logo
1300 191 676
enterprise Package

API Keys

Api keys provide a way for systems to automatically perform actions within your workspace in response to an event. This could include creating a Compound Direct customer when a customer registers for your website, creating a draft when a customer uploads their prescription, or getting the status of a compound when your customer looks at your website.

Finding API Keys

  1. Go to the ā€˜Settingsā€™ page.
  2. Click on the ā€˜Users & Rolesā€™ button.
  3. Current API keys can be seen under ā€˜API Keysā€™.
  4. Once found click on the API Key to view details.

Creating an API Key

  1. Go to the ā€˜Settingsā€™ page.
  2. Click on the ā€˜Users & Rolesā€™ button.
  3. Click on the ā€˜Create API Keyā€™ button.
  4. Add a name for the new API Key.
  5. Add individual permissions to the API Key.
    • Make sure permissions are limited to only what is needed. API Keys can always have their permissions modified to expand their scope.
  6. Once selected the API Key and API Secret are shown.
    • The API secret will not be available once the window is closed.
  7. Click ā€˜Doneā€™ When finished.

Editing an API Key

  1. Go to the ā€˜Settingsā€™ page.
  2. Click on the ā€˜Users & Rolesā€™ button.
  3. Current API keys can be seen under ā€˜API Keysā€™.
  4. Once found click on the API Key to view details.
  5. Edit the name of the API key as desired.
  6. Add or detach individual permission to the API key as desired.
  7. Click on the ā€˜More actionsā€™ drop-down menu and select ā€˜Deleteā€™ to delete the API Key.
  8. Click on the ā€˜Saveā€™ button when finished to save changes.
  • API Keys must be kept closely guarded, using an API Key any person can access your workspace and your customer data.

API Authorization

  • The authentication is passed in in the ā€˜authorizationā€™ header like so:
Bearer cdapi|THE_API_KEY:THE_API_SECRET

  • The base url is:
https://workspace-name.au-api.compounddirect.com

  • Replace [workspace-name] with the name of your workspace provided to you by the Compound Direct team.
  • Replace [au-api] with the region specific api subdomain, valid subdomains are au-api, us-api, ae-api, uk-api

Webhook Request Authorization


  • Webhooks are sent a maximum of 20 times with an exponential backoff across two days.

  • Webhooks send a header, 'x-compound-direct-hmac-sha256' that will be sent with a sha256 hmac in order to validate the authenticity of the webhook

  • See Example:
function verifyRequest(ctx: Context) {
  const hmacHeader = ctx.request.headers['x-compound-direct-hmac-sha256'];

  if (!hmacHeader) {
    throw new ApiException('Request not valid', 401);
  }

  const hmac = crypto
    .createHmac('sha256', webhookVerificationKey)
    .update(ctx.request.rawBody)
    .digest('base64');

  if (hmac !== hmacHeader) {
    throw new ApiException('Request not valid', 401);
  }
}

API Documentation

Currently the Compound Direct API documentation is only available for enterprise workspaces. Please contact us about the use and documentation of the Compound Direct API.

Related

Pharmacy Workspace Settings
Configuring workspace settings for a pharmacy.
Webhooks
Configuring webhooks to trigger events in connected systems.
Was this page helpful?
;