Authentication

ClaimRev uses Azure AD B2C with the OAuth 2.0 client credentials grant. You exchange a client id + secret for a bearer token, then include the token on every API call.

Environments

ClaimRev has two B2C environments. Match all four values (token URL, scope, API server, credentials) to whichever environment you're integrating against — they are not interchangeable.

Test / Staging

Token URL: https://stagingclaimrevcom.b2clogin.com/stagingclaimrevcom.onmicrosoft.com/B2C_1_sign-in-only/oauth2/v2.0/token
Scope: https://stagingclaimrevcom.onmicrosoft.com/portal/api/.default
API server: https://testapi.claimrev.com
Portal: https://testportal.claimrev.com

Production

Token URL: https://portalclaimrev.b2clogin.com/portalclaimrev.onmicrosoft.com/B2C_1_sign-in-service/oauth2/v2.0/token
Scope: https://portalclaimrev.onmicrosoft.com/portal/api/.default
API server: https://api.claimrev.com
Portal: https://portal.claimrev.com

Getting credentials

Each ClaimRev account is issued its own Client ID and Client Secret. The recommended pattern is one client id per account — if you're an EMR or billing service onboarding multiple practices, expect to manage one set of credentials per practice.

To retrieve them:

  1. Sign in to the portal for your environment using the credentials supplied during enrollment. The test environment doesn't email passwords; use the Forgot password link on first login.
  2. From the left-hand menu, open Client Connect.
  3. Copy your Client ID and Client Secret from this screen.

Client Connect is available in both test and production portals.

Requesting a token

Send a POST to the environment's token URL using application/x-www-form-urlencoded:

POST https://portalclaimrev.b2clogin.com/portalclaimrev.onmicrosoft.com/B2C_1_sign-in-service/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id={YOUR_CLIENT_ID}
&client_secret={YOUR_CLIENT_SECRET}
&scope=https://portalclaimrev.onmicrosoft.com/portal/api/.default

Successful response:

{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOi...",
  "token_type": "Bearer",
  "expires_in": 3600
}

(Substitute the staging token URL and scope when targeting the test environment.)

Using the token

Include the token on every API call as a Bearer authorization header:

GET https://api.claimrev.com/api/UserProfile/v1/GetDefaultAccount
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOi...

GET /api/UserProfile/v1/GetDefaultAccount is a useful first call — it returns the account number associated with your token and confirms your auth is wired correctly end-to-end.

Token lifetime

  • Tokens are valid for 1 hour (expires_in: 3600).
  • The client credentials flow does not issue refresh tokens — request a new token when the current one expires.
  • Cache the token across calls and reuse it until close to expiry. A common pattern is to pre-emptively refresh once a token has fewer than 5 minutes remaining.

Rotating your secret

Self-serve secret rotation is on the roadmap but not yet available. To rotate today, contact ClaimRev support. Plan a brief overlap on your end — once the new secret is issued, deploy and verify it before the old one is invalidated.

Errors

| HTTP | What it means |
|---|---|
| 401 from the token URL | The token request failed — usually a wrong client_id, client_secret, or scope. Azure B2C returns the specific reason in the error and error_description fields. See Microsoft's B2C error reference for the full catalog. |
| 401 from the API | Your token is missing, malformed, or expired — request a new one. |
| 403 from the API | Your client id is authenticated but doesn't have permission for the endpoint or account you're calling. Verify the account scoping, and contact ClaimRev support if you believe access should be granted. |

Security reminders

  • Never commit credentials to source control — use environment variables or a secret manager.
  • Never log tokens or secrets, even at debug level.
  • Tokens are bearer credentials: anyone holding a valid token can act as you until it expires.
  • If you suspect a secret is compromised, contact ClaimRev support immediately to rotate it.