Order Tracking Links

Generate direct links that give providers and employees instant access to a specific order in the BlueHive tracking portal — no manual form entry required.

How It Works

The BlueHive order tracking portal at bluehive.com/order/track/ accepts a base64-encoded JSON payload in the URL hash fragment (after the #). This payload contains the order lookup fields that would otherwise be entered manually on the SPA form at bluehive.com/spa.

When a user visits a tracking link, the SPA reads window.location.hash, decodes the base64 payload, extracts the order parameters, and immediately loads the order — skipping the manual entry form. Because the hash fragment is never sent to the server, patient data stays client-side and does not appear in server logs, analytics, or referrer headers.

URL Format

Order tracking URLs use this structure:

https://bluehive.com/order/track/#{base64_encoded_json}

The base64 payload is placed after the # (hash fragment). This is intentional — hash fragments are never sent to the server in HTTP requests, which means the patient's name, date of birth, and order details never leave the browser. The SPA reads the hash client-side via window.location.hash. Query parameters and path segments are not supported.

Incorrect formats
# ❌ WRONG — plain query parameters (will not work)
https://bluehive.com/order/track/?orderAccessCode=W2YQL&orderNumber=011425-1-11099&dob=1994-08-06&lastName=Example

# ❌ ALSO WRONG — base64 as a path segment (exposes data in server logs)
https://bluehive.com/order/track/eyJvcmRl...
Correct format
# ✅ CORRECT — base64-encoded JSON after a hash fragment
https://bluehive.com/order/track/#eyJvcmRlckFjY2Vzc0NvZGUiOiJXMllRTCIsIm9yZGVyTnVtYmVyIjoiMDExNDI1LTEtMTEwOTkiLCJkb2IiOiIxOTk0LTA4LTA2IiwibGFzdE5hbWUiOiJFeGFtcGxlIn0=

JSON Payload

The JSON object contains four fields used to look up and verify the order:

Order tracking payload
{
  "orderAccessCode": "W2YQL",
  "orderNumber": "011425-1-11099",
  "dob": "1994-08-06",
  "lastName": "Example"
}
FieldTypeRequiredDescription
orderAccessCodestringYesThe unique access code for the order (e.g., W2YQL). Found on the fax, email, or order confirmation sent to the provider.
orderNumberstringYesThe human-readable order number (e.g., 011425-1-11099).
dobstringYesPatient date of birth in YYYY-MM-DD format.
lastNamestringYesPatient last name. Used together with date of birth to verify the requester has access to the order.

Generating a Tracking URL

Follow these steps to build an order tracking URL:

1

Build the JSON payload

Create a JSON object with the four required fields: orderAccessCode, orderNumber, dob, and lastName.

2

Stringify and base64-encode

Convert the JSON object to a string, then encode it with standard base64. In browsers use btoa(), in Node.js use Buffer.from().toString('base64').

3

Append to the base URL

Append the base64 string after a # hash character following /order/track/. The hash fragment is never sent to the server, keeping patient data client-side.

// Build an order tracking URL with base64-encoded parameters
const params = {
  orderAccessCode: 'W2YQL',
  orderNumber: '011425-1-11099',
  dob: '1994-08-06',
  lastName: 'Example',
};

const json = JSON.stringify(params);
const base64 = btoa(json);
const url = `https://bluehive.com/order/track/#${base64}`;

console.log(url);
// https://bluehive.com/order/track/#eyJvcmRlckFjY2Vzc0NvZGUiOiJXMllRTCIsIm9yZGVyTnVtYmVyIjoiMDExNDI1LTEtMTEwOTkiLCJkb2IiOiIxOTk0LTA4LTA2IiwibGFzdE5hbWUiOiJFeGFtcGxlIn0=

Decoding a Tracking URL

To extract order parameters from an existing tracking URL, reverse the process — read the hash fragment (everything after #) and base64-decode it. In a browser, use window.location.hash:

// Decode an order tracking URL
const url = 'https://bluehive.com/order/track/#eyJvcmRlckFjY2Vzc0NvZGUiOiJXMllRTCIsIm9yZGVyTnVtYmVyIjoiMDExNDI1LTEtMTEwOTkiLCJkb2IiOiIxOTk0LTA4LTA2IiwibGFzdE5hbWUiOiJFeGFtcGxlIn0=';

// In a browser, use window.location.hash
const base64 = window.location.hash.slice(1); // remove the leading #
const json = atob(base64);
const params = JSON.parse(json);

console.log(params);
// {
//   orderAccessCode: 'W2YQL',
//   orderNumber: '011425-1-11099',
//   dob: '1994-08-06',
//   lastName: 'Example'
// }

Server-Side Integration

When building order tracking URLs server-side (e.g., for email notifications or API responses), use Buffer in Node.js instead of btoa() for reliable encoding of UTF-8 characters:

Node.js — generate tracking URL after order creation
import BlueHive from '@bluehive/sdk';

const client = new BlueHive({
  apiKey: process.env.BLUEHIVE_API_KEY,
});

function buildTrackingUrl(order: {
  orderAccessCode: string;
  orderNumber: string;
  dob: string;
  lastName: string;
}): string {
  const json = JSON.stringify({
    orderAccessCode: order.orderAccessCode,
    orderNumber: order.orderNumber,
    dob: order.dob,
    lastName: order.lastName,
  });

  const base64 = Buffer.from(json).toString('base64');
  return `https://bluehive.com/order/track/#${base64}`;
}

// After creating an order, generate a tracking link
const order = await client.orders.create({ /* ... */ });
const trackingUrl = buildTrackingUrl({
  orderAccessCode: order.orderAccessCode,
  orderNumber: order.orderNumber,
  dob: '1994-08-06',
  lastName: 'Example',
});

// Send this URL in an email, SMS, or display it in your app
console.log('Tracking URL:', trackingUrl);

Manual Access via SPA

If you do not have a pre-built tracking link, you can access order details manually through the BlueHive SPA:

  1. Navigate to https://bluehive.com/spa
  2. Enter the order access code from the fax or email you received
  3. Enter the patient's last name and date of birth
  4. Click "Continue" to load the order

Tip: Bookmark https://bluehive.com/spa for quick access. The SPA works on any device and does not require a BlueHive account.

Security Considerations

Hash fragment keeps data off the server

The # hash fragment is never included in HTTP requests. This means the base64 payload — containing the patient name, DOB, and order codes — is never sent to the web server, never logged by reverse proxies, and never appears in referrer headers when navigating away.

Base64 is encoding, not encryption

The base64 payload can be decoded by anyone with the URL. Do not rely on the encoding for access control — it exists to bundle parameters into a clean URL, not to protect them.

Verification still required

The SPA verifies the combination of orderAccessCode, orderNumber, lastName, and dob against the BlueHive API before displaying order data. An incorrect combination will not load any order information.

Treat tracking links like passwords

Share tracking URLs only with authorized parties (the ordering employer, the provider, or the patient). Anyone with a valid link can view the associated order.

Links do not expire

Tracking URLs remain valid as long as the order exists. If you need to revoke access, contact BlueHive support to regenerate the order access code.

Chat with Bea