Authenticate a legacy API key

Last updated: Apr 14, 2025

DEVELOPER

HEALTH TECH VENDOR

This article is for legacy users since API keys have been deprecated. Learn how to use OAuth keys, which are our preferred authentication method.

If you haven’t already, check out our authentication overview. This article contains instructions for how to authenticate a source with a legacy API key.

Supported APIs

This authentication method is currently only supported for the Redox Data Model API. Remember, this is a deprecated option for legacy users.

Only for engineer roles

Any user in a given environment may view connectivity settings, including sources, destinations, API keys, and authentication credentials. However, you must be assigned to an engineer role to manage them (i.e., create, verify, edit, or delete). Learn about roles.

This how-to is only for users with an engineer role.

Authenticate a legacy API key

Log in to the Redox dashboard.
From the navigation menu, click the Developer page.
By default, the Sources tab opens and displays any configured sources and OAuth API keys. Find the source associated with the legacy API key you want to use. Click the Edit button. Or, to create a legacy API key, follow the steps to create a new source. Legacy API keys are tied 1:1 to a source, so to create a new one, you must create a new source. Then return to these instructions.
The Settings page displays. Copy the legacy API key value and generate a new secret value to send a request for an access token.
Use the following request:
Example: Request for generating an access token
bash
1
curl -X POST https://api.redoxengine.com/auth/authenticate \
2
-H 'Content-Type: application/json' \
3
-d '{"apiKey": "{{api-token}}", "secret": "super-secret-client-secret"}'
Example: Response for generating an access token
json
1
{
2
"accessToken": "13d5faa8-aacd-4a0d-a666-51455b1b2ced",
3
"expires": "2015-03-25T20:52:35.000Z",
4
"refreshToken": "4ed7b234-9bde-4a9c-9c86-e1bc6e535321"
5
}
Use the accessToken (in the first line of the response) to authenticate in later steps. Take note of the expires value, which contains the exact date and time that your access token expires. Access tokens expire 24 hours after retrieval. Then use the refreshToken to retrieve a new access token after this one expires. See the details for refreshing your token further down below.
401 error code
If you attempt to use an expired access token with a request, you'll receive a 401 Unauthorized error.
Authenticate your request. The Data Model API relies on OAuth 2.0 Bearer to authenticate requests. All requests via the Data Model API must contain an Authorization header with a valid access token in the following format: Authorization: Bearer [your-accessToken]
Example: Authorization header for a request
bash
1
curl -X POST https://api.redoxengine.com/endpoint \
2
-H '{"Authorization": "Bearer f81eeac9-7cb0-4a82-951b-724f592723ae"}'

Initiate a request

After successfully authenticating, you can initiate requests to any verified destinations. If you want to send test requests, you can send them to https://api.redoxengine.com/endpoint. Learn how to send test messages.

Canada URL

If you’re operating in Canada, you have to tweak the Redox hostname slightly. Add ca in the URL like this: https://api.ca.redoxengine.com.

Every Data Model API request must contain these headers and body parameters.

Header	Value	Description
Authentication	Bearers `your-authToken`	The token that authenticates your request. This header is required.
Content-Type	application/json	The value that identifies the type of API call.

Parameter	Type	Description
Meta.DataModel	String	The data model corresponding to the type of data you're sending or requesting.
Meta.EventType	String	The event type of the data model that you're sending or requesting. Learn more about event types.
Meta.Source.ID	String	The identifier for the source sending the outgoing request. This parameter is required if you have more than one legacy API key. Learn more about identifying a source.
Meta.Destinations[].ID	String array	Objects with ID value(s) of the endpoint(s) you're sending data to or the endpoint you're requesting data from.

Other required parameters

Each data model has different requirements for parameters. Explore each data model to see their respective requirements.

A request should generally look like this:

Example: General request

bash

1
curl \
2
 -X POST https://api.redoxengine.com/endpoint \
3
 -H "Content-Type: application/json" \
4
 -H "Authorization: Bearer $API_TOKEN" \
5
 -d '{
6
   "Meta": {
7
     "DataModel": "PatientAdmin",
8
     "EventType": "Arrival",
9
     "Destinations": [
10
       {
11
         "ID": "af394f14-b34a-464f-8d24-895f370af4c9",
12
         "Name": "Redox EMR"
13
       }
14
     ]
15
   },
16
   "Patient": {
17
      # … payload omitted
18
   }
19
 }'

Refresh your access token

You can use the refresh token returned from the most recent authentication request to retrieve a new access token via the refresh token endpoint:

Example: Request for refreshing an access token

bash

1
curl -X POST https://api.redoxengine.com/auth/refreshToken \
2
 -H '{"Content-Type": "application/json"}' \
3
 -d '{"apiKey": "{{API-token}}", "refreshToken": "4ed7b234-9bde-4a9c-9c86-e1bc6e535321"}'

The object returned for a successful response is the same as that for the original access token retrieval request noted above.

Refresh token

Refresh tokens are dynamic, so they change and rotate daily. They expire after 7 days of inactivity.

Pro tip: Did you know that requesting new tokens is simpler than using refresh tokens? Plus, you don't have to worry about rotating the refresh token if it's accidentally leaked. We recommend opting for requesting and using new tokens when possible.

Generate a new secret value

If either your API key or secret value are exposed, you must generate a new secret value. Learn how to generate a new secret value.

FHIR® is a registered trademark of Health Level Seven International (HL7) and is used with the permission of HL7. Use of this trademark does not constitute an endorsement of products/services by HL7®.