# HealthSherpa ❮ONE❯ Developer Portal Login and Key Management

> Passwordless portal flow for requesting a login link, managing API keys, and requesting approval-gated enrollment access.

## Unauthenticated flow

- Developers request a one-time login link using the same email used for registration.
- If a login link is available for that email, the portal sends one shortly.
- Email verification and approval must already be complete before a portal session is issued.

## Authenticated actions

- Generate an API key
- Reveal a pending API key once
- Confirm that the new key has been stored
- Test current public endpoints from the built-in API explorer
- Contact support from the portal
- Sign out of the current portal session

## Approval-gated access requests

### On-Exchange Direct-to-Consumer Enrollment API

- Developers can submit a freeform reason for requesting on-exchange direct-to-consumer enrollment API access.
- Review is required so HealthSherpa can confirm the consumer enrollment experience meets on-exchange regulatory requirements before access is enabled.
- Approved developers can link HealthSherpa Marketplace from the portal without submitting this request first.

### Off-Exchange Enrollment API

- Developers can submit a freeform reason for requesting off-exchange enrollment access.

## Contact support

- Developers can submit a support question from the authenticated portal.
- The form collects only the question.
- The server includes name and email from the authenticated developer record.
- Submissions are limited to one accepted request per developer per hour.

## Security notes

- Login uses a one-time email link.
- Portal sessions are short-lived.
- Newly provisioned keys are intended to be copied and stored immediately.