Using the Security and Authorization API
Set up OAuth tokens to enable secure use of Change Healthcare's APIs.
Change Healthcare APIs secure all transactions using OAuth2, which requires a bearer token to obtain access.
Use the following Security and Authorization API endpoint to obtain the bearer token that secures all of your API transactions:
Request Method: POST
API Endpoint: /apip/auth/v2/token
Secure Token API Endpoint URLs:
Sandbox (a safe testing environment for all of your contracted API testing):
https://sandbox.apigw.changehealthcare.com/apip/auth/v2/token
Production API environment:
https://apigw.changehealthcare.com/apip/auth/v2/token
Please note that a token obtained from the Sandbox endpoint isn't valid for use with the production API, and vice versa. Use the correct secure token API for each operating environment.
Bearer Token Lifetimes
Bearer tokens have a time-limited lifespan, after which they must be renewed. In production use, the lifespan of a token is two hours (7200 seconds). For Sandbox use, the token lifespan is one hour.
Issuing a Bearer Token Request
Use the following to obtain a token:
curl -X POST \
  https://sandbox.apigw.changehealthcare.com/apip/auth/v2/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'client_id=<Your-ClientId>&client_secret=<Your-ClientSecret>&grant_type=client_credentials'
Example:
curl -X POST \
  https://sandbox.apigw.changehealthcare.com/apip/auth/v2/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'client_id=hghjhgjtgjtgjhhhjasdfhghjhgj&client_secret=asdfdfjsdhfjhsdhf&grant_type=client_credentials'
When you use an API client such as Postman, the JSON body for the request must appear as the following:
{
"client_id": "hghjhgjtgjtgjhhhjasdfhghjhgj",
"client_secret": "asdfdfjsdhfjhsdhf",
"grant_type": "client_credentials"
}
The grant_type field will always equal “client_credentials”.
For testing, use your sandbox client_id and client_secret to get your token. If you do not have your credentials, reach out to your account manager or Change Healthcare contact.
A token response resembles the following:
{
"access_token":
"eyJraWQiOiIxIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJhY2Nlc3NfdG9rZW4iOiJkc1JvRTMzSFYzbnpkYjh3ak1hWWtFUmY4VVF5IiwiYXVkIjoiYXBpUGxhdGZvcm0iLCJuYmYiOjE2MTA0OTMxMTAsImFwaV9wcm9kdWN0X2xpc3QiOlsiTU5fUHJvZHVjdF9DbGFpbVN0YXR1c192MiIsIk1OX1Byb2R1Y3RfRWxpZ2liaWxpdHlfdjMiLCJNTl9Qcm9kdWN0X1Byb2Zlc3Npb25hbENsYWltc192MyIsIlRQX1Byb2R1Y3RfVHJhZGluZ1BhcnRuZXJzX3Y3IiwiTU5fUHJvZHVjdF9SZXBvcnRzX3YxIiwiTU5fUHJvZHVjdF9BdHRhY2htZW50c192MSIsIk1OX1Byb2R1Y3RfSW5zdGl0dXRpb25hbENsYWltc192MSIsIk1OX1Byb2R1Y3RfUERfQ2xhaW1zU3RhdHVzX3YxIiwiTU5fUHJvZHVjdF9QRF9DbGFpbXNfdjEiLCJNTl9Qcm9kdWN0X1BEX0VsaWdpYmlsaXR5X3YxIiwiVFBfUHJvZHVjdF9UcmFkaW5nUGFydG5lciJdLCJhcHBsaWNhdGlvbl9uYW1lIjoiSU5fQVBJUF9NTl9DSENfVGVzdEFwcCIsImRldmVsb3Blcl9lbWFpbCI6ImNkcHRlYW1AY2hhbmdlaGVhbHRoY2FyZS5jb20iLCJpc3MiOiJodHRwczovL3NhbmRib3guYXBpcy5jaGFuZ2VoZWFsdGhjYXJlLmNvbSIsImV4cCI6MTYxMDQ5NjcxMCwiaWF0IjoxNjEwNDkzMTEwLCJqdGkiOiJjNjQ4ODBjMC1hZDFhLTQ1NzEtOGJjYi02YmI2NGQ1YWRlYTgifQ.t8YPbCuyn_CNXmMIwlIL0y14j-RqO1VsHSkahtXZrf5uURZ0grU_oDepwNeRKf2Sr8norTSEsKvjPSFHaKxb_U7yQ2g9UnyH5PA1X63-Lj5v8h38BdUk19p2GQBJSzmGPEyazvYoCCxSGZ68RN9kZb_WrQWObsrMyb1JFN_zeWa2j3YGgbBglZNO_Wt1Ty6ZQrDWcxeVMlbIRMDAKYBUrmmTTsIpHrol-5YzyYgZVBpO-Hxz_otD4t-_DRx5_cxLl4tG1qi7i2Ddb65eO3XxQU-Ibzb9bAT4HXIR3Ab735cTJMBlK9jCfDc0DDCBkpGAHwJV5rj0zOEitC1xciLt3g",
"token_type": "bearer",
"expires_in": 3600
}
When you want to move to production, remove “sandbox” from the URL and use the following:
https://apigw.changehealthcare.com/apip/auth/v2/token
You will need a separate set of credentials for the Production APIs.
When you have a bearer token, you can use it to call all of your contracted Change Healthcare APIs with these HTTP headers:
Content-Type: application/json
Authorization: Bearer <Your-Access-Token>
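The token lifetimes and per-environment credentials described above mean a client should cache its token, renew it before expires_in runs out, and keep secrets out of source code. The following is an added example, not Change Healthcare's own code; the class and function names, the 60-second renewal margin, and the CHC_<ENV>_CLIENT_ID / CHC_<ENV>_CLIENT_SECRET environment variable names are assumptions.

```python
import json
import os
import time
import urllib.parse
import urllib.request

# Token endpoints as listed on this page; a token is only valid in its own environment.
TOKEN_URLS = {
    "sandbox": "https://sandbox.apigw.changehealthcare.com/apip/auth/v2/token",
    "production": "https://apigw.changehealthcare.com/apip/auth/v2/token",
}

def post_form(url, fields, timeout=10):
    """POST form-encoded fields (as in the curl example) and return the JSON reply."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(fields).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

class TokenCache:
    """Holds one environment's bearer token and renews it shortly before expiry."""

    def __init__(self, env, client_id, client_secret,
                 post=post_form, clock=time.monotonic, skew=60):
        self.url = TOKEN_URLS[env]  # KeyError for anything but sandbox/production
        self._fields = {"client_id": client_id, "client_secret": client_secret,
                        "grant_type": "client_credentials"}
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._renew_at = None, 0.0

    def token(self):
        if self._token is None or self._clock() >= self._renew_at:
            body = self._post(self.url, self._fields)
            if str(body.get("token_type", "")).lower() != "bearer":
                raise ValueError("unexpected token_type in token response")
            # expires_in is 3600 (sandbox) or 7200 (production); renew `skew` seconds early
            self._renew_at = self._clock() + max(int(body["expires_in"]) - self._skew, 0)
            self._token = body["access_token"]
        return self._token

    def headers(self):
        return {"Content-Type": "application/json",
                "Authorization": f"Bearer {self.token()}"}

def from_env(env):
    """Read credentials from hypothetical CHC_<ENV>_CLIENT_ID / _CLIENT_SECRET variables."""
    prefix = f"CHC_{env.upper()}_"
    return TokenCache(env, os.environ[prefix + "CLIENT_ID"], os.environ[prefix + "CLIENT_SECRET"])
```

Call from_env("sandbox").headers() before each API request; the token endpoint is contacted only when the cached token is missing or within the renewal margin of expiry.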
Referring to Change Healthcare Security Information
Find out more about our security protocols and their implementation.
Updated 2 months ago