Using the Security and Authorization API

Set up OAuth tokens to enable secure use of Change Healthcare's APIs.

NOTE: Change Healthcare is deprecating the Claims Responses and Reports v1 API. If you use the v1 API, you should begin using the v2 release at your earliest opportunity.

You can also check the Release Notes and the API Documentation.

Change Healthcare APIs secure all transactions using OAuth2, which requires a bearer token to obtain access.

You use the following Security and Authorization API endpoint to apply secure tokens to all of your API transactions:

Request Method: POST

API Endpoint: /apip/auth/v2/token

Secure Token API Endpoint URLs:

Sandbox (a safe testing environment for all of your contracted API testing):

https://sandbox.apigw.changehealthcare.com/apip/auth/v2/token

Production API environment:

https://apigw.changehealthcare.com/apip/auth/v2/token

Please note that a token obtained from the Sandbox endpoint isn't valid for use with the production API, and vice versa. Use the correct secure token API for each operating environment.

Bearer Token Lifetimes

Bearer tokens have a time-limited lifespan, after which they must be renewed. In production use, the lifespan of a token is two hours (7200 seconds). For Sandbox use, a token lifespan is one hour.

Issuing a Bearer Token Request

Use the following to obtain a token:

curl -X POST \
    https://sandbox.apis.changehealthcare.com/apip/auth/v2/token \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -d 'client_id=<Your-ClientId>&client_secret=<Your-ClientSecret>&grant_type=client_credentials'

Example:

curl -X POST \
    https://sandbox.apigw.changehealthcare.com/apip/auth/v2/token \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -d 'client_id=hghjhgjtgjtgjhhhjasdfhghjhgj&client_secret=asdfdfjsdhfjhsdhf&grant_type=client_credentials'

When you use an API client such as Postman, the JSON body for the request must appear as the following:

{
    "client_id": "hghjhgjtgjtgjhhhjasdfhghjhgj",
    "client_secret": "asdfdfjsdhfjhsdhf",
    "grant_type": "client_credentials"
}

The grant_type field will always equal “client_credentials”.

For testing, use your sandbox client_id and client_secret to get your token. If you do not have your credentials, reach out to your account manager or Change Healthcare contact.

A token response resembles the following:

{
    "access_token": "eyJraWQiOiIxIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.[...].t8YPbCuyn_CNXmMIwlIL0y14j-RqO1VsHSkahtXZrf5uURZ0grU_oDepwNeRKf2Sr8norTSEsKvjPSFHaKxb_U7yQ2g9UnyH5PA1X63-Lj5v8h38BdUk19p2GQBJSzmGPEyazvYoCCxSGZ68RN9kZb_WrQWObsrMyb1JFN_zeWa2j3YGgbBglZNO_Wt1Ty6ZQrDWcxeVMlbIRMDAKYBUrmmTTsIpHrol-5YzyYgZVBpO-Hxz_otD4t-_DRx5_cxLl4tG1qi7i2Ddb65eO3XxQU-Ibzb9bAT4HXIR3Ab735cTJMBlK9jCfDc0DDCBkpGAHwJV5rj0zOEitC1xciLt3g",
    "token_type": "bearer",
    "expires_in": 3600
}

When you want to move to production, remove “sandbox” from the URL and use the following:

https://apigw.changehealthcare.com/apip/auth/v2/token

You will need a separate set of credentials for the Production APIs.

When you have a bearer token, you can use it to call all of your contracted Change Healthcare APIs with these HTTP headers:

Content-Type: application/json
Authorization: Bearer <Your-Access-Token>
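
Because tokens expire (see Bearer Token Lifetimes) and are environment-specific, a client typically caches one token per environment and renews it shortly before expires_in elapses. The Python code below is an added example, not Change Healthcare's code: TokenCache, fetch_token and the 60-second renewal margin are assumptions, while the endpoint URLs and form fields are the ones shown on this page.

```python
import json
import time
import urllib.parse
import urllib.request

# Token endpoints as listed on this page; each environment has its own credentials.
TOKEN_URLS = {
    "sandbox": "https://sandbox.apigw.changehealthcare.com/apip/auth/v2/token",
    "production": "https://apigw.changehealthcare.com/apip/auth/v2/token",
}

def fetch_token(env, client_id, client_secret, timeout=10):
    """POST the client-credentials form to the token endpoint; return parsed JSON."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(
        TOKEN_URLS[env], data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

class TokenCache:
    """Hypothetical helper (not part of any SDK): one cached token per environment."""
    def __init__(self, env, client_id, client_secret,
                 fetch=fetch_token, clock=time.monotonic, skew=60):
        if env not in TOKEN_URLS:
            raise ValueError(f"unknown environment: {env!r}")
        self.env, self._id, self._secret = env, client_id, client_secret
        self._fetch, self._clock, self._skew = fetch, clock, skew  # skew: assumed margin
        self._token, self._expires_at = None, 0.0

    def headers(self):
        """Return API request headers, renewing the token `skew` seconds early."""
        now = self._clock()  # read before the request so the expiry estimate is conservative
        if self._token is None or now >= self._expires_at:
            resp = self._fetch(self.env, self._id, self._secret)
            if resp.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type in token response")
            self._token = resp["access_token"]
            self._expires_at = now + int(resp["expires_in"]) - self._skew
        return {"Content-Type": "application/json",
                "Authorization": f"Bearer {self._token}"}

    def __repr__(self):  # keep the client secret and token out of logs and tracebacks
        return f"TokenCache(env={self.env!r}, client_id=<redacted>)"
```

Create one TokenCache per environment with that environment's credentials, loaded from a secret store or environment variables rather than source code, and call headers() before each API request.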

Referring to Change Healthcare Security Information

Find out more about our security protocols and their implementation.

