Agency API v1

Base URL: /api/v1. All authenticated calls use a bearer token issued from the API keys page. Errors are returned as RFC 7807 application/problem+json with a machine-readable code member.

Authentication

Authorization: Bearer ned_xxxxxxxxxxxx

Discovery (no auth)

  • GET /api/v1/meta — capabilities, scopes, formats, rate-limit policy.
  • GET /api/v1/public/agencies?q= — directory of verified agencies.

Endpoints

MethodPathScope
GET/api/v1/agency/me
GET/api/v1/agency/hospitalsread:granted-hospitals
GET/api/v1/agency/hospitals/{id}/current?format=read:scores
GET/api/v1/agency/hospitals/{id}/history?from=&to=read:scores
GET/api/v1/agency/hospitals/{id}/operational-flagsread:context
POST/api/v1/agency/hospitals/{id}/scoreswrite:scores
POST/api/v1/agency/hospitals/{id}/contextwrite:context
GET / POST / DELETE/api/v1/agency/webhookswrite:webhook

Supported formats

CsvLineEMResourceJsonFhirObservationHavBedXmlJsonV1

Idempotent writes

Send an Idempotency-Key header on POSTs to make retries safe; the stored response is replayed verbatim for 24 hours.

Webhook signatures

Pushed payloads carry X-Nedocs-Signature: t=<ts>,v1=<hex>, an HMAC-SHA256 of <ts>.<body> keyed with your webhook signing secret. Reject deliveries whose timestamp is too old, and recompute the HMAC to verify authenticity.

Rate limits

600 requests per 10 minutes per key. Watch X-RateLimit-Remaining and Retry-After on 429.