cowinapi / developer.cowin

This group is created to facilitate technical and integration discussions related to cowin platform. API related contents can be obtained at API setu portal https://apisetu.gov.in/public/marketplace/api/cowin

CoWin Protected API - what are the required headers #419

Closed ganeshksp closed 3 years ago

ganeshksp commented 3 years ago

Can anyone mention what headers are needed to access each sandbox API URL? Right now, I am not sure whether to use 'x-api-key' or 'Authorization'.

big89 commented 3 years ago

@ganeshksp You can check on the given API portal, by executing each API, what headers we need to pass.

For example, for the /v2/auth/generateOTP API, the following is the curl request; you can see the header 'x-api-key' being passed -

```bash
curl -X POST "https://cdndemo-api.co-vin.in/api/v2/auth/generateOTP" \
  -H "accept: application/json" \
  -H "x-api-key: 3sjOr2rmM52GzhpMHjDEE1kpQeRxwFDr4YcBEimi" \
  -H "Content-Type: application/json" \
  -d "{\"mobile\":\"9876543210\"}"
```

Also, for the /v2/appointment/schedule API, the following is the curl request with the header 'Authorization', which is a bearer token issued after OTP verification.

```bash
curl -X POST "https://cdndemo-api.co-vin.in/api/v2/appointment/schedule" \
  -H "accept: application/json" \
  -H "Authorization: Bearer U2FsdGVkX1+I3zer1vBDHflPqNU9JR8toE+sB1dLx4A4y0coFZTgjJOIByMVcMtXj+U6p2uEl/0ASuzkxO6gFg==" \
  -H "Content-Type: application/json" \
  -d "{\"dose\":1,\"session_id\":\"3fa85f64-5717-4562-b3fc-2c963f66afa6\",\"slot\":\"FORENOON\",\"beneficiaries\":[\"1234567890123\",\"9876543210987\"]}"
```

So, you can check each API call and confirm what headers are required in that API call.

Thanks, Logicmaker

ajitsb commented 3 years ago

To get the certificate you need to use the authorize token. `Authorization: Bearer '.$token` // here $token is a new token value received after running the confirmOTP API. Hope helpful.

ganeshksp commented 3 years ago

Here is my code, which is not working when I use the sandbox URL. Let me know if I am doing anything wrong.

```typescript
getOTP(mobile: any): Observable<otpacct> {
  const headers = new HttpHeaders({
    'accept': 'application/json',
    'x-api-key': '3sjOr2rmM52GzhpMHjDEE1kpQeRxwFDr4YcBEimi',
    'Content-Type': 'application/json'
  });
  // Typed post so the response matches the declared Observable<otpacct>
  return this.http.post<otpacct>("https://cdndemo-api.co-vin.in/api/v2/auth/generateOTP", { "mobile": mobile }, { headers })
    .pipe(
      tap(data => console.log('get otp success')),
      catchError(this.handleError)
    );
}
```

big89 commented 3 years ago

@ganeshksp Check the following PHP code, which is working -

```php
<?php
$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, 'https://cdndemo-api.co-vin.in/api/v2/auth/generateOTP');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, '{"mobile":"9876543210"}');

$headers = array();
$headers[] = 'Accept: application/json';
$headers[] = 'X-Api-Key: 3sjOr2rmM52GzhpMHjDEE1kpQeRxwFDr4YcBEimi';
$headers[] = 'Content-Type: application/json';
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$result = curl_exec($ch);
if (curl_errno($ch)) {
    echo 'Error:' . curl_error($ch);
}
curl_close($ch);

echo $result;
?>
```

Thanks, Logicmaker

badinenisaivardhan commented 3 years ago

@ganeshksp Working Code For Public OTP And Private OTP API Generation In Nodejs, concentrate on the endpoints

```javascript
// Public API OTP generation
var request = require('request');
var options = {
  'method': 'POST',
  'url': 'https://cdn-api.co-vin.in/api/v2/auth/public/generateOTP',
  'headers': {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'application/json, text/plain, */*',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate, br',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ "mobile": "PhoneNumber" })
};
request(options, function (error, response) {
  if (error) throw new Error(error);
  console.log(response.body);
});

// Private protected API OTP generation
// `req` is the request object of the enclosing Express route handler
var mobilenumber = req.body.mobilenumber;
var options = {
  'method': 'POST',
  'url': 'https://cdn-api.co-vin.in/api/v2/auth/generateMobileOTP',
  'headers': {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'application/json, text/plain, */*',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate, br',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    "mobile": mobilenumber,
    "secret": "RandomSecretHash" // Can be obtained from website XHR JSON-body call
  })
};
request(options, function (error, response) {
  if (error) throw new Error(error);
  console.log(response.body);
});
```

big89 commented 3 years ago

On the https://apisetu.gov.in/public/api/cowin API portal, Public APIs are open for all; Protected APIs are not open without an API key. These are provided for official use after registration.

Also, API calls inspected from https://selfregistration.cowin.gov.in/ portal are different and unofficial.

hpk22 commented 3 years ago

Any info about the cancel API? How to use it? Please let me know.

big89 commented 3 years ago

@hpk22 You can check below PHP code for the same.

```php
<?php
$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, 'https://cdndemo-api.co-vin.in/api/v2/appointment/cancel');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "{\"appointment_id\":\"3fa85f64-5717-4562-b3fc-2c963f66afa6\",\"beneficiariesToCancel\":[\"1234567890123\",\"9876543210987\"]}");

$headers = array();
$headers[] = 'Accept: */*';
$headers[] = 'Authorization: Bearer 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92';
$headers[] = 'Content-Type: application/json';
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$result = curl_exec($ch);
if (curl_errno($ch)) {
    echo 'Error:' . curl_error($ch);
}
curl_close($ch);

echo $result;
?>
```

You will get Authorization Bearer token in the response of /v2/auth/confirmOTP API call.

Thanks, Logicmaker

mkangia commented 3 years ago

Hi @big89

Thank you for your responses here. These are really helpful. Can you please help with the following,

I am trying to access the protected APIs where I am able to generate OTP and even fetch Meta information like "Get list of beneficiary Id types".

However I am unable to confirm OTP received on phone or register a new beneficiary. I get back {'errorCode': 'USRAUT0014', 'error': 'Invalid OTP'} for confirmOTP and 401 for new beneficiary registration. I am using the same set of headers for all requests, while changing the data to be sent, as requested by the API end point.

Is there any additional access that is to be granted for POST requests like registering a new beneficiary? Also, the OTP sent on phone is 6 digits but the one in the example on the API docs is a long string for confirmOTP; is it to be hashed in a certain way?

ganeshksp commented 3 years ago

Hey @mkangia send sha256 hash of the otp.

Thanks for all your replies, guys. I found that when I use .NET code to consume the APIs everything is working fine. So I guess the CORS error I am facing is because of how my code is written. I already found some material on the angular.io site on how to prevent this. So I am good and will be closing this issue.

mkangia commented 3 years ago

Thank you @ganeshksp

Still need help with beneficiary registration.

Can someone confirm if it's possible to test the API for beneficiary registration with just the test API key mentioned for the protected APIs, or whether a separate access is to be requested?

badinenisaivardhan commented 3 years ago

Sandbox - Protected API Testing Process (Which I Used And Tested Personally.. ) - WORKING FINE

Step 1: Use x-api-key with value "3sjOr2rmM52GzhpMHjDEE1kpQeRxwFDr4YcBEimi" in header and generate OTP and authenticate it to get token

Step 2: Use Authorization with value "Bearer token", and x-api-key in header and make a request to /v2/registration/beneficiary/new with body

```json
{
  "name": "Your Name",
  "birth_year": "1980",
  "gender_id": 1,
  "photo_id_type": 1,
  "photo_id_number": "Unique Value",
  "comorbidity_ind": "Y",
  "consent_version": "1"
}
```

// On success, beneficiary id is displayed

Step 3: Check for slot using dist code: 151 (GOA - it worked for me in sandbox), it shows some hospitals... and to make a slot booking,...

// Authentication APIs, Metadata APIs, Vaccination Appointment APIs, Working Fine --- As per my testing experience

// Certificate APIs --- Not tested, because the vaccinator and Certificate APIs require a testing approval

Thanks ...!

mkangia commented 3 years ago

Thank you @badinenisaivardhan

FinalGetsugaa commented 3 years ago

@big89 @badinenisaivardhan How to do a Schedule Appointment request? I'm getting the error 401 Unauthenticated Access, even when I passed the right auth token, and that too within its expiry time.

Below is the curl (the session ID is also correct, I have checked it):

```bash
curl --location --request POST 'https://cdndemo-api.co-vin.in/api/v2/appointment/schedule' \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJmOGFhMDk1Mi1iMzBhLTQ0YzQtOTU0ZC1lZGZiYjU5YzZkOGIiLCJ1c2VyX2lkIjoiZjhhYTA5NTItYjMwYS00NGM0LTk1NGQtZWRmYmI1OWM2ZDhiIiwidXNlcl90eXBlIjoiQkVORUZJQ0lBUlkiLCJtb2JpbGVfbnVtYmVyIjo5NjM2MTU2MjQyLCJiZW5lZmljaWFyeV9yZWZlcmVuY2VfaWQiOjQ4MTA1NDU1NjY0MjIwLCJzb3VyY2UiOnt9LCJ1YSI6IlBvc3RtYW5SdW50aW1lLzcuMjYuOCIsImRhdGVfbW9kaWZpZWQiOiIyMDIxLTA2LTIzVDExOjUwOjIyLjA1NloiLCJpYXQiOjE2MjQ0NDkwMjIsImV4cCI6MTYyNDQ0OTkyMn0.Q6h1swXEVlMlrt-MZkI3hQzJNRLvc9XJK36JzLXozKo' \
  --header 'x-api-key: 3sjOr2rmM52GzhpMHjDEE1kpQeRxwFDr4YcBEimi' \
  --header 'Content-Type: application/json' \
  --data-raw '{ "dose": 1, "session_id": "4331aa96-3974-4d9a-9940-dabfcb24bda4", "slot": "FORENOON", "beneficiaries": [ "56651394507960" ] }'
```
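
The header rules and the SHA-256 OTP step described in the comments above, plus a local check of a bearer token's expiry before chasing a 401, as an added example that is not part of any comment in this thread and is not CoWIN's own code. The names `hashOtp`, `buildRequest`, `secondsLeft`, `makeSampleJwt` and `NEEDS_TOKEN` are hypothetical, and the sample token is constructed.

```javascript
const crypto = require('crypto');

const SANDBOX = 'https://cdndemo-api.co-vin.in/api';
// Public sandbox key quoted in this thread. A real key is server-side
// configuration and should never be compiled into browser code.
const API_KEY = '3sjOr2rmM52GzhpMHjDEE1kpQeRxwFDr4YcBEimi';
// Paths the thread shows being called with a bearer token.
const NEEDS_TOKEN = new Set([
  '/v2/registration/beneficiary/new',
  '/v2/appointment/schedule',
  '/v2/appointment/cancel',
]);

// confirmOTP takes the SHA-256 hex digest of the OTP, not the 6 digits.
function hashOtp(otp) {
  return crypto.createHash('sha256').update(String(otp), 'utf8').digest('hex');
}

// Build (do not send) a sandbox request with the headers each step needs.
function buildRequest(path, body, token) {
  const headers = {
    accept: 'application/json',
    'Content-Type': 'application/json',
    'x-api-key': API_KEY,
  };
  if (NEEDS_TOKEN.has(path)) {
    if (!token) throw new Error(`${path} needs the token from confirmOTP`);
    headers.Authorization = `Bearer ${token}`;
  }
  return { method: 'POST', url: SANDBOX + path, headers, body: JSON.stringify(body) };
}

// Read a JWT's exp claim WITHOUT verifying the signature: enough to rule
// out an expired token when debugging a 401, never enough to trust it.
function secondsLeft(jwt, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a three-part JWT');
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  if (typeof claims.exp !== 'number') throw new Error('token has no exp claim');
  return claims.exp - nowSeconds;
}

// Constructed sample token: real header/payload encoding, placeholder signature.
function makeSampleJwt(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}
```

A negative result from `secondsLeft` means the token has already expired and a fresh confirmOTP call is needed before retrying the protected request.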

badinenisaivardhan commented 3 years ago

hey @FinalGetsugaa , can you explain the steps that u followed, so that we can understand the issue

FinalGetsugaa commented 3 years ago

@badinenisaivardhan it worked when I logged in from different mobile , I have some doubts , it will be great if you can please ans them.

  1. Is there any specific no of times for which we can hit these auth token protected APIs?
  2. Which is the most preferable dist code to find the sessions
  3. How to test generate certificate APIs (suppose we have booked schedule one for the same day)

badinenisaivardhan commented 3 years ago

@FinalGetsugaa

  1. I think it's 25 to 30 times in 10 mins --- (To be more secure)
  2. Goa, it worked for me, distcode: 151
  3. Try the vaccinator API and complete the vaccine, so that only then we will get the certificate generated --- (I have not tried it yet..!) Thanks..!

FinalGetsugaa commented 3 years ago

@badinenisaivardhan Thanks a lot man!!

FinalGetsugaa commented 3 years ago

@badinenisaivardhan Is there another way to test the certificate APIs because Vaccinator API access is only with state govts?

klodha commented 3 years ago

@FinalGetsugaa did you get any way to mark beneficiary vaccinated in sandbox env? We can't use vaccinator API on sandbox as sandbox api-key for the same is not available and protected api key doesn't work.

I have booked slot for 2 test beneficiaries (1st dose) and need to test flow for 2nd dose, so 1 of them must be marked as vaccinated. I am not getting how to update his record in sandbox.