Configuring your system to receive and respond

Authenticating your system opens one side of the data traffic highway, so to speak. It's equally important to configure your system to receive and respond to API requests. To successfully exchange data, your system must:

  • be publicly accessible from the internet;
  • accept POST requests;
  • use SSL/TLS encryption (not relevant to development environments); and
  • check the verification token of every incoming request.

Verification tokens vs. access tokens

We recommend using a verification token to authenticate incoming data from Redox—just like an access token authenticates outgoing data to Redox. Checking the verification token ensures that your system only processes data legitimately received from Redox. In other words, it's like checking your caller ID before answering a phone call.

So Redox generates an access token for you to initiate requests, but your system generates a verification token for Redox to push data to you. Together, the two tokens authenticate both directions of the data exchange.

Before processing an incoming request, we recommend that you verify its legitimacy. You do this by checking that the verification token matches the one you gave to Redox. Learn how to configure and verify an endpoint.

Receiving requests

Once an endpoint is verified, you can begin receiving requests. If you want to receive data for multiple systems, you must verify each one individually. Any request you receive should have the verification token in the header like this:

Example: Verification token headers

"authorization" : "Bearer [your-verification-token]"
"verification-token" : "[your-verification-token]"

If the verification token doesn’t match, the request isn’t from Redox, so you should discard it without processing it.
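
One way to implement this check, shown as an added example (not Redox's own code). The function and handler names, the sample token, the 401 status, and the rule that every header present must match are assumptions made for illustration.

```python
import hmac

# Constructed sample value; in practice load the token you gave to Redox
# from a secret store, never from source code.
EXPECTED_TOKEN = "example-verification-token-constructed"


def _matches(candidate, expected):
    # Constant-time comparison so response timing does not reveal how many
    # leading characters of a guessed token were correct.
    return hmac.compare_digest(candidate.encode("utf-8"), expected.encode("utf-8"))


def is_from_redox(method, headers, expected=EXPECTED_TOKEN):
    """Return True only for a POST whose verification token matches."""
    if method.upper() != "POST" or not expected:
        return False
    # HTTP header names are case-insensitive; normalize before lookup.
    norm = {k.lower(): v.strip() for k, v in headers.items()}
    presented = []
    if "verification-token" in norm:
        presented.append(norm["verification-token"])
    if "authorization" in norm:
        scheme, _, value = norm["authorization"].partition(" ")
        if scheme.lower() != "bearer":
            return False
        presented.append(value.strip())
    # Assumption: at least one of the two headers must be present, and
    # every header that is present must carry the expected token.
    return bool(presented) and all(_matches(p, expected) for p in presented)


def handle(method, headers, body):
    """Hypothetical handler: discard unverified requests without processing."""
    if not is_from_redox(method, headers):
        # Status code is an assumption; the body is never parsed.
        return 401, ""
    return 200, "processed"
```

Run the check before any parsing of the request body, so that unverified input never reaches your message-handling code.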

Responding to requests

The response to any request you receive differs based on the request type and the requirements of your connection's EHR system. Check out how to handle responses for: