When authenticating with HealthHero API's you'd need to use your unique Client ID and Secret to request jwt tokens. These tokens are then sent in the Authorization header with any request to the Traversal API
Authorization: Bearer $mytoken. We recommend building an authentication proxy into the backend of your website, so you can store your Client ID and Secret on the backend safely where no one can find them and request tokens when needed.
The architecture would look something like this:
First of all your traversal client, be it embedded, npm library or custom, will make requests to the proxy endpoint of your website. This gives you control of how you want to secure calls between the front end and backend of you application. CORS, sessions, cookies, bearer tokens, etc can be checked by your proxy to ensure the request is authorised.
Then your proxy can use your Client ID and Secret to request and store a bearer token to authenticate the request with the traversal apis. Bearer tokens expire after a short period of time, so your proxy can check if the stored token has expired and request a new one, or continue using the valid token if it is still valid to prevent a http request for a token with every request to the traversal api.
Your proxy can add your token to the Authorization header of your request and then forward the request to the traversal api. When the proxy recieves a response from the traversal api, it can return the response to the frontend to be handled accordingly.