Getting Started

We're excited to partner with you! If you have any feedback, please let us know at support@counselhealth.com. We continuously improve based on user feedback, please note that these APIs are subject to change.

Surface area	How we integrate
Onboarding and creating a user account	You will be able to own the entire onboarding experience, including the messaging and entry points of driving users to Counsel. Onboarding will be done via API, and Counsel will require first name, last name, date of birth, sex assigned at birth, phone number, and address to successfully create and onboard a user. You can choose to pass in your own custom ID or use a Counsel generated ID.
Authenticating your users	We use API keys to authenticate you for all API requests. To actually load the iframe or WebView, request a one-time signed URL. The URL will be valid for a single use for 7 days, and once loaded the iframe remains valid indefinitely until closed. We can customize how long signed app URLs are valid for.
Acknowledging consents and terms of service	You will collect consent on behalf of Counsel. Our legal teams should pair together to understand what additional terms of service this may require in addition to our existing terms (if any).
Medical profile	You will need to collect medical profile information (e.g. current conditions, medications, etc.) yourself and pass it to Counsel via API. This will enable our doctors to provide immediate, personalized care.
Threads & Chat experience	The threads and chat experience will be embedded as an iFrame or WebView in your mobile/web app, and users will directly create threads in the iFrame or WebView. We recommend that you provide us Figma UI specification that is aligned to your branding so we can white-label the experience. We believe this approach will allow you to go live much faster with Counsel and require less effort.
Physician profile	Users can view details about the physician they are talking to within the Counsel iFrame or WebView experience.
Physician Response Time	Physicians will respond to the first patient message within 15 or 20 minutes depending on our contractual SLA agreement.
Notifications	Counsel will send webhooks to your server for important notifications like new messages from the physician or AI, giving you more control over the notification experience. Counsel can also send SMS to your users on your behalf. The SMS will include a deeplink into your app that ideally loads the Counsel iFrame or WebView directly.

Technical Examples

See Counsel Embedded Example Apps Repo for examples of how to embed the Counsel experience in your app.
For a live demo see https://embedded-demo.counselhealth.com/. Email support@counselhealth.com to get an access code.

API Details

Counsel uses API keys for authentication. All requests must be made from a secure server environment. Please store this securely and treat it like a password. Counsel does not store your API key once it is issued. Reach out to support@counselhealth.com if you need to rotate your API key. We recommend rotating your API key every 3 months.

Idempotency

It’s recommended that all POST and PATCH APIs are passed an header Idempotency_Key. Idmepotency requests will be processed once and the same request can be retried in the event of a failure without side effects. Conflicting requests will result in a 409 error. Keys must be minimum 10 characters.

JWKS Authorization

We strongly recommend asymmetric JWKS authorization with signing keys issued by you in conjunction with Counsel API keys
How it works:
- You create an JWT token signed using a private key
- You share a JWKS URI with a public set of JSON web tokens with Counsel
- You send an API request to the Counsel API with both of the headers
```
curl -X POST <https://api.counselhealth.com/v1/user>
  -H "Authorization: Bearer <YOUR_SIGNED_JWT_TOKEN>"
  -H "x-counsel-api-key: Bearer <YOUR_API_KEY>"
```
- Counsel verifies both the JWT token against your public JSON web tokens and API key
What this ensures:
- A leaked API key alone cannot grant a bad actor access to Counsel
- Both the JWT private key and API key have to be leaked for there to be a security breach
- You never have to share the JWT private key with Counsel
See this for more information

Integration steps

1. Create a user account during onboarding

You will manage the onboarding experience, including the value propositions that you choose to surface and the entry point for the Counsel experience. Capture patient consent in onboarding We must get consent from the user for Counsel’s terms of service. This allows users to message our doctors and for us to retrieve patient medical history from Health Information Exchanges (HIEs). Our legal teams should pair together to understand what additional terms of service this may require.

2. Request a one-time signed URL

Authentication Flow

Request a one-time signed URL: POST /v1/user/{userId}/signedAppUrl
Use the returned url to load the iFrame or WebView
The URL will be valid for a single use for 7 days. Once loaded the iFrame or WebView remains valid indefinitely until closed or explicitly signed out.

3. Embed the Counsel chat experience

The chat experience will be embedded as an iFrame or WebView in your web or mobile app. We will automatically load your custom UI in the chat experience.

<iframe src="${signedAppUrl}" width="100%" height="600px">

4. Sign out users on Counsel

When users sign out of your app or website, you should also sign them out of the Counsel session.

5. Notify your users when they receive a new message

Webhooks notify you of new events such as our physicians sending a new message to your users. Use the content of these webhooks to craft your notification. Alternatively, we can also send white-labeled SMS messages on your behalf to notify your users.

Registered numbers for white-labeled SMS (if applicable):

Test Environment: +16463286871
Production Environment: +18572264443

Counsel requires a deep-link to your application where the Counsel iFrame or WebView is embedded that we will use in our white-labeled SMS communications.

6. Webhooks

Webhooks notify you of new events such as our physicians sending a new message to your users. Once you register a webhook subscription, you will receive webhook events via POST request to your server. We use the Standard Webhooks specification to sign and verify webhook requests.

Webhook request/response behavior:

2xx response codes are considered successful and the event is considered processed.
Requests have a 5 second timeout before they are considered failed.
Failed requests are retried up to 6 times with exponential backoff starting at 10 seconds.
Retries will respect the Retry-After header if present up to a maximum of 900 seconds (15 minutes).

Webhook security

Webhook subscription endpoints must be HTTPS endpoints.
We use the Standard Webhooks symmetric signing method to sign and verify webhook requests.
We will share a secure secret with you. Each incoming request will have a webhook-signature header that you can use to verify the request with the secret.