Using the Security and Authorization API
Set up OAuth tokens to enable secure use of Change Healthcare's APIs.
NOTE: Change Healthcare is deprecating the Claims Responses and Reports v1 API. If you use the v1 API, you should begin using the v2 release at your earliest opportunity.
You can also check the Release Notes and the API Documentation. |
Change Healthcare APIs secure all transactions using OAuth2, which requires a bearer token to obtain access.
You use the following Security and Authorization API endpoint to apply secure tokens to all of your API transactions:
Request Method: POST
API Endpoint: /apip/auth/v2/token
Secure Token API Endpoint URLs:
Sandbox (a safe testing environment for all of your contracted API testing):
https://sandbox.apigw.changehealthcare.com/apip/auth/v2/token
Production API environment:
https://apigw.changehealthcare.com/apip/auth/v2/token
Please note that a token obtained from the Sandbox endpoint isn't valid for use with the production API; and vice versa. Use the correct secure token API for each operating environment.
Bearer Token Lifetimes
Bearer tokens have a time-limited lifespan, after which they must be renewed. In production use, the lifespan of a token is two hours (7200 seconds). For Sandbox use, a token lifespan is one hour.
Issuing a Bearer Token Request
Use the following to obtain a token:
curl -X POST \
https://sandbox.apis.changehealthcare.com/apip/auth/v2/token \\
-H 'Content-Type: application/x-www-form-urlencoded' \\
-d 'client_id=\<Your-ClientId\>&client_secret=\<Your-ClientSecret\>&grant_type=client_credentials'
Example:
curl -X POST \
https://sandbox.apigw.changehealthcare.com/apip/auth/v2/token \\
-H 'Content-Type: application/x-www-form-urlencoded' \\
-d 'client_id=hghjhgjtgjtgjhhhjasdfhghjhgj\&client_secret=asdfdfjsdhfjhsdhf\&grant_type=client_credentials'
When you use an API client such as Postman, the JSON body for the request
must appear as the following:
{
"client_id": "hghjhgjtgjtgjhhhjasdfhghjhgj",
"client_secret": "asdfdfjsdhfjhsdhf",
"grant_type": "client_credentials"
}
The grant_type
field will always equal “client_credentials”.
For testing, use your sandbox client_id
and client_secret
to get your token. If you do not have your credentials, reach out to your account manager or Change Healthcare contact.
A token response resembles the following:
{
"access_token":
"eyJraWQiOiIxIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJhY2Nlc3NfdG9rZW4iOiJkc1JvRTMzSFYzbnpkYjh3ak1hWWtFUmY4VVF5IiwiYXVkIjoiYXBpUGxhdGZvcm0iLCJuYmYiOjE2MTA0OTMxMTAsImFwaV9wcm9kdWN0X2xpc3QiOlsiTU5fUHJvZHVjdF9DbGFpbVN0YXR1c192MiIsIk1OX1Byb2R1Y3RfRWxpZ2liaWxpdHlfdjMiLCJNTl9Qcm9kdWN0X1Byb2Zlc3Npb25hbENsYWltc192MyIsIlRQX1Byb2R1Y3RfVHJhZGluZ1BhcnRuZXJzX3Y3IiwiTU5fUHJvZHVjdF9SZXBvcnRzX3YxIiwiTU5fUHJvZHVjdF9BdHRhY2htZW50c192MSIsIk1OX1Byb2R1Y3RfSW5zdGl0dXRpb25hbENsYWltc192MSIsIk1OX1Byb2R1Y3RfUERfQ2xhaW1zU3RhdHVzX3YxIiwiTU5fUHJvZHVjdF9QRF9DbGFpbXNfdjEiLCJNTl9Qcm9kdWN0X1BEX0VsaWdpYmlsaXR5X3YxIiwiVFBfUHJvZHVjdF9UcmFkaW5nUGFydG5lciJdLCJhcHBsaWNhdGlvbl9uYW1lIjoiSU5fQVBJUF9NTl9DSENfVGVzdEFwcCIsImRldmVsb3Blcl9lbWFpbCI6ImNkcHRlYW1AY2hhbmdlaGVhbHRoY2FyZS5jb20iLCJpc3MiOiJodHRwczovL3NhbmRib3guYXBpcy5jaGFuZ2VoZWFsdGhjYXJlLmNvbSIsImV4cCI6MTYxMDQ5NjcxMCwiaWF0IjoxNjEwNDkzMTEwLCJqdGkiOiJjNjQ4ODBjMC1hZDFhLTQ1NzEtOGJjYi02YmI2NGQ1YWRlYTgifQ.t8YPbCuyn_CNXmMIwlIL0y14j-RqO1VsHSkahtXZrf5uURZ0grU_oDepwNeRKf2Sr8norTSEsKvjPSFHaKxb_U7yQ2g9UnyH5PA1X63-Lj5v8h38BdUk19p2GQBJSzmGPEyazvYoCCxSGZ68RN9kZb_WrQWObsrMyb1JFN_zeWa2j3YGgbBglZNO_Wt1Ty6ZQrDWcxeVMlbIRMDAKYBUrmmTTsIpHrol-5YzyYgZVBpO-Hxz_otD4t-_DRx5_cxLl4tG1qi7i2Ddb65eO3XxQU-Ibzb9bAT4HXIR3Ab735cTJMBlK9jCfDc0DDCBkpGAHwJV5rj0zOEitC1xciLt3g",
"token_type": "bearer",
"expires_in": 3600
}
When you want to move to production, remove “sandbox” from the URL and use the following:
https://apigw.changehealthcare.com/apip/auth/v2/token
You will need a separate set of credentials for the Production APIs.
When you have a bearer token, you can use it to call all of your contracted Change Healthcare APIs with these HTTP headers:
content-Type: application/json
authorization: Bearer \<Your-Access-Token>\
Referring to Change Healthcare Security Information
Find out more about our security protocols and their implementation.
Updated 6 months ago