Using the Security and Authorization API

Change Healthcare APIs secure all transactions using OAuth2, which requires a bearer token to obtain access.

You use the following Security and Authorization API endpoint to apply secure tokens to all of your API transactions:

Request Method: POST

API Endpoint: /apip/auth/v2/token

Secure Token API Endpoint URLs:

Sandbox (a safe testing environment for all of your contracted API testing):

https://sandbox.apigw.changehealthcare.com/apip/auth/v2/token

Production API environment:

https://apigw.changehealthcare.com/apip/auth/v2/token

Please note that a token obtained from the Sandbox endpoint isn't valid for use with the production API; and vice versa. Use the correct secure token API for each operating environment.

Bearer Token Lifetimes

Bearer tokens have a time-limited lifespan, after which they must be renewed. In production use, the lifespan of a token is two hours (7200 seconds). For Sandbox use, a token lifespan is one hour.

Issuing a Bearer Token Request

Use the following to obtain a token:

curl -X POST \
    https://sandbox.apis.changehealthcare.com/apip/auth/v2/token \\
    -H 'Content-Type: application/x-www-form-urlencoded' \\
    -d 'client_id=\<Your-ClientId\>&client_secret=\<Your-ClientSecret\>&grant_type=client_credentials'

Example:

curl -X POST \
    https://sandbox.apigw.changehealthcare.com/apip/auth/v2/token \\
    -H 'Content-Type: application/x-www-form-urlencoded' \\
    -d 'client_id=hghjhgjtgjtgjhhhjasdfhghjhgj\&client_secret=asdfdfjsdhfjhsdhf\&grant_type=client_credentials'

When you use an API client such as Postman, the JSON body for the request
must appear as the following:

{
    "client_id": "hghjhgjtgjtgjhhhjasdfhghjhgj",
    "client_secret": "asdfdfjsdhfjhsdhf",
    "grant_type": "client_credentials"
}

The grant_type field will always equal “client_credentials”.

For testing, use your sandbox client_id and client_secret to get your token. If you do not have your credentials, reach out to your account manager or Change Healthcare contact.

A token response resembles the following:

{
    "access_token":
    "eyJraWQiOiIxIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJhY2Nlc3NfdG9rZW4iOiJkc1JvRTMzSFYzbnpkYjh3ak1hWWtFUmY4VVF5IiwiYXVkIjoiYXBpUGxhdGZvcm0iLCJuYmYiOjE2MTA0OTMxMTAsImFwaV9wcm9kdWN0X2xpc3QiOlsiTU5fUHJvZHVjdF9DbGFpbVN0YXR1c192MiIsIk1OX1Byb2R1Y3RfRWxpZ2liaWxpdHlfdjMiLCJNTl9Qcm9kdWN0X1Byb2Zlc3Npb25hbENsYWltc192MyIsIlRQX1Byb2R1Y3RfVHJhZGluZ1BhcnRuZXJzX3Y3IiwiTU5fUHJvZHVjdF9SZXBvcnRzX3YxIiwiTU5fUHJvZHVjdF9BdHRhY2htZW50c192MSIsIk1OX1Byb2R1Y3RfSW5zdGl0dXRpb25hbENsYWltc192MSIsIk1OX1Byb2R1Y3RfUERfQ2xhaW1zU3RhdHVzX3YxIiwiTU5fUHJvZHVjdF9QRF9DbGFpbXNfdjEiLCJNTl9Qcm9kdWN0X1BEX0VsaWdpYmlsaXR5X3YxIiwiVFBfUHJvZHVjdF9UcmFkaW5nUGFydG5lciJdLCJhcHBsaWNhdGlvbl9uYW1lIjoiSU5fQVBJUF9NTl9DSENfVGVzdEFwcCIsImRldmVsb3Blcl9lbWFpbCI6ImNkcHRlYW1AY2hhbmdlaGVhbHRoY2FyZS5jb20iLCJpc3MiOiJodHRwczovL3NhbmRib3guYXBpcy5jaGFuZ2VoZWFsdGhjYXJlLmNvbSIsImV4cCI6MTYxMDQ5NjcxMCwiaWF0IjoxNjEwNDkzMTEwLCJqdGkiOiJjNjQ4ODBjMC1hZDFhLTQ1NzEtOGJjYi02YmI2NGQ1YWRlYTgifQ.t8YPbCuyn_CNXmMIwlIL0y14j-RqO1VsHSkahtXZrf5uURZ0grU_oDepwNeRKf2Sr8norTSEsKvjPSFHaKxb_U7yQ2g9UnyH5PA1X63-Lj5v8h38BdUk19p2GQBJSzmGPEyazvYoCCxSGZ68RN9kZb_WrQWObsrMyb1JFN_zeWa2j3YGgbBglZNO_Wt1Ty6ZQrDWcxeVMlbIRMDAKYBUrmmTTsIpHrol-5YzyYgZVBpO-Hxz_otD4t-_DRx5_cxLl4tG1qi7i2Ddb65eO3XxQU-Ibzb9bAT4HXIR3Ab735cTJMBlK9jCfDc0DDCBkpGAHwJV5rj0zOEitC1xciLt3g",

    "token_type": "bearer",
    "expires_in": 3600
}

When you want to move to production, remove “sandbox” from the URL and use the following:

https://apigw.changehealthcare.com/apip/auth/v2/token

You will need a separate set of credentials for the Production APIs.

When you have a bearer token, you can use it to call all of your contracted Change Healthcare APIs with these HTTP headers:

content-Type: application/json
authorization: Bearer \<Your-Access-Token>\

Referring to Change Healthcare Security Information

Find out more about our security protocols and their implementation.