Introduction to the xCures® API
The xCures API provides secure, structured access to patient and program data on the xCures platform. This page covers how to connect, browse the available endpoints, and test against demo patients. It also covers patient-matching best practices for high-quality data integration.
Every API interaction depends on a trusted connection, so this guide begins with API credential management. Credentials are the prerequisite for every other feature.
Important URLs
| Name | URL | Description |
|---|---|---|
| OAuth URL | https://partner.xcures.com/oauth/token | Use this URL to obtain your bearer token during the authentication process. |
| API Base URL | https://partner.xcures.com | This is the base URL that you will use for all API requests once you have authenticated. |
API Credential Management
1Create New API Keys
Once you have received your xCures patient registry portal login information from your Customer Success Manager, head over to the dropdown in the top-right of your screen where your initials are, click the down arrow, and select Administration.
From here, click the API Keys tab and then click + Add:
First, set a name for your set of credentials in the API Key Name field:
Next, select which Projects these API credentials will have access to:
Then, select the permissions assigned to this set of credentials. Once you've assigned the appropriate permissions, click Save:
You will now be presented with your client_id and client_secret:
2Deactivate API Credentials
If the need to deactivate active API credentials arises, you can easily deactivate by toggling the ACTIVE button:
You'll then be presented with a confirmation modal:
3Rotate API Credentials
Rotating API credentials is a standard security practice. It reduces the risk of unauthorized access by limiting how long any single key or token remains valid. Generating new credentials on a schedule and retiring old ones limits the impact of accidental exposure, leaked secrets, or compromised environments. Planned, well-documented rotation procedures keep the service continuous through every change.
To rotate existing API credentials, click the name of the credentials:
At the bottom of the page, you will now see the option to Rotate your key:
Once your credentials have been rotated, you will be presented with the new credentials:
Authentication
The xCures API requires a Bearer Token in the Authorization header for authentication. Most xCures endpoints also require a ProjectId header to set the context of the request. The ProjectId must match a project the API client has permission to access.
| Variable | Description |
|---|---|
client_id | Your unique Client ID. |
client_secret | The private key used to generate the Bearer Token. This value is extremely sensitive; do not share it outside your organization. |
ProjectId | A unique identifier (UUID) used to specify which project you are targeting with a given request. |
Where to Find Your Project IDs
To find the ProjectId for each of your projects, click the Projects tab under the Administration menu on the left-hand sidebar. To copy the ProjectId, click the copy button.
The majority of the xCures API endpoints will require a ProjectId value to be submitted in the header of the request.
Obtaining a Bearer Token
To get a token, exchange your client_id and client_secret against the xCures OAuth endpoint using the client credentials grant.
Example cURL command
curl --request POST \
--url https://partner.xcures.com/oauth/token \
--header 'content-type: application/json' \
--data '{
"client_id": "{your_client_id}",
"client_secret": "{your_client_secret}",
"grant_type": "client_credentials"
}'Bearer token response
{
"access_token": "{your_temporary_access_token}",
"token_type": "Bearer"
}Using the Bearer Token with the xCures API
Include the bearer token in the Authorization header of every request to the xCures API.
Example of an authorized request
curl --request GET \
--url https://partner.xcures.com/api/v1/patient-registry/subject \
--header 'ProjectId: {your_project_id}' \
--header 'authorization: Bearer {your_temporary_access_token}'Postman Collection
The xCures Postman collection lets you call the API directly without writing any code. Download it below, add your client_id, client_secret, and ProjectId to the collection's Variables tab, and run the included Get Bearer Token request — authentication is handled automatically for every call after that.
Every xCures API endpoint as a pre-configured request. Add your credentials to the collection's Variables tab once and every request is authenticated automatically.
