Overview

The Operahealth API uses API key authentication. All requests must include a valid API key in the Authorization header using the Bearer scheme.
Authorization: Bearer opera_live_a1b2c3d4e5f6...

API Key Format

API keys follow a specific format based on environment:
Environment   Example
Production    opera_live_a1b2c3d4e5f6...
Development   opera_demo_a1b2c3d4e5f6...

Managing API Keys

API keys are managed through your Operahealth dashboard at Settings > API Keys.

Creating a Key

1. Log in to your dashboard

   Navigate to your Operahealth dashboard and log in with your credentials.

2. Go to API Keys

   Navigate to Settings > API Keys.

3. Create a new key

   Click Create API Key and give it a descriptive name (e.g., “Production Integration” or “Development Integration”).

4. Copy and store securely

   Copy the key immediately — it won’t be shown again. Store it securely in an environment variable or secrets manager.

Store your API key securely. Once created, the full key cannot be retrieved again. If you lose it, you’ll need to create a new one.

Revoking a Key

Keys can be revoked instantly from the dashboard. Once revoked, any requests using that key will immediately return 401 Unauthorized.

Security Best Practices

  • Never commit keys to version control
  • Never expose keys in client-side code
  • Use environment variables or a secrets manager
API keys must only be transmitted over secure HTTPS connections. The API will reject non-HTTPS requests.
Periodically revoke old keys and create new ones, especially if team members leave or keys may have been exposed.
Use separate keys for different integrations. This makes it easier to track usage and revoke access for specific integrations without affecting others.
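
The practices above, as an added example (not Operahealth's own code): a server-side helper that reads the key from an environment variable, checks that its prefix matches the target environment, refuses non-HTTPS base URLs, and redacts the key in error messages. The OPERA_API_KEY variable name and the function names are assumptions; the key prefixes are the ones documented on this page.

```javascript
// Added example, not Operahealth's code. Key prefixes are from this page;
// the OPERA_API_KEY variable name and the helper names are assumptions.
const KEY_PREFIX = new Map([
  ["production", "opera_live_"],
  ["development", "opera_demo_"],
]);

// Log-safe form: environment prefix plus last 4 characters of long keys only.
function redactKey(key) {
  const prefix = [...KEY_PREFIX.values()].find((p) => key.startsWith(p)) ?? "";
  const tail = key.length >= prefix.length + 12 ? key.slice(-4) : "";
  return `${prefix}...${tail}`;
}

// Build request headers, failing closed on any misconfiguration.
function buildAuthHeaders(environment, baseUrl, env = process.env) {
  const expected = KEY_PREFIX.get(environment);
  if (!expected) throw new Error(`Unknown environment: ${environment}`);

  // The API rejects non-HTTPS requests; refuse before the key leaves the host.
  if (new URL(baseUrl).protocol !== "https:") {
    throw new Error("Refusing to send API key over a non-HTTPS URL");
  }

  const key = (env.OPERA_API_KEY ?? "").trim();
  if (!key) throw new Error("OPERA_API_KEY is not set");

  // A demo key pointed at production (or the reverse) is a config error.
  if (!key.startsWith(expected) || key.length === expected.length) {
    throw new Error(`API key ${redactKey(key)} is not a ${environment} key`);
  }
  return { Authorization: `Bearer ${key}`, "Content-Type": "application/json" };
}
```

Pass the returned object as the headers of a fetch call; using one environment variable per integration keeps keys separate so each can be revoked on its own.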

Example Request

Production:
const response = await fetch(
  "https://api.prod.operahealth.ai/api/v1/patients",
  {
    method: "POST",
    headers: {
      Authorization: "Bearer opera_live_your_api_key_here",
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      firstName: "John",
      lastName: "Doe",
      phoneNumber: "+61412345678",
      email: "john@example.com",
    }),
  }
);

Authentication Errors

Status   Error                      Description
401      Missing API key            No Authorization header provided
401      Invalid API key            Key format is incorrect or key doesn’t exist
401      Revoked API key            Key has been revoked in the dashboard
403      Insufficient permissions   Key lacks required permissions (future)

Example 401 Response
{
  "type": "about:blank",
  "title": "Unauthorized",
  "status": 401,
  "detail": "Missing or invalid API key",
  "instance": null
}