Authentication
To consume PBM and PSP services through the GraphQL Gateway, you must generate an authentication token and send it in the Authorization header.
Each flow has its own mutation for token generation:
| Flow | Mutation | Header | When to use |
|---|---|---|---|
| PBM | createToken | Authorization | PBM endpoints |
| PSP / Health Passport | createTokenPsp | Authorization | PSP/Health Passport endpoints |
1. PBM Token
To generate the main Gateway access token, use the createToken mutation and provide the credentials supplied by Funcional.
Tip
The same token can be used in multiple requests until it expires.
The PBM token is valid for approximately 1 hour.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| login | String | Yes | User login |
| password | String | Yes | User password |
Request example
mutation {
createToken(
login: "usuario_exemplo"
password: "senha_exemplo"
) {
token
}
}
Response example
{
"data": {
"createToken": {
"token": "eyJhbGciOiJSUzI1NiIs..."
}
}
}
2. PSP / Health Passport Token
For endpoints that integrate with PSP / Health Passport, you must generate a token using the createTokenPsp mutation.
This token must be sent in the Authorization header.
To access PSP features, you must provide the authorized scopes when generating the token.
Use the scopes:
patient_care_apiessential_health_api
Tip
The PSP (Health Passport) token can be reused until it expires.
The PSP (Health Passport) token is valid for approximately 24 hours.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| client_id | String | Yes | Client application identifier |
| client_secret | String | Yes | Client application secret |
| grant_type | String | Yes | OAuth2 authentication type |
| scope | String | Yes | Scopes requested during authentication |
Request example
mutation {
createTokenPsp(
client_id: "client_id_exemplo"
client_secret: "client_secret_exemplo"
grant_type: "client_credentials"
scope: "patient_care_api essential_health_api"
) {
token_type
expires_in
access_token
}
}
Response example
{
"data": {
"createTokenPsp": {
"token_type": "Bearer",
"expires_in": 86400,
"access_token": "eyJhbGciOiJSUzI1NiIs..."
}
}
}
3. Headers
3.1 PBM
| Header | Required | Description |
|---|---|---|
Authorization | Yes | Gateway token generated by the createToken mutation |
Content-Type | Yes | Must be sent as application/json |
3.2 PSP/Health Passport
| Header | Required | Description |
|---|---|---|
Authorization | Yes, for PSP/Health Passport endpoints | PSP token generated by the createTokenPsp mutation |
Content-Type | Yes | Must be sent as application/json |
4. Using Tokens
PBM Requests
For PBM endpoints:
POST /graphql
Content-Type: application/json
Authorization: Bearer {token_pbm}
PSP / Health Passport Requests
For PSP/Health Passport endpoints, send only the PSP token generated by the createTokenPsp mutation:
POST /graphql
Content-Type: application/json
Authorization: Bearer {access_token_psp}
5. Token Expiration
| Token | Approximate validity | How to renew |
|---|---|---|
| PBM | 1 hour | Generate again through createToken |
| PSP | 24 hours | Generate again through createTokenPsp |
If a token expires, the API will return an authentication error.
Error example
{
"errors": [
{
"message": "Unauthorized",
"path": [
"WsAcesso_insertOptinExternal"
],
"extensions": {
"code": "UNAUTHENTICATED",
"originalError": {
"message": "Unauthorized",
"statusCode": 401
}
}
}
],
"data": null
}
6. Summary Flow
PBM Flow
- Call
createTokenusing the PBM application credentials - Send the PBM token in the
Authorizationheader - When it expires, generate a new token
PSP / Health Passport Flow
- Call
createTokenPspusing the PSP application credentials - Send the PSP token in the
Authorizationheader - When it expires, generate a new token