Available Endpoints
With authentication covered, the next section turns to the xCures API endpoints. The available endpoints and demo patient examples below support exploration of real-world data flows and safe testing of API behavior.
| Endpoint | Description |
|---|---|
| Application | Account creation (e.g., identity proofing, eConsent) required for a patient to progress on the xCures Platform. This is a required step in the Individual Access Services (IAS) workflow use case. |
| Subject | An individual patient created on the xCures Platform. Use this endpoint for creating, reading, or deleting a patient. Required: ID (UUID you generate), First Name, Last Name, DOB. Providing more demographic information increases the likelihood that additional documents can be found. xCures recommends also sending: Sex Assigned at Birth, Address, City, State, and Postal ZIP Code when available. |
| Checklist | AI-powered feature leveraging xCures' targeted data extraction to populate validated, customizable question/answer-style items. Every item returns a justification, supporting documents, and structured data to guide decisions in real time. |
| Clinical Concepts | A proprietary xCures higher-level, flattened, opinionated view of medical record information, structured around FHIR guidelines. Available: Allergy, Biomarker, Condition, Coverage, Demographic, Encounter, Family History, Imaging, Lab, Medication, Procedure, Social History, Survey, Symptoms, Vital. |
| Document | Patient records retrieved by the xCures platform and/or loaded by platform users. Examples: Office Visit Summary, Continuity of Care Document (CCD), Hospital Encounter Summary. |
| FHIR | Fast Healthcare Interoperability Resource: an international data model specification by HL7 International. Available: Allergy Intolerances, Basics, Care Plans, Coverages, Conditions, Diagnostic Reports, Encounters, Medication Statements, Patients, Procedures, Observations, Specimens. |
| Query | A specified, approved request for patient records across the network (e.g., via Carequality/TEFCA) with an associated status (e.g., "completed"). |
| Summary | The AI-generated summary of a patient's overall records and condition(s). |
| Reciprocity Templates | Reciprocity or "Responder" workflows for sharing clinical documentation with other organizations/providers via health data exchange networks (e.g., Carequality, TEFCA). |
De-Identified Demo Patients for Testing
The xCures API ships with a small set of test patients for hands-on exploration. These are fully de-identified patients and cover a broad spectrum of use cases and conditions.
| Subject Name | DOB | Sex Assigned at Birth | Condition |
|---|---|---|---|
| Marissa Jones | 06/29/1971 | Female | Metastatic Breast Cancer |
| Justin Williams | 05/28/1968 | Male | Systemic Mastocytosis |
| Helen Milliken | 11/16/2000 | Female | Autoimmune Encephalitis |
Best Practices for Patient Matching
Accurate and complete patient creation lays the groundwork for reliable data matching across the network. Using CSV uploads or API-based creation supports scalable and consistent record management while reducing duplication and errors.
Patient matching improves as you provide more demographic detail. Core identifiers such as full name, birth date, gender, and complete address information create the strongest matching signal. Prior addresses, alternate names, and external identifiers offer additional anchors that help unify records from past encounters or different health systems.
Required Demographic and Identifier Data
When creating a new Subject (patient) in the xCures system, use the Subject endpoint. Supplying as many of these fields as possible strengthens match confidence and improves the ability to locate a patient's longitudinal record across participating EHRs and national exchange networks.
| Data Element | Required / Optional |
|---|---|
| ID (bring your own UUID) | Required |
| First Name | Required |
| Last Name | Required |
| Date of Birth (DOB) | Optional — Strongly Recommended |
| Date of Death | Optional — Strongly Recommended |
| Sex Assigned at Birth | Optional — Strongly Recommended |
| Address Line 1 | Optional — Strongly Recommended |
| Address Line 2 | Optional — Recommended When Available |
| City | Optional — Strongly Recommended |
| State | Optional — Strongly Recommended |
| Postal (ZIP) Code | Optional — Strongly Recommended |
| Additional Names | Optional — Strongly Recommended |
| Additional Addresses | Optional — Recommended When Available |
| Optional | |
| Phone Number | Optional |
API Error Handling
xCures uses standard HTTP response codes to indicate the success or failure of an API request. Codes in the 2xx range indicate success. Codes in the 4xx range indicate an error that failed given the information provided.
The request succeeded and the server returned the requested resource.
The request is not acceptable, likely due to a missing required parameter.
Invalid API key or ProjectId. Verify your Bearer token and ProjectId are correct.
You're authenticated, but you don't have permission to access this resource. Check with your Customer Success Manager.
Too many requests are hitting the API in a short duration.
Something broke on the server side. If the issue persists, please reach out to xCures Support.
Next Steps
API Reference
With credentials in place and the endpoints understood, the API Reference is the starting point for development.