Authentication & API Setup
To interact with DrChrono’s API, Bookadoc uses OAuth 2.0, a secure authorization protocol that enables safe access to DrChrono’s services. This authentication ensures that only authorized systems can retrieve and modify appointment data, patient records, and provider schedules.
DrChrono requires API clients to use the OAuth 2.0 Authorization Code grant (the Grant type configured in the table below): the client first obtains an authorization code at its callback URL, then exchanges that code for an access token before making API requests.
OAuth 2.0 Authentication Process
The authentication process follows these steps:
Authorization
Proceed directly to the Authorization tab of the DrChrono Postman Collection from the collection overview screen. On the Authorization tab choose "OAUTH 2.0" from the "Auth Type" dropdown box. Use the table provided below to complete the configure token section:
| Parameter | Description |
|---|---|
| Token Name | DrChronoToken |
| Grant type | Authorization Code |
| Callback URL | https://www.bookadoc.com |
| Auth URL | https://drchrono.com/o/authorize/ |
| Access Token URL | https://drchrono.com/o/token/ |
| Client ID | Unique identifier for Bookadoc's integration |
| Client Secret | Secret key for authentication |
| Scope | labs:read labs:write messages:read messages:write patients:read patients:write patients:summary:read patients:summary:write settings:read settings:write tasks:read tasks:write user:read user:write billing:patient-payment:read billing:patient-payment:write billing:read billing:write calendar:read calendar:write clinical:read clinical:write |
| State | Leave as is |
| Client Authentication | Leave as is |
Once every field is filled in, select the orange "Get New Access Token" button at the bottom of the page.
Error Handling in Authentication
If authentication fails, the API returns an error response. Bookadoc must handle these scenarios properly.
Common Authentication Errors
| Error Code | Description | Resolution |
|---|---|---|
| 401 Unauthorized | Invalid credentials or expired token | Ensure the credentials are correct and refresh the token if it has expired |
| 403 Forbidden | Insufficient permissions | Verify the requested API scopes and the permissions granted to the client |
| 500 Internal Server Error | DrChrono service issue | Retry after some time |
Security Best Practices
To ensure secure authentication:
- Store API credentials securely using environment variables.
- Rotate client credentials periodically to reduce security risks.
- Use HTTPS for all API requests to encrypt sensitive data.
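The following client ties the error table and the practices above together: it exchanges the authorization code at the Access Token URL, refreshes on 401, refuses to retry on 403, backs off on 5xx, and reads the client credentials from environment variables. This is an added example, not Bookadoc's or DrChrono's own code; the `http` callable, the `DRCHRONO_CLIENT_ID`/`DRCHRONO_CLIENT_SECRET` variable names and the token-response fields are assumptions.

```python
import os
import time

TOKEN_URL = "https://drchrono.com/o/token/"
CALLBACK_URL = "https://www.bookadoc.com"


class DrChronoClient:
    """Keeps tokens and applies the error table: 401 -> refresh, 403 -> stop, 5xx -> retry."""
    def __init__(self, http, client_id=None, client_secret=None, clock=time.monotonic, sleep=time.sleep):
        self.http = http  # assumed transport: callable(method, url, data=None, headers=None) -> (status, json_body)
        self.client_id = client_id or os.environ["DRCHRONO_CLIENT_ID"]  # credentials from env, never hard-coded
        self.client_secret = client_secret or os.environ["DRCHRONO_CLIENT_SECRET"]
        self.clock, self.sleep = clock, sleep
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def exchange_code(self, code):  # swap the authorization code received at the callback URL for tokens
        return self._token_request({"grant_type": "authorization_code", "code": code,
                                    "redirect_uri": CALLBACK_URL})

    def refresh(self):
        return self._token_request({"grant_type": "refresh_token", "refresh_token": self.refresh_token})

    def _token_request(self, fields):
        fields.update(client_id=self.client_id, client_secret=self.client_secret)
        status, body = self.http("POST", TOKEN_URL, data=fields)
        if status != 200:
            raise PermissionError(f"token endpoint returned {status}: {body}")
        self.access_token = body["access_token"]
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        self.expires_at = self.clock() + float(body.get("expires_in", 0)) - 30  # renew 30 s early
        return self.access_token

    def get(self, url, attempts=3):
        for attempt in range(attempts):
            if self.clock() >= self.expires_at:  # token expired: renew before sending the request
                self.refresh()
            status, body = self.http("GET", url, headers={"Authorization": f"Bearer {self.access_token}"})
            if status == 200:
                return body
            if status == 401:  # invalid or expired token: renew and retry
                self.refresh()
            elif status == 403:  # missing scope: retrying cannot help, surface it to the caller
                raise PermissionError(f"403 Forbidden for {url}: check the granted scopes")
            elif status >= 500:  # DrChrono-side failure: back off, then retry
                self.sleep(2 ** attempt)
            else:
                raise RuntimeError(f"unexpected {status} from {url}: {body}")
        raise RuntimeError(f"giving up on {url} after {attempts} attempts")
```

The real transport only needs to POST form fields to the token URL and send the `Authorization: Bearer` header on API calls; the injected `clock` and `sleep` keep the retry logic testable without waiting.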
Conclusion
Bookadoc authenticates with DrChrono using OAuth 2.0, obtaining an access token to make secure API requests. The integration ensures smooth authentication handling, token renewal, and error management, allowing seamless access to appointment and patient data.