Authentication

HealthTalk API uses HMAC signature-based authentication for secure access.

Authentication Method

All API requests must include:

X-Gateway-Signature - HMAC signature of the request
X-Timestamp - Unix timestamp of the request
X-Tenant-Id - Your organization’s tenant ID

Generating the Signature


const crypto = require('crypto');
 
function generateSignature(method, path, timestamp, body, secret) {
  const payload = `${method}${path}${timestamp}${JSON.stringify(body || {})}`;
  return crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
}

Example Request


curl -X POST https://api.healthtalk.ai/v1/messages \
  -H "Content-Type: application/json" \
  -H "X-Gateway-Signature: abc123..." \
  -H "X-Timestamp: 1678901234" \
  -H "X-Tenant-Id: your-tenant-id" \
  -d '{"patientId": "123", "message": "Hello"}'

API Keys

API credentials are managed in the HealthTalk admin dashboard:

Navigate to Settings > API
Click Generate New Key
Store the secret securely (it won’t be shown again)
Set IP restrictions if needed

Token Expiration

Signatures are valid for 5 minutes from the timestamp
Requests with expired timestamps are rejected
Clock skew tolerance is 30 seconds

Security Best Practices

Never expose API secrets in client-side code
Rotate API keys regularly
Use IP whitelisting for production systems
Monitor API usage for anomalies

Last updated on March 11, 2026

Overview Endpoints