Bridge Health API: Authentication & Authorization
Overview
The API uses a JSON-based Bearer-token scheme. Clients obtain an access token with a single call to POST /auth/token, then include the access token in the Authorization header of every subsequent request.
Obtaining an access token
- Endpoint: POST /auth/token
- Base URL: https://api.bridgehealthhub.com
- Content-Type: application/json
- Auth on this call: None (uses the client_key / client_secret pair instead)
Request body (schema)
Field | Type | Required | Notes |
---|---|---|---|
client_key | string | Yes | Issued by Bridge Health |
client_secret | string | Yes | Keep secret—never embed in publicly shipped code |
POST https://api.bridgehealthhub.com/auth/token
Content-Type: application/json
{
  "client_key": "<your_client_key>",
  "client_secret": "<your_client_secret>"
}
Successful response 200 OK
Field | Type | Notes |
---|---|---|
access_token | string (JWT) | Send in Authorization: Bearer … |
expires_in | integer | Lifetime of the access token in seconds |
refresh_token | string (JWT) | Use to obtain a new access token without re-authenticating |
token_type | string | Always "Bearer" |
{
  "data": {
    "access_token": "eyJhbGciOiJIUzI1NiIsInR …",
    "expires_in": 599,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR …",
    "token_type": "Bearer"
  },
  "message": "Success",
  "success": true
}
Example curl
curl -X POST https://api.bridgehealthhub.com/auth/token \
  -H "Content-Type: application/json" \
  -d '{
    "client_key": "<your_client_key>",
    "client_secret": "<your_client_secret>"
  }'
Example python
import requests
import json

url = "https://api.bridgehealthhub.com/auth/token"
payload = json.dumps({
    "client_key": "<your_client_key>",
    "client_secret": "<your_client_secret>"
})
headers = {
    'Content-Type': 'application/json'
}
response = requests.request("POST", url, headers=headers, data=payload)
print(response.text)
Example java
OkHttpClient client = new OkHttpClient().newBuilder()
    .build();
// The endpoint expects application/json, as stated above.
MediaType mediaType = MediaType.parse("application/json");
// Load the key and secret from configuration; do not hard-code them in source.
RequestBody body = RequestBody.create(mediaType, "{\n \"client_key\": \"<your_client_key>\",\n \"client_secret\": \"<your_client_secret>\"\n}\n");
Request request = new Request.Builder()
    .url("https://api.bridgehealthhub.com/auth/token")
    .method("POST", body)
    .build();
Response response = client.newCall(request).execute();
Example C#
var client = new HttpClient();
var request = new HttpRequestMessage(HttpMethod.Post, "https://api.bridgehealthhub.com/auth/token");
// The endpoint expects application/json; load the key and secret from configuration, not source.
var content = new StringContent("{\n \"client_key\": \"<your_client_key>\",\n \"client_secret\": \"<your_client_secret>\"\n}\n", null, "application/json");
request.Content = content;
var response = await client.SendAsync(request);
response.EnsureSuccessStatusCode();
Console.WriteLine(await response.Content.ReadAsStringAsync());
Using the access token
Include the token in every request:
POST /enroll
Host: api.bridgehealthhub.com
Authorization: Bearer <access_token>
Content-Type: application/json
Example:
curl https://api.bridgehealthhub.com/enroll \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <access_token>' \
  --data '{
    "thcoPatientID": "THCO 9",
    "cboID": 1,
    "pharmacyID": "1",
    "insuranceType": "Commercial",
    "zipCode": "75034"
  }'
Refreshing an Expired Token
Token lifetime & Refresh Flow:
Step | Action |
---|---|
1 | Track the expires_in value returned with the access token. |
2 | When (or just before) it expires, call POST /auth/token/refresh (confirm exact path with backend; common variant is /auth/refresh), sending the refresh_token in the body or as Authorization: Bearer (implementation-specific). |
3 | The server returns a fresh access_token / expires_in. Keep using your original refresh_token unless the response supplies a new one. |
When the expires_in has elapsed, call /auth/refresh:
POST https://api.bridgehealthhub.com/auth/refresh
Authorization: Bearer <refresh_token>
Example curl
curl --location --request POST 'https://api.bridgehealthhub.com/auth/refresh' \
  --header 'Authorization: Bearer <refresh_token>'
Example python
import requests

url = "https://api.bridgehealthhub.com/auth/refresh"
payload = {}
headers = {
    # The refresh token, not the access token, authenticates this call.
    'Authorization': 'Bearer <refresh_token>'
}
response = requests.request("POST", url, headers=headers, data=payload)
print(response.text)
Example java
OkHttpClient client = new OkHttpClient().newBuilder()
    .build();
MediaType mediaType = MediaType.parse("text/plain");
RequestBody body = RequestBody.create(mediaType, "");
Request request = new Request.Builder()
    .url("https://api.bridgehealthhub.com/auth/refresh")
    .method("POST", body)
    // The refresh token, not the access token, authenticates this call.
    .addHeader("Authorization", "Bearer <refresh_token>")
    .build();
Response response = client.newCall(request).execute();
Example C#
var client = new HttpClient();
var request = new HttpRequestMessage(HttpMethod.Post, "https://api.bridgehealthhub.com/auth/refresh");
// The refresh token, not the access token, authenticates this call.
request.Headers.Add("Authorization", "Bearer <refresh_token>");
var response = await client.SendAsync(request);
response.EnsureSuccessStatusCode();
Console.WriteLine(await response.Content.ReadAsStringAsync());
The server returns a new access_token. If the call fails with 401 or 403, you must repeat the original /auth/token request with client_key & client_secret.
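The refresh flow above, written as a client-side token cache that goes one step beyond the single-call snippets. This is an added example, not Bridge Health's code: the post transport callable and the fake_api stand-in are hypothetical, and the refresh response is assumed to use the same data envelope as /auth/token.

```python
import time
BASE = "https://api.bridgehealthhub.com"

class TokenManager:
    """Caches the access token; renews it `skew` seconds before expires_in elapses."""
    def __init__(self, post, client_key, client_secret, clock=time.monotonic, skew=30):
        self._post = post  # assumed callable(url, headers, json_body) -> (status, parsed_json)
        self._creds = {"client_key": client_key, "client_secret": client_secret}
        self._clock, self._skew, self._deadline = clock, skew, 0.0
        self._access = self._refresh = None

    def _store(self, data):
        self._access = data["access_token"]
        # Keep the original refresh token unless the response supplies a new one.
        self._refresh = data.get("refresh_token", self._refresh)
        self._deadline = self._clock() + data["expires_in"] - self._skew

    def _login(self):
        status, body = self._post(BASE + "/auth/token",
                                  {"Content-Type": "application/json"}, self._creds)
        if status != 200 or not body.get("success"):
            raise PermissionError(f"/auth/token failed with HTTP {status}")
        self._store(body["data"])

    def token(self):
        if self._access and self._clock() < self._deadline:
            return self._access  # still valid, no network call
        if self._refresh:
            status, body = self._post(BASE + "/auth/refresh",
                                      {"Authorization": "Bearer " + self._refresh}, None)
            if status == 200 and body.get("success"):
                self._store(body["data"])
                return self._access
            if status not in (401, 403):
                raise RuntimeError(f"/auth/refresh failed with HTTP {status}")
        self._login()  # first use, or refresh rejected with 401/403
        return self._access

def fake_api(calls, reject_refresh=False):
    """Constructed offline stand-in for the API; appends each called path to `calls`."""
    def post(url, headers, body):
        calls.append(url[len(BASE):])
        if calls[-1] == "/auth/refresh" and reject_refresh:
            return 401, {"success": False}
        data = {"access_token": f"access-{len(calls)}", "expires_in": 599}
        if calls[-1] == "/auth/token":
            data["refresh_token"] = "refresh-1"
        return 200, {"success": True, "data": data}
    return post
```

In a real client, pass a post callable that wraps your HTTP library and read client_key and client_secret from the environment or a secret store rather than from source.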
Authentication Errors
401 Unauthorized
This error response is presented when the client_key or client_secret in the /auth/token request is incorrect.
{
  "error": {
    "code": "UNAUTHORIZED",
    "details": "Invalid credentials"
  },
  "message": "Unauthorized",
  "success": false
}
400 Bad Request
This error response is presented when one of the required fields in the body of the /auth/token request (either client_key or client_secret) is missing.
{
  "error": {
    "code": "BAD_REQUEST",
    "details": "Invalid client key or secret"
  },
  "message": "Bad request",
  "success": false
}