Developer Docs

API Reference

HealthXfer provides a simple REST API for submitting, tracking, and managing medical record requests between facilities.

Authentication

All requests are scoped to a tenant subdomain. Each hospital gets its own subdomain:

https://{slug}.healthxfer.com

Public API (request form)

Use x-org-key and x-tenant-slug headers. Org keys are issued by the fulfilling facility's IT admin.

Admin API

JWT bearer token from POST /api/auth/login. Pass as Authorization: Bearer <token>.

Submit a Record Request

POST/api/requests

Submit a patient record request to a facility. MRN and DOB are encrypted in the PHI vault and never stored in the database.

Headers

x-org-key: org_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
x-tenant-slug: your-hospital
Content-Type: application/json

Request body

{
  "patientId":          "MRN-12345",       // required — patient MRN
  "patientDob":         "1985-03-15",      // required — YYYY-MM-DD
  "studyType":          "ct",              // required — see Study Types
  "dateRange":          "2024-01-01 to 2024-12-31", // required
  "departmentId":       "uuid",            // optional — from /api/departments
  "contactEmail":       "records@org.com", // optional — for notifications
  "deliveryPreference": "secure_portal",   // optional
  "deliveryDetails":    "portal.org.com"   // optional
}

Response 201 Created

{
  "id":      "b7fc4d3b-3519-458b-906c-8c2985ab8cad",
  "status":  "pending",
  "message": "Request received. You'll be notified when it's processed."
}

Check Request Status

GET/api/request-status

Public endpoint. No auth required — just the request ID and org key.

Query params

?requestId=b7fc4d3b-3519-458b-906c-8c2985ab8cad
&orgKey=org_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Response

{
  "id":          "b7fc4d3b-...",
  "status":      "pending | fulfilled | rejected | failed",
  "studyType":   "ct",
  "updatedAt":   "2026-04-16T15:42:00Z",
  "fulfilledAt": "2026-04-16T16:01:22Z"  // present when status = fulfilled
}

List Departments

GET/api/departments/for-tenant

Returns the departments accepting requests for a given tenant. Use this to populate the department dropdown.

Query params

?forTenantSlug=your-hospital

Response

[
  {
    "id":       "e0168662-e2c3-4d58-8fe4-db883bb33e94",
    "name":     "Radiology",
    "slug":     "radiology",
    "workflow": "automated"
  },
  {
    "id":       "a1b2c3d4-...",
    "name":     "HIM",
    "slug":     "him",
    "workflow": "manual"
  }
]

Webhooks

Configure a webhook URL in Admin → Settings. HealthXfer sends a POST to your endpoint whenever a request status changes.

Payload

{
  "requestId":    "b7fc4d3b-3519-458b-906c-8c2985ab8cad",
  "status":       "fulfilled",
  "transactionId":"tx_abc123def456",
  "fulfilledAt":  "2026-04-16T16:01:22Z",
  "failureReason": null
}

Respond with any 2xx to acknowledge. HealthXfer fires-and-forgets (no retries in v1 — coming soon).

Study Types

Use these values in the studyType field. Case-insensitive.

Value	Description
ct	CT Scan
mri	MRI
xray	X-ray / Radiograph
us	Ultrasound
echo	Echocardiogram
mammo	Mammography
pet	PET Scan
pathology	Pathology / Biopsy report
lab	Lab results
other	Other / unspecified

Errors

All errors return standard HTTP status codes with a JSON body.

{ "error": "Invalid org key" }

Status	Meaning
400	Bad request — missing or invalid field
401	Unauthorized — invalid org key or JWT
404	Not found — tenant, department, or request not found
429	Rate limit exceeded — max requests per hour per org
500	Internal server error — retry with exponential backoff

Ready to try it?

The demo tenant is live with test credentials.

Open demo form →