Agency API v1
Base URL: /api/v1. All authenticated calls use a bearer token issued from the
API keys page. Errors are returned as RFC 7807
application/problem+json with a machine-readable code member.
Authentication
Authorization: Bearer ned_xxxxxxxxxxxx
Discovery (no auth)
GET /api/v1/meta— capabilities, scopes, formats, rate-limit policy.GET /api/v1/public/agencies?q=— directory of verified agencies.
Endpoints
| Method | Path | Scope |
|---|---|---|
| GET | /api/v1/agency/me | — |
| GET | /api/v1/agency/hospitals | read:granted-hospitals |
| GET | /api/v1/agency/hospitals/{id}/current?format= | read:scores |
| GET | /api/v1/agency/hospitals/{id}/history?from=&to= | read:scores |
| GET | /api/v1/agency/hospitals/{id}/operational-flags | read:context |
| POST | /api/v1/agency/hospitals/{id}/scores | write:scores |
| POST | /api/v1/agency/hospitals/{id}/context | write:context |
| GET / POST / DELETE | /api/v1/agency/webhooks | write:webhook |
Supported formats
CsvLineEMResourceJsonFhirObservationHavBedXmlJsonV1
Idempotent writes
Send an Idempotency-Key header on POSTs to make retries safe; the stored response
is replayed verbatim for 24 hours.
Webhook signatures
Pushed payloads carry X-Nedocs-Signature: t=<ts>,v1=<hex>, an HMAC-SHA256 of
<ts>.<body> keyed with your webhook signing secret. Reject deliveries whose
timestamp is too old, and recompute the HMAC to verify authenticity.
Rate limits
600 requests per 10 minutes per key. Watch X-RateLimit-Remaining and
Retry-After on 429.