Authentication

Overview

API requests are authenticated with the secret key you include in the Authorization header. If you don't provide your secret key, or you provide an invalid or expired key, we will return a 401 Unauthorized HTTP status code.

All API requests are made in either test or live mode, and the mode is determined by the secret key provided. Test mode keys are prefixed with ch_sk_test and live mode keys are prefixed with ch_sk_live. Read more about our API modes here.

❗️

Only use live keys in your production environment to ensure you don't make changes for your customers, practitioners, and patients while testing.

Sending API requests

Secret key authentication follows the HTTP Basic Auth specification. Provide your secret key as the username and an empty string as the password through the Authorization header of your API request.
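
The header construction described above, as an added Python example (not code from this API's own documentation or SDK). The environment variable name API_SECRET_KEY and the sample key are constructed for illustration; the mode check uses the ch_sk_test and ch_sk_live prefixes given in the overview.

```python
import base64
import os

# Key prefixes as stated on this page.
PREFIXES = {"test": "ch_sk_test", "live": "ch_sk_live"}


def load_secret_key(mode, environ=os.environ, var="API_SECRET_KEY"):
    """Read the key from the environment and refuse a key of the wrong mode.

    `var` is a hypothetical variable name; in production it would be populated
    from a secrets manager rather than a file in version control.
    """
    if mode not in PREFIXES:
        raise ValueError(f"unknown mode: {mode!r}")
    key = environ.get(var, "")
    if not key:
        raise RuntimeError(f"{var} is not set")
    if not key.startswith(PREFIXES[mode]):
        # Never echo the key itself in an error message.
        raise RuntimeError(f"{var} is not a {mode} mode key")
    return key


def basic_auth_header(secret_key):
    """HTTP Basic Auth: base64("username:password") with an empty password."""
    if ":" in secret_key:
        raise ValueError("a Basic Auth username cannot contain ':'")
    token = base64.b64encode(f"{secret_key}:".encode("ascii")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def redact(secret_key):
    """Log-safe form: keep the mode prefix, hide the rest."""
    for prefix in PREFIXES.values():
        if secret_key.startswith(prefix):
            return prefix + "_****"
    return "****"


if __name__ == "__main__":
    # Constructed sample key, not a real credential.
    env = {"API_SECRET_KEY": "ch_sk_test_constructed0123"}
    key = load_secret_key("test", env)
    print(redact(key), basic_auth_header(key))
```

The trailing colon before encoding is what carries the empty password; the base64 token is an encoding, not encryption, so the header is only as confidential as the TLS connection it travels over.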

Security

Your secret keys authenticate all API requests made by you, so they must be kept secure. Do not grant access to the keys to anyone who doesn't need it, and ensure they are never publicly exposed (in a version control system, in client-side code, etc.).

👍

We recommend storing your live mode secret keys in an encrypted secrets manager like AWS Secrets Manager.