
Credible FHIR

Supported Product: Credible Behavioral Health Version 11

Sandbox Base URL:

Sandbox Authorization Endpoint:

Sandbox Token Endpoint:

Production Base URL:

Production Authorization Endpoint:

Production Token Endpoint:

Endpoint Directory

Terms & Conditions

Complete Terms and Conditions


No fees are charged to access the API documentation.

At this time, no additional fees will be assessed.


Credible FHIR APIs are only available to registered developers.

Production access is limited to Qualifacts customers that have licensed the Credible FHIR API functionality.

Third-party developers must execute a Business Associate Agreement (BAA) with Qualifacts, and separately with each customer.


App developers must ensure all electronic protected health information (ePHI) is handled securely and appropriately.

Developers are encouraged to review all applicable state and federal rules including, but not limited to, the related ONC 2015 Edition criteria:



Patients and their authorized representatives must request API access directly from the participating agency.


Developers must first register to gain access to the sandbox environment.

Step 1: Review the Qualifacts Terms and Conditions.

Step 2: Using the Credible FHIR API Developer Registration form, send the following information to the FHIR API coordinator at


By submitting a registration request, you agree to accept and be fully bound by the FHIR API Terms of Use.

  • Software Company Name

  • Software/Application Name

  • Software Company Website URL

  • Software Company’s Address (Street, City, ZIP, Country)

  • Developer/Contact Name

  • Contact Phone Number

  • Contact Email Address

  • OAuth Callback URL (required for Patient and Provider applications, not needed for System-to-System)

  • JWKS URL (required for System-to-System applications, used to extract JSON Web Keys)

  • Brief Description of the Application (optional)

  • Intended Audience of the Application (optional; Patients, Providers, System-to-System)

Step 3: Qualifacts registers the developer application.

Step 4: Qualifacts sends you the application’s client_id and client_secret, and a sample patient’s credentials needed for sandbox access.

Step 5: Test your API in the sandbox.

Step 6: When your API is ready, contact the FHIR API coordinator for production access.


If your app is Provider-facing, or a System-to-System (Bulk FHIR) implementation, the participating organization must also approve your app.

Technical Documentation

API Information

See our Swagger page for API details.

System Requirements

Apps using the Credible FHIR API must be able to:

  • Connect via HTTPS with TLS 1.2

  • Securely store the client_id and client_secret, or support Proof Key for Code Exchange (PKCE)

  • Process JSON response files


Credible FHIR uses OAuth 2.0 and OpenID Connect for authentication.

Tokens, including initial refresh tokens, are issued as JSON Web Tokens.

Proof Key for Code Exchange (PKCE) is available for apps that cannot securely store the client_secret:
  • PKCE Code Challenge Method: S256

  • Supported PKCE Encryption Method: ES384 or RS384
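
The S256 challenge and the two requests that carry it, as an added example that is not Qualifacts code. It uses the standard OAuth 2.0 and RFC 7636 parameter names; the function names are hypothetical, and the endpoints, client_id and scope passed in are placeholders to be supplied by the caller.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def b64url(data):
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier):
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    if not 43 <= len(code_verifier) <= 128:
        raise ValueError("code_verifier must be 43 to 128 characters")
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def start_authorization(authorize_endpoint, client_id, redirect_uri, scope):
    """Return the URL to open and the per-login values the app must keep."""
    session = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": b64url(secrets.token_bytes(16)),
        "code_verifier": b64url(secrets.token_bytes(32)),  # 43 characters
    }
    query = {
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": scope, "state": session["state"],
        "code_challenge": s256_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urlencode(query), session


def token_request_form(callback_url, session):
    """Check the callback belongs to this login, then build the token POST body."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: callback is not for this login")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return {
        "grant_type": "authorization_code", "code": params["code"][0],
        "redirect_uri": session["redirect_uri"], "client_id": session["client_id"],
        "code_verifier": session["code_verifier"],  # sent instead of client_secret
    }
```

The code_verifier never leaves the app until the token request, so an authorization code intercepted at the callback cannot be redeemed without it.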

Resources & Scopes

Credible FHIR APIs are built to the FHIR® Specification R4.0.1 and US Core Implementation v3.1.1 as published by HL7® and support the following FHIR Resources.

Bulk data request APIs are built to the FHIR Bulk Data Access (Flat FHIR) 1.0.1 specification also published by HL7®.

  • AllergyIntolerance search-type, read

    • US Core AllergyIntolerance Profile USCDI v1

  • CarePlan search-type, read
    • US Core CarePlan Profile USCDI v1

  • CareTeam search-type, read

    • US Core CareTeam Profile USCDI v1

  • Condition search-type, read

    • US Core Condition Encounter Diagnosis Profile USCDI v1

    • US Core Condition Problems and Health Concerns Profile USCDI v1

  • Device search-type, read

    • US Core Implantable Device Profile USCDI v1

  • DiagnosticReport search-type, read
    • US Core DiagnosticReport Profile for Laboratory Results Reporting USCDI v1

    • US Core DiagnosticReport Profile for Report and Note Exchange USCDI v1

  • DocumentReference search-type, read

    • US Core DocumentReference Profile USCDI v1

  • Encounter search-type, read

    • US Core Encounter Profile USCDI v1

  • Goal search-type, read

    • US Core Goal Profile USCDI v1

  • Immunization search-type, read

    • US Core Immunization Profile USCDI v1

  • Location search-type, read

    • US Core Location Profile USCDI v1

  • Medication read

    • US Core Medication Profile USCDI v1

  • MedicationRequest search-type, read

    • US Core MedicationRequest Profile USCDI v1

  • Observation search-type, read

    • US Core Observation Clinical Test Result Profile USCDI v1

    • US Core Observation Imaging Result Profile USCDI v1

    • US Core Laboratory Result Observation Profile USCDI v1

    • US Core Observation Sexual Orientation Profile USCDI v1

    • US Core Observation Social History Profile USCDI v1

    • US Core Observation Survey Profile USCDI v1
      • US Core Observation SDOH Assessment Profile USCDI v1

    • US Core Smoking Status Observation Profile USCDI v1

    • US Core Vital Signs Profile USCDI v1
      • US Core Pediatric Head Occipital-frontal Circumference Percentile Profile USCDI v1

      • US Core Blood Pressure Profile USCDI v1

      • US Core BMI Profile USCDI v1

      • US Core Body Height Profile USCDI v1

      • US Core Body Temperature Profile USCDI v1

      • US Core Body Weight Profile USCDI v1

      • US Core Head Circumference Profile USCDI v1

      • US Core Heart Rate Profile USCDI v1

      • US Core Pediatric BMI for Age Observation Profile USCDI v1

      • US Core Pediatric Weight for Height Observation Profile USCDI v1

      • US Core Pulse Oximetry Profile USCDI v1

      • US Core Respiratory Rate Profile USCDI v1

  • Organization search-type, read

    • US Core Organization Profile USCDI v1

  • Patient search-type, read

    • US Core Patient Profile USCDI v1

  • Practitioner search-type, read

    • US Core Practitioner Profile USCDI v1

  • Procedure search-type, read

    • US Core Procedure Profile USCDI v1

  • Provenance read

    • US Core Provenance Profile USCDI v1

Common Error Codes

Qualifacts makes every effort to ensure the Credible FHIR API works correctly every time. If there is an issue, the Credible FHIR API will return standard HTTP error codes.

The most common errors you could encounter are listed below.

Client Errors



Bad Request

The server cannot process the request due to an apparent client error.



The required authentication failed or was not provided.



A valid request was received, but refused by the server. Typically, this is due to the user not having the necessary permissions for the specified resource.


Not Found

The requested resource could not be found.


Request Timeout

The server timed out waiting for the request.


Too Many Requests

Too many requests have been sent in a given time period.

  • Check your API request for misspellings and other incorrect syntax.

  • Make sure the request has a valid token and that the token matches the request. For example, the token was for a patient at ABC Org, but the request was sent to XYZ Org.

  • Compare the request with the list of supported FHIR resources and scopes.
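
The three checks above can be run locally before a request is sent. This is an added example, not Qualifacts code: the function name is hypothetical, the resource sets are copied from the Resources & Scopes list on this page, and it assumes each organization has its own base URL (the URLs used with it are placeholders).

```python
from urllib.parse import urlsplit

# Copied from the "Resources & Scopes" list on this page.
SEARCH_AND_READ = {
    "AllergyIntolerance", "CarePlan", "CareTeam", "Condition", "Device",
    "DiagnosticReport", "DocumentReference", "Encounter", "Goal",
    "Immunization", "Location", "MedicationRequest", "Observation",
    "Organization", "Patient", "Practitioner", "Procedure",
}
READ_ONLY = {"Medication", "Provenance"}


def preflight(token_base_url, request_url):
    """Return "ok" or the reason the request is likely to be refused."""
    base, req = urlsplit(token_base_url), urlsplit(request_url)
    if req.scheme != "https":
        return "request is not HTTPS"
    # Assumption: one base URL per organization, so a token obtained for one
    # base URL must not be sent to another.
    prefix = base.path.rstrip("/") + "/"
    if req.netloc.lower() != base.netloc.lower() or not req.path.startswith(prefix):
        return "request is outside the base URL the token was issued for"
    segments = [s for s in req.path[len(prefix):].split("/") if s]
    if not segments or len(segments) > 2 or segments[-1][0] in "_$":
        return "not a read or search-type request; not covered by this check"
    resource = segments[0]  # FHIR resource names are case-sensitive
    interaction = "read" if len(segments) == 2 else "search-type"
    if resource in READ_ONLY and interaction != "read":
        return f"{resource} supports read only, not {interaction}"
    if resource not in SEARCH_AND_READ | READ_ONLY:
        return f"{resource} is not in the supported resource list"
    return "ok"
```

Refusing to send when the base URL differs also keeps a bearer token from being delivered to a server it was not issued for.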

Server Errors



Internal Server Error

A generic error message for an unexpected condition.


Bad Gateway

The gateway/proxy server received an invalid response from the upstream server.


Service Unavailable

The server cannot handle the request, typically because it is overloaded or down for maintenance.


Gateway Timeout

The gateway/proxy server did not receive a timely response from the upstream server.

  • In case of a server error, first wait a few minutes before sending another request.

  • If the issue persists, please notify the Credible FHIR API coordinator at