Authenticate requests
Send the API key with the required Authorization header.
Core concept
Use the correct API host and API key for each ChartHero environment.
ChartHero provides the API host and API keys for each approved environment. Treat each host/key pair as a boundary: send a key only to the API host it was issued for.
Examples in these docs use https://api.example.test as a placeholder host. Replace it with the host ChartHero provides for your integration.
| Environment | Use | Key handling |
|---|---|---|
| Sandbox or test | Synthetic integration development, contract validation, and non-production workflows. | Use test keys only with the matching non-production API host. |
| Production | Approved partner workflows that can access production clinical resources. | Use production keys only from server-side production systems. |
Public REST routes live under /external/v1 for every environment.
https://api.example.test/external/v1
The bundled OpenAPI artifact is published with these docs at /openapi/v1/openapi.json. The artifact describes the v1 contract, not a specific customer environment.
Every request must send the API key in the Authorization header using this exact format:
Authorization: Bearer <api_key>
Do not reuse production keys in local development, shared test tooling, browser code, mobile apps, logs, analytics events, screenshots, or support tickets. If a key may have crossed an environment boundary or been exposed, rotate it before retrying.
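An added example, not ChartHero's own code: a small Python wrapper that binds one key to the host it was issued for, builds the Authorization: Bearer header, keeps the key out of repr() output, and refuses redirects so the header cannot follow one to a different host. The names BoundCredential, NoRedirect and send, and the /resource route, are assumptions for illustration.

```python
import urllib.request
from urllib.parse import urlsplit

API_PREFIX = "/external/v1"  # public REST prefix stated on this page


class BoundCredential:
    """One API key paired with the single host it was issued for (hypothetical helper)."""

    def __init__(self, host_url, api_key):
        parts = urlsplit(host_url)
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError("API host must be an https:// URL")
        if parts.username or parts.password:
            raise ValueError("API host must not contain userinfo")
        if not api_key or api_key != api_key.strip():
            raise ValueError("API key is empty or has stray whitespace")
        self._origin = "https://" + parts.netloc
        self._key = api_key

    def __repr__(self):
        # Keep the key out of logs, tracebacks and debugger output.
        return f"BoundCredential(origin={self._origin!r}, key=<redacted>)"

    def request(self, route, method="GET"):
        """Build a request for a route under /external/v1 on the bound host only."""
        if not route.startswith("/") or any(c in route for c in "\r\n "):
            raise ValueError("pass a route path such as '/resource', not a URL")
        req = urllib.request.Request(self._origin + API_PREFIX + route, method=method)
        req.add_header("Authorization", "Bearer " + self._key)
        return req


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """urllib copies Authorization onto redirected requests; refuse to follow them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # the 3xx then surfaces as an HTTPError to the caller


def send(cred, route):
    """Send a GET. Per this page, a valid key can still get 403 (raised as HTTPError)."""
    opener = urllib.request.build_opener(NoRedirect)
    with opener.open(cred.request(route), timeout=10) as resp:
        return resp.status, resp.read()
```

Create one BoundCredential per environment, loading the key from that environment's secret store rather than from source code.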
API access is enabled per partner organization, environment, route, and scope set. A valid key can still receive 403 when the requested route has not been enabled for that environment or organization.
To get a host, keys, or route enablement, request API access with the environment and routes your integration needs.