HealthID Knowledge 101 - Solving Authentication (401) issues with HealthID APIs

Hi All,
We have seen a lot of issues where integrators face unauthorized errors while trying to access HealthID APIs.

Here is a quick guide to ensure that you have smooth integration to HealthID APIs:

  1. All HealthID APIs are secured by JWT token issued by https://dev.ndhm.gov.in in sandbox. You can generate a new accessToken by calling https://dev.ndhm.gov.in/gateway/v0.5/sessions API.
  2. Please note that an accessToken has 5 minutes of expiry time (irrespective of usage/idle time).
    So ensure that you are using active token OR always generate a token before calling any HealthID APIs.
  3. In order to call healthID APIs, your clientID must be given appropriate role in NDHM gateway.
    So as part of on-boarding you need to let team know if you want to call HealthID APIs. If you do not have permission to access healthID APIs then you will get unauthorized error.
  4. Profile APIs in HealthID are secured by additional token named as X-Token which you get by authenticating/registering a User.

Flow for calling Authentication/Registration/Search/Forgot HealthID APIs:

  1. Generate accessToken by calling session APIs

curl 'https://dev.ndhm.gov.in/gateway/v0.5/sessions' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:79.0) Gecko/20100101 Firefox/79.0' -H 'Accept: application/json' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: https://dev.ndhm.gov.in/swagger/ndhm-gateway' -H 'Content-Type: application/json' -H 'Origin: https://dev.ndhm.gov.in' -H 'Connection: keep-alive' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' --data-raw '{"clientId":"SBX_0000000","clientSecret":"142g733a-2020-4xxx-axx11-222xxxxxxx"}'

  2. Call Authentication/Registration/Search/Forgot API on HealthID
    Get accessToken from the response received in step#1 above.
    This accessToken needs to be passed in Authorization header in format of Bearer <accessToken>.
    Let us call Authentication initiation API with it:

curl -X POST "https://healthidsbx.ndhm.gov.in/api/v1/auth/init" -H "accept: */*" -H "Accept-Language: en-US" -H "Authorization: Bearer <accessToken from Step#1>" -H "Content-Type: application/json" -d "{ \"authMethod\": \"PASSWORD\", \"healthid\": \"abcd@sbx\"}"


Flow for calling Profile APIs:

  1. Generate accessToken by calling session APIs

curl 'https://dev.ndhm.gov.in/gateway/v0.5/sessions' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:79.0) Gecko/20100101 Firefox/79.0' -H 'Accept: application/json' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: https://dev.ndhm.gov.in/swagger/ndhm-gateway' -H 'Content-Type: application/json' -H 'Origin: https://dev.ndhm.gov.in' -H 'Connection: keep-alive' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' --data-raw '{"clientId":"SBX_0000000","clientSecret":"142g733a-2020-4xxx-axx11-222xxxxxxx"}'

  2. Call Authentication APIs on HealthID to get User Session Token
    Get accessToken from the response received in step#1 above.
    This accessToken needs to be passed in Authorization header in format of Bearer <accessToken>.
    Let us call Authentication initiation API with it:

curl -X POST "https://healthidsbx.ndhm.gov.in/api/v1/auth/init" -H "accept: */*" -H "Accept-Language: en-US" -H "Authorization: Bearer <accessToken from Step#1>" -H "Content-Type: application/json" -d "{ \"authMethod\": \"PASSWORD\", \"healthid\": \"abcd@sbx\"}"

This API will respond with txnId which must be used in subsequent authentication calls.

  3. Call Authentication API (password method)

curl -X POST "https://healthidsbx.ndhm.gov.in/api/v1/auth/confirmWithPassword" -H "accept: */*" -H "Accept-Language: en-US" -H "Authorization: Bearer <accessToken from Step#1>" -H "Content-Type: application/json" -d "{ \"password\": \"myPass\", \"txnId\": \"<txnId received in response at Step#2>\"}"

  4. Call Get QRCode API:

curl -X GET "https://healthidsbx.ndhm.gov.in/api/v1/account/qrCode" -H "accept: */*" -H "Accept-Language: en-US" -H "X-Token: Bearer <userSessionToken from step#3>" -H "Authorization: Bearer <accessToken from Step#1>"

I hope this helps.
Let us improve our experience of integrating ABDM.

Thanks
ABDM HealthID Team

Hello Sir,
I tried to create health id using https://healthidsbx.ndhm.gov.in/api/v1/registration/mobile/generateOtp but it returns "unauthorized error".
I am using bearer token and X-Hip-Id: SBX_000236.
So I have these queries:
How can I check my account has appropriate permission to create health Id?
If no such permission then how I can get this permission?
Regards

Hi @shekhar,

You should have healthId to access the health ID APIs, check your gateway token, if the role is not present then @neha.parnami can help.

Thanks
Deepak
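
Added example (not part of any post in this thread, and not ABDM code): one way to "check your gateway token" locally by decoding the accessToken payload and testing the two causes of 401 named above, the 5-minute expiry and a missing role. It assumes the roles sit under a Keycloak-style `realm_access.roles` claim and takes the role name as a parameter; the sample token and its `hip` role are constructed, and the signature is not verified because this is for diagnostics only.

```python
import base64
import json
import time


def jwt_claims(token):
    """Decode the payload of a JWT without verifying its signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_401(token, required_role, now=None):
    """Return the reasons this accessToken would be rejected; empty list means none found."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    problems = []
    exp = claims.get("exp")
    if exp is None:
        problems.append("no exp claim")
    elif exp <= now:
        problems.append(f"expired {int(now - exp)}s ago; call /sessions again")
    # ASSUMPTION: roles are listed under realm_access.roles (Keycloak-style layout).
    roles = claims.get("realm_access", {}).get("roles", [])
    if required_role not in roles:
        problems.append(f"role {required_role!r} missing; token has {sorted(roles)}")
    return problems


def _make_sample(claims):
    """Build an unsigned, constructed token for the demo (not a real gateway token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample: expires at t=1300 (5 minutes after t=1000), no HealthID role.
SAMPLE = _make_sample({"clientId": "SBX_0000000", "exp": 1300,
                       "realm_access": {"roles": ["hip"]}})

if __name__ == "__main__":
    for line in diagnose_401(SAMPLE, "healthId", now=1400):
        print(line)
```

If the role is reported missing, the fix is on the gateway side, as the replies in this thread show; regenerating the token only helps with the expiry case.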

I have checked, it is not mentioned about Health ID API access permission. So I request @neha.parnami please give the permission or let me know how to get the permission.

Hey @shekhar,

It’s done.
please check now.

thanks

Thank you for your helpful response. It’s working now from Postman. I can send OTP. But when I try from our development server or localhost using a CURL request, it returns Error:No URL set!

Dear Team, We are getting unauthorized access to Health ID API’s. So, please give the permission for our ClientID : SBX_001567
@neha.parnami @Shubhanshu_Shukla

Hey @manikanta4,

Basic roles are already assigned,
@depakpant can you please take this up.

Thanks

I am also getting unauthorized access to Health ID API’s. Please give the permission for Client ID - SBX_001548

@neha.parnami @Shubhanshu_Shukla

Hi team,

I guess my teammates forgot to add access to health id APIs while onboarding. Can you guys please help in providing the access? @neha.parnami @shekhar

“clientId”: “SBX_000377”

Thanks

Can someone also give permission to SBX_000259

Hi @neha.parnami … we are facing the similar issue and need access from NFHM side. Can you please grant Health ID API access to Client ID SBX_001526. Thanks!

@shekhar - Can you please expedite it.

Hi NHA Team,

In order to have access to HealthID APIs, our clientId “SBX_000387” must have hid role in gateway, so could you please provide the consent role to the below client id ASAP?

“clientId”: “SBX_000387”,

“clientSecret”: “4f1612fb-33ff-4a99-b5ef-86b55243fc14”
Regards,

Ramireddy

Ph No: 7013605477

We are also getting unauthorized access to Health ID API’s. Please give the permission for Client ID - SBX_000387

@Dhawal We are getting 401 error for Verify OTP with Aadhaar Health Id Registration with Aadhar - VerifyOtp - unauthorized error
Could you please check if the client id SBX_001751 has access.
Thanks