Security and Authorization FAQs
This section provides tips and solutions to some of the most common questions asked by customers, the developer community, and internal staff about the use of the Change Healthcare APIs.
What are the endpoints for getting authorization tokens?
The endpoint for generating an authorization token is `/apip/auth/v2/token`. For more information, see Security Protocols and their Implementation.
```bash
# Request a token with the client_credentials grant (JSON body).
curl -X POST \
  'https://apigw.changehealthcare.com/apip/auth/v2/token/' \
  -H 'Content-Type: application/json' \
  -d '{
    "client_id": "<Your-ClientId>",
    "client_secret": "<Your-ClientSecret>",
    "grant_type": "client_credentials"
  }'
```
Are the APIs OAuth 2.0 compliant?
Yes, our APIs are compliant with the OAuth 2.0 specification, which can be found in the attachments.
What grant types are currently supported?
The platform currently supports the `client_credentials` grant type.
What if my API includes user context?
Platform tokens are appropriate for system-to-system communications. For APIs where user context is required, tokens should be issued by and retrieved from the CIAM system. The API Marketplace supports tokens issued by either of these identity providers.
What is the difference between version 1 and version 2 security and authorization APIs?
- Version 2 is fully compliant with the expectations outlined in the OAuth 2.0 specification. This is backward-compatible to support the migration of Version 1 clients. The token name usage in v2 is `access_token`.
- Version 1 of this API was designed to facilitate the migration of legacy APIs onto the platform. Version 1 should not be used for new implementations. The token name usage in v1 was `accessToken`.
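A client that may still meet Version 1 responses during migration has to read both token names. The following is an added example, not Change Healthcare code: it builds the request from the curl command above, masks the secret for logging, and reads either field. The function names and the sample response bodies are assumptions constructed for illustration.

```python
import json
import urllib.request

# Token URL as it appears in the page's curl command.
TOKEN_URL = "https://apigw.changehealthcare.com/apip/auth/v2/token/"

# Constructed sample bodies (not captured from the service). Only the token
# field names come from the page; the other fields are assumptions.
SAMPLE_V2 = '{"access_token": "constructed-v2-token", "token_type": "bearer", "expires_in": 3600}'
SAMPLE_V1 = '{"accessToken": "constructed-v1-token"}'


def build_token_request(client_id, client_secret, url=TOKEN_URL):
    """Build the client_credentials POST from the page's curl example."""
    if not client_id or not client_secret:
        raise ValueError("client_id and client_secret are required")
    body = {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "client_credentials"}
    return urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json"})


def loggable_body(request):
    """Copy of the request body with the secret masked, safe to log."""
    body = json.loads(request.data)
    body["client_secret"] = "***"
    return body


def extract_token(response_body):
    """Return (token, api_version); accepts the v2 and the legacy v1 name."""
    doc = json.loads(response_body)
    if not isinstance(doc, dict):
        raise ValueError("token response is not a JSON object")
    for field, version in (("access_token", "v2"), ("accessToken", "v1")):
        token = doc.get(field)
        if isinstance(token, str) and token:
            return token, version
    # Report key names only, so token or error values never reach the logs.
    raise ValueError("no token field in response; keys: %s" % sorted(doc))


if __name__ == "__main__":
    req = build_token_request("<Your-ClientId>", "<Your-ClientSecret>")
    print(req.get_method(), req.full_url, loggable_body(req))
    print(extract_token(SAMPLE_V2)[1], extract_token(SAMPLE_V1)[1])
```

To send the request, pass the object returned by `build_token_request` to `urllib.request.urlopen` and hand the response body to `extract_token`; a `"v1"` result marks a client that has not yet migrated.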
What is the difference between 'Access Token' & 'IMA-Token'?
These are the same, but are used to access different portions of Change Healthcare. Any APIs that would fall under this community would use the Access token.