OAuth
Because Humana's APIs involve consumer-mediated exchange of data, we follow the OAuth 2.0 protocol for authentication. When accessing Humana's sandbox APIs, follow the instructions below to receive an Authorization Code and an Access Token for a sandbox user. Note that the Authorization Code is valid for a single use only.
Getting an Authorization Code
Copy the link below into a browser window to initiate the member authentication and authorization flow.
https://fhir.humana.com/sandbox/auth/authorize?client_id={your_client_id}&redirect_uri={your_redirect_url}&response_type=code
Use the following guidance to log in as a sandbox user. There are currently 20 sandbox users. The username and password pattern is as follows:
USERNAME | HUser##### |
---|---|
PASSWORD | PW#####! |
where '#####' is a '0'-padded number ranging from 00001 up to the number of sandbox users. For example:
USERNAME | HUser00007 |
---|---|
PASSWORD | PW00007! |
Once the page has loaded, the authorization code will be appended to the URL following the "=".
Getting an Access Token
Now that you have your application credentials and authorization code, perform a POST request against the Access Token endpoint using the URL, headers, and body content below.
URL
Headers
content-type | application/x-www-form-urlencoded |
accept | application/json |
authorization | Basic base64({your_client_id}:{your_client_secret}) |
* Not shown in the examples, but we do support the content-type of application/json as well.
Body
code | {oauth code} |
grant_type | "authorization_code" |
redirect_uri | {your_redirect_uri} |
Sample Request
```
curl --location --request POST 'https://fhir.humana.com/sandbox/auth/token' \
  --header 'Authorization: Basic base64({client_id}:{client_secret})' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'code={your authorization code}' \
  --data-urlencode 'grant_type=authorization_code' \
  --data-urlencode 'redirect_uri={redirect_uri}'
```
Sample Response
```
{
  "access_token": "83faec5953c5d13d31545d403dd870694fd21590bb3a",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "d9dd62995b29ac21223bd036c7e5273d3a7c5f96a9eb",
  "id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2Mzk0MDcyMTUsImV4cCI6MTYzOTQxMDgxNSwiYXVkIjoiYmQwYTBjZmMtMDEwNS00NDAwLWEyMjEtNGM1YWY1Nzg0ZmE1IiwiaXNzIjoiaHR0cHM6Ly9xYS5odW1hbmEuY29tIiwic3ViIjoiNjI0NDEwNDUyMjkyMyJ9.L51XoYTE6SEzlZoEUGfWzmlOnfOvprz5sTV1N6U3VJQ",
  "patient": "66354c676258634e447661303863724d332b6d6e47773d3d",
  "scope": "internal openid launch/patient offline_access patient/Patient.read patient/Coverage.read patient/ExplanationOfBenefit.read patient/Procedure.read patient/MedicationRequest.read patient/Immunization.read patient/CareTeam.read patient/Condition.read patient/CarePlan.read patient/Observation.read patient/AllergyIntolerance.read patient/Goal.read patient/DocumentReference.read patient/List.read"
}
```
Getting an Access Token using Refresh Token
After your original access token has expired, you can make a call to retrieve a new access token using your original refresh token. This enables your application to retrieve updated data on behalf of sandbox users on an ongoing basis without requiring the user to navigate the OAuth flow again.
URL
Headers
content-type | application/x-www-form-urlencoded |
accept | application/json |
authorization | Basic base64({client_id}:{client_secret}) |
Body
refresh_token | {refresh token} |
grant_type | "refresh_token" |
Sample Request
```
curl --location --request POST 'https://fhir.humana.com/sandbox/auth/token' \
  --header 'Authorization: Basic base64({client_id}:{client_secret})' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'refresh_token={refresh token}' \
  --data-urlencode 'grant_type=refresh_token'
```
Sample Response
```
{
  "access_token": "83faec5953c5d13d31545d403dd870694fd21590bb3a",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "d9dd62995b29ac21223bd036c7e5273d3a7c5f96a9eb",
  "id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2Mzk0MDcyMTUsImV4cCI6MTYzOTQxMDgxNSwiYXVkIjoiYmQwYTBjZmMtMDEwNS00NDAwLWEyMjEtNGM1YWY1Nzg0ZmE1IiwiaXNzIjoiaHR0cHM6Ly9xYS5odW1hbmEuY29tIiwic3ViIjoiNjI0NDEwNDUyMjkyMyJ9.L51XoYTE6SEzlZoEUGfWzmlOnfOvprz5sTV1N6U3VJQ",
  "patient": "66354c676258634e447661303863724d332b6d6e47773d3d",
  "scope": "internal openid launch/patient offline_access patient/Patient.read patient/Coverage.read patient/ExplanationOfBenefit.read patient/Procedure.read patient/MedicationRequest.read patient/Immunization.read patient/CareTeam.read patient/Condition.read patient/CarePlan.read patient/Observation.read patient/AllergyIntolerance.read patient/Goal.read patient/DocumentReference.read patient/List.read"
}
```
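The authorization-code exchange and the refresh request described above, as an added Python example (not Humana's code): it parses the code from the redirect URL, computes the actual Base64 value that the `base64({client_id}:{client_secret})` placeholder stands for, and builds both form-encoded POSTs without sending them. The function names and the way the response is handled are assumptions; the endpoint, headers and body fields are those shown on this page.

```python
import base64
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://fhir.humana.com/sandbox/auth/token"  # from the sample requests

def extract_code(redirected_url):
    """Parse the single-use authorization code out of the redirect URL."""
    query = urllib.parse.urlparse(redirected_url).query
    codes = urllib.parse.parse_qs(query).get("code", [])
    if len(codes) != 1:
        raise ValueError("redirect URL must carry exactly one 'code' parameter")
    return codes[0]

def basic_auth(client_id, client_secret):
    """Real header value behind the page's base64({client_id}:{client_secret})."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def token_request(client_id, client_secret, fields):
    """Build (do not send) the form-encoded POST to the token endpoint."""
    return urllib.request.Request(
        TOKEN_URL,
        data=urllib.parse.urlencode(fields).encode("ascii"),
        headers={
            "Authorization": basic_auth(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        method="POST",
    )

def code_grant(client_id, client_secret, code, redirect_uri):
    """Exchange request for 'Getting an Access Token'."""
    fields = {"code": code, "grant_type": "authorization_code",
              "redirect_uri": redirect_uri}
    return token_request(client_id, client_secret, fields)

def refresh_grant(client_id, client_secret, refresh_token):
    """Request for 'Getting an Access Token using Refresh Token'."""
    fields = {"refresh_token": refresh_token, "grant_type": "refresh_token"}
    return token_request(client_id, client_secret, fields)

def expires_at(token_response, now=None):
    """Epoch time at which the access token lapses, from expires_in."""
    issued = time.time() if now is None else now
    return issued + int(token_response["expires_in"])
```

Send a built request with `urllib.request.urlopen(req, timeout=10)`, and load the client secret from the environment or a secret store rather than source code.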