Authentication
All access to the API is secured with OAuth 2.0 credentials.
For development purposes, we will issue you with Vendor Dev OAuth keys, which allow you full access to the sandbox environment. There you can run all calls available in the API, including adding new locations, adding test providers, and making test claims.
The API uses two types of authentication.
Vendor authentication
Vendor authentication grants API access to submit and retrieve data for all locations that belong to the Vendor, and to create new locations. If your software runs from a central server, with all API calls originating from that server (e.g. a SaaS product), then you will only need Vendor authentication to secure all communications between your server and ours. We expect, and will need to verify with you, that you securely manage the connection between your server and your clients.
Location authentication
If your PMS is installed at each site, and API calls will be between those sites and our server, then in addition to your Vendor authentication you will also need to generate location-level credentials for each site, using your Vendor OAuth credentials.
Each site must have its own keys. This is an additional security layer that limits API access for providers at that location to their own data.
Adding and updating location details and provider details requires Vendor authentication. Location-level authenticated calls cannot create new locations.
For a Vendor to submit and retrieve claims on behalf of one of their locations, an extra query string parameter “?location=?” must be set to identify which location they are working with. The remainder of the request will be limited to objects belonging to that location.
NOTE: If you’re authenticating with location-level credentials, the “?location=?” query string parameter is not required as it is implicit.
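Because Vendor credentials reach every location the Vendor owns, a central server should set the location parameter from its own session data and never pass through a value supplied by the client. The sketch below is an added example, not code from the API's documentation: the host, path, location IDs and function names are constructed for illustration, and only the `location` parameter name comes from this page.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

VENDOR, LOCATION = "vendor", "location"  # credential levels described above


class ScopeError(Exception):
    """Raised when a claims call would not be pinned to an allowed location."""


def scoped_claims_url(url, cred_level, session_locations=frozenset(),
                      requested_location=None):
    """Return a claims URL whose location scope is decided by the server.

    url                -- claims endpoint URL (hypothetical; may carry client query)
    cred_level         -- VENDOR or LOCATION
    session_locations  -- location IDs the authenticated user belongs to,
                          taken from the server-side session, not the request
    requested_location -- the location the user asked to work with
    """
    parts = urlsplit(url)
    # Drop any location value already in the URL so that only this
    # function can set it.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "location"]

    if cred_level == LOCATION:
        # Location-level credentials: the location is implicit, send nothing.
        pass
    elif cred_level == VENDOR:
        if requested_location is None:
            raise ScopeError("vendor-level claims call needs a location")
        if requested_location not in session_locations:
            raise ScopeError("user is not attached to the requested location")
        query.append(("location", requested_location))
    else:
        raise ScopeError(f"unknown credential level: {cred_level!r}")

    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed sample: the client tried to smuggle location=L-999.
    print(scoped_claims_url(
        "https://api.example.invalid/claims?status=paid&location=L-999",
        VENDOR, session_locations={"L-001"}, requested_location="L-001"))
```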
Medicare Certificates
Providers DO NOT require their own Medicare certificates to use the API, which has its own secure connection to Medicare.
Providers may want to have a Medicare Location Certificate for other purposes such as accessing the Health Providers Online Services portal (HPOS). This is fine and won’t interfere with their access to eclaiming using our API. We don’t provide support for these other uses.
Medicare Webservices
PKI technology is being replaced with Medicare Webservices. In March 2022 all Client Adaptor transmissions to Medicare will cease. The Claiming.com.au API has already made the transition to Webservices so vendors and Practitioners will be unaffected by this change.
Production Environment Access
When we have verified that your development is complete and successfully reviewed your implementation, we will issue you with Production OAuth keys. Your end users will then be able to verify patient details in real time, submit live claims to Medicare & DVA, and retrieve processing & payment reports.