTsIpHrol-5YzyYgZVBpO-Hxz_otD4t-_DRx5_cxLl4tG1qi7i2Ddb65eO3XxQU-Ibzb9bAT4HXIR3Ab735cTJMBlK9jCfDc0DDCBkpGAHwJV5rj0zOEitC1xciLt3g",
"token_type": "bearer",
"expires_in": 3600
}
```
NOTE
When you are ready to move from sandbox to production, replace the sandbox authorization URL with the production URL:
https://apigw.changehealthcare.com/apip/auth/v2/token
Production API credentials
You will need a separate set of credentials for the production APIs. For more information, see API Onboarding.
You can use your bearer token to call all your contracted Change Healthcare APIs with these HTTP headers:
- Content-Type: application/json
- Authorization: Bearer
Legacy Authorization
For more information about the legacy Authorization APIs implementation:
Updated 3 days ago