Authenticating Redox APIs

No one answers the phone when they don’t recognize the number on the screen. Unless you ordered food delivery, in which case you take a chance in case the delivery person needs help finding you. But generally, we swap phone numbers and send a text to someone we actually want to talk to so that they know it’s us when we want to communicate with them later. In other words, you’re authenticating your identity.

But what happens when you change your phone number? Simple, you send another text to confirm your identity with a new phone number. 

Authenticating your configuration with Redox is similar in concept: we want to make sure it’s you on the other end of that call, and we do this by giving you an API key and secret. Secret values are how your system proves its identity to us.

First, you plug in the API key and secret in the Redox dashboard. Then, when you send an authentication request with these values, we generate an access token for you that’s good for 24 hours, which allows you to freely initiate requests and receive data back.

Request types

Authenticating your system applies specifically to SEND and REQUEST types of requests.

Using multiple keys

We recommend having an API key and secret for each environment. For most systems, this means having one each for development, staging, and production.

However, you have the flexibility to create more than one API key and secret for a given environment, depending on how you want to control access. This depends on your unique security practices. If, for example, you have two development teams working in the same environment, it may be useful to have an extra key and secret so that the keys can be used within the context of one development team. 

But it’s your call on how many keys to use—yes, you’re welcome for that unintentional, but delightful pun.

Keep your secrets safe

Your API key and secret should be kept secure and should never be exposed to a client for production data.

Multiple API keys for the Redox Data Model API

If you decide to use multiple API keys per environment type, the Meta.Source.ID field is required in any of your outgoing API requests with the Data Model API. This is required since OAuth API keys are organization-level keys, not system-specific, and Redox needs to be able to distinguish which system initiated the message to route it appropriately.

If you're using multiple legacy API keys per environment type, the Meta.Source.ID field is optional since the legacy API keys are inherently specific to a given system anyway.
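The sketch below ties together the 24-hour access token, the per-environment key and secret, and the Meta.Source.ID rule described above. It is an added example, not Redox code: the environment variable names, the `fetch_token` callable that stands in for the real authentication request, the five-minute refresh margin, and all class and function names are assumptions.

```python
import os
import time

TOKEN_LIFETIME_S = 24 * 60 * 60  # from the page: a token is good for 24 hours
REFRESH_MARGIN_S = 5 * 60        # assumption: renew slightly before expiry


class RedoxCredentials:
    """API key and secret for one environment, read from assumed env var names."""

    def __init__(self, environment, env=os.environ):
        prefix = f"REDOX_{environment.upper()}_"
        self.environment = environment
        self.api_key = env[prefix + "API_KEY"]
        self.secret = env[prefix + "API_SECRET"]

    def __repr__(self):  # keep key and secret out of logs and tracebacks
        return f"RedoxCredentials({self.environment!r}, secret=<redacted>)"


class TokenCache:
    """Reuses one access token until shortly before its 24-hour expiry."""

    def __init__(self, creds, fetch_token, clock=time.time):
        self._creds, self._fetch, self._clock = creds, fetch_token, clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - REFRESH_MARGIN_S:
            # fetch_token is a hypothetical callable that sends the real
            # authentication request and returns the access token string.
            self._token = self._fetch(self._creds.api_key, self._creds.secret)
            self._expires_at = now + TOKEN_LIFETIME_S
        return self._token


def with_source_id(message, source_id, multiple_oauth_keys):
    """Copy a Data Model message, setting Meta.Source.ID and enforcing the rule."""
    meta = dict(message.get("Meta", {}))
    source = dict(meta.get("Source", {}))
    if source_id:
        source["ID"] = source_id
    if multiple_oauth_keys and not source.get("ID"):
        raise ValueError("Meta.Source.ID is required with multiple OAuth API keys")
    if source:
        meta["Source"] = source
    return {**message, "Meta": meta}
```

Keeping the cache on the server side means the key and secret are only read where the token is requested, and callers only ever handle the short-lived token.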

Authentication methods

You have two options for authenticating your configuration with Redox.

Receiving responses

Once you complete your authentication and receive an access token, you're ready to initiate and receive requests. Responses to your requests differ based on the type of request made and whether you require a response from your partner’s EHR system. Learn more about: