Skip to content

QUBS Integrations API (v1)

Partner-facing API providing read access to selected QUBS configuration and scheduling data, plus reporting submission endpoints for tele reporting workflows.

Authentication is via a bearer JWT in the Authorization header. Authorization is domain-scoped; all requests include a {domain} path parameter. Tokens are issued via the OAuth 2.0 client credentials flow (see Authentication below).

Token lifetimes:

  • Authentication flow session duration: 3 minutes.
  • Access token expiration: 60 minutes.
  • ID token expiration: 60 minutes.
  • Refresh token expiration: 5 days.

Refresh tokens (when issued) can be exchanged for new access tokens until they expire; after expiration, request a new token via the client credentials flow.

Scopes/audience: no additional scopes are required for current integrations; authorization is domain-scoped via claims. Audience is managed by QUBS; use the client credentials provisioned for your integration.

Sandbox: no public sandbox environment is currently available.

Errors are returned as RFC7807 Problem Details (application/problem+json) and include a requestId plus the X-Correlation-Id response header.

Data handling: responses may include PHI (patient name/date of birth). Treat all such data as sensitive, apply least-privilege access, and avoid logging or storing longer than required.

Date/time conventions: date values use ISO 8601 yyyy-MM-dd. time values use HH:mm:ss in the scheduled site's local timezone (see SiteSettings.timeZone). date-time values are returned in UTC. Numeric values are JSON numbers (integers/decimals), not strings.

Pagination: cursor endpoints return page objects with items and nextToken, while offset endpoints return arrays. For cursor paging, stop when nextToken is empty/omitted; for offset paging, stop when the response count is less than take. Ordering is not guaranteed and should not be assumed to be chronological.

Retry guidance: for 429 responses, honor the Retry-After header and use exponential backoff with jitter. GET requests are safe to retry. Reporting POST endpoints support the Idempotency-Key header; use a stable ASCII token (recommend a UUID) up to 128 characters and reuse the same key with the same payload to receive the original response. For timeouts or transient transport errors, retry the POST with the same key and exponential backoff; reuse with a different payload returns 409 Conflict. Keys are retained for 24 hours (comments/reports) or 15 minutes (report attachment uploads). Without the header, retries can create duplicates.

Rate limits: no fixed quotas or standard rate-limit headers are guaranteed. Use 429 responses and Retry-After when present.

Getting started

Base URL

  • Production: https://partners.qubs.io

Authentication

  1. Request an access token using the OAuth 2.0 client credentials flow.
  2. Send it in the Authorization header as Bearer <token>.

Token endpoint: https://authenticate.qubs.io/oauth2/token

Token request examples:

curl -X POST "https://authenticate.qubs.io/oauth2/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "client_id=<client_id>" \
  --data-urlencode "client_secret=<client_secret>"
Unirest.setTimeouts(0, 0);
HttpResponse<String> response = Unirest.post("https://authenticate.qubs.io/oauth2/token")
  .header("Content-Type", "application/x-www-form-urlencoded")
  .field("grant_type", "client_credentials")
  .field("client_id", "<client_id>")
  .field("client_secret", "<client_secret>")
  .asString();
using var client = new HttpClient();
using var request = new HttpRequestMessage(HttpMethod.Post, "https://authenticate.qubs.io/oauth2/token");
request.Content = new FormUrlEncodedContent(new Dictionary<string, string>
{
    ["grant_type"] = "client_credentials",
    ["client_id"] = "<client_id>",
    ["client_secret"] = "<client_secret>"
});
using var response = await client.SendAsync(request);
response.EnsureSuccessStatusCode();
var tokenPayload = await response.Content.ReadAsStringAsync();

Use the access_token value from the response as your bearer token.

If a refresh_token is issued, you can exchange it for new access tokens until it expires (5 days). When a refresh token is expired or not provided, request a new token via client credentials.

Example requests

curl -X GET "https://partners.qubs.io/integrations/v1/acme/reporting/appointments/pending?pageSize=1" \
  -H "Authorization: Bearer <token>"
curl -X POST "https://partners.qubs.io/integrations/v1/acme/reporting/appointments/A123456/report" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"reportText":"Preliminary report text","reportStatus":"preliminary","reportedAtUtc":"2025-01-10T03:04:05Z"}'

Reporting workflow (example)

  1. List pending reporting appointments.
curl -X GET "https://partners.qubs.io/integrations/v1/acme/reporting/appointments/pending?pageSize=1" \
  -H "Authorization: Bearer <token>"

Example response:

{
  "items": [
    {
      "domain": "acme",
      "appointmentId": "A123456",
      "status": "PENDING REPORTING",
      "scheduledSite": "Central Clinic",
      "appointmentDate": "2025-01-12",
      "startTime": "13:45:00",
      "patientName": "Jane Doe"
    }
  ],
  "nextToken": "DDB_NEXT_TOKEN"
}
  1. (Optional) Create report attachment upload URLs.
curl -X POST "https://partners.qubs.io/integrations/v1/acme/reporting/appointments/A123456/report/attachments" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: <idempotency-key>" \
  -d '{"items":[{"fileName":"report.pdf","contentType":"application/pdf"}]}'

Example response:

{
  "items": [
    {
      "guid": "989dd0c7-13bb-4bba-b7a0-53a28bdf5155",
      "fileName": "report.pdf",
      "category": "report",
      "uploadUrl": "https://example.com/upload/report.pdf",
      "uploadUrlExpiresAtUtc": "2025-01-10T03:19:05Z"
    }
  ]
}
  1. Upload the report artifact bytes with a PUT to uploadUrl.
curl -X PUT "https://example.com/upload/report.pdf" \
  -H "Content-Type: application/pdf" \
  --data-binary "@report.pdf"
  1. Submit the report content. Submissions overwrite any existing report for the appointment; you can submit a preliminary report and later submit a final report.
curl -X POST "https://partners.qubs.io/integrations/v1/acme/reporting/appointments/A123456/report" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: <idempotency-key>" \
  -d '{"reportText":"No acute abnormality detected.","reportStatus":"preliminary","reportedAtUtc":"2025-01-10T03:04:05Z"}'

Example response:

{
  "reportGuid": "4b7f0a91-b4f5-4f2a-9a21-23456789abcd",
  "reportStatus": "preliminary",
  "reportedAtUtc": "2025-01-10T03:04:05Z"
}
  1. (Optional) Create an appointment comment/alert.
curl -X POST "https://partners.qubs.io/integrations/v1/acme/reporting/appointments/A123456/comments" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: <idempotency-key>" \
  -d '{"commentText":"Report sent to referrer.","commentType":"AC","isAlert":false}'
Download OpenAPI description
openapi.json
openapi.yaml
Languages
Servers
Mock server
https://partnerdocs.qubs.io/_mock/openapi
Production API
https://partners.qubs.io
Relative to the current host
https://partnerdocs.qubs.io

Site Settings

Partner-facing endpoints for listing sites and retrieving site configuration within a domain.

Operations

Exam Codes

Partner-facing endpoints for retrieving exam code configuration for a site within a domain.

Operations

Staff Skills

Partner-facing endpoints for retrieving the staff skill grid and related metadata for a site within a domain.

Operations

Appointments

Partner-facing endpoints for retrieving appointments within a domain.

Operations

Attachments

Partner-facing endpoints for retrieving appointment attachments and generating short-lived presigned URLs.

Operations

Comments

Partner-facing endpoints for retrieving appointment and patient comments/alerts associated with an appointment.

Operations

List comments for an appointment

Request

Returns all appointment comments/alerts plus patient comments/alerts for the appointment's patient when the caller is authorized.

Response body is a JSON array. Fields below apply to each array item.

Security
Bearer
Path
domainstringrequired

Partner domain identifier. Your bearer token is scoped to one or more domains and requests outside that scope are rejected.

Example: acme
appointmentIdstringrequired

Appointment identifier within the specified domain.

Example: A123456
Headers
X-Correlation-Idstring

Request correlation identifier. Echoes the incoming X-Correlation-Id header when provided.

Example: 4b7f0a91b4f54f2a
curl -i -X GET \
  https://partnerdocs.qubs.io/_mock/openapi/integrations/v1/acme/appointments/A123456/comments \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'X-Correlation-Id: 4b7f0a91b4f54f2a'

Responses

Array of appointment and patient comments/alerts for the requested appointment.

Headers
X-Correlation-Idstring

Request correlation identifier. Echoes the incoming X-Correlation-Id header when provided.

Example: "4b7f0a91b4f54f2a"
Bodyapplication/jsonArray [
guidstringrequired

Comment GUID.

Example: "123"
commentTypestringrequired

Comment type. One of: AC (Appointment Comment), AA (Appointment Alert), PC (Patient Comment), PA (Patient Alert).

Enum"AC""AA""PC""PA"
Example: "AC"
appointmentIdstring

Appointment identifier for appointment comments; empty for patient-level comments.

Example: "123"
patientIdstring

Patient identifier associated with the comment when available.

Example: "123"
commentTextstring

Comment text.

Example: "Example commentText"
commentDateTimenull or string(date-time)

When the comment was created (UTC) when available.

Example: "2020-01-01T00:00:00Z"
isAlertboolean

Whether this comment should be treated as an alert.

Example: true
commentByobject(UserSummaryResponse)

Who created the comment when available.

lastModifiedDateTimenull or string(date-time)

When the comment was last modified (UTC).

Example: "2020-01-01T00:00:00Z"
lastModifiedByobject(UserSummaryResponse)

Who last modified the comment when available.

]
Response
application/json
[
  {
    "guid": "ed6ef45a-4e3d-41b2-8049-7aec53bb9ab1",
    "commentType": "AA",
    "appointmentId": "A123456",
    "patientId": "220000",
    "commentText": "Patient requires wheelchair access.",
    "commentDateTime": "2025-01-10T02:03:04Z",
    "isAlert": true,
    "commentBy": { … },
    "lastModifiedDateTime": "2025-01-10T02:03:04Z",
    "lastModifiedBy": { … }
  }
]

Get a single comment for an appointment

Request

Returns a single appointment comment/alert or patient comment/alert (for the appointment's patient) when the caller is authorized.

Security
Bearer
Path
domainstringrequired

Partner domain identifier. Your bearer token is scoped to one or more domains and requests outside that scope are rejected.

Example: acme
appointmentIdstringrequired

Appointment identifier within the specified domain.

Example: A123456
commentGuidstringrequired

Comment GUID for the requested appointment/patient comment.

Example: ed6ef45a-4e3d-41b2-8049-7aec53bb9ab1
Headers
X-Correlation-Idstring

Request correlation identifier. Echoes the incoming X-Correlation-Id header when provided.

Example: 4b7f0a91b4f54f2a
curl -i -X GET \
  https://partnerdocs.qubs.io/_mock/openapi/integrations/v1/acme/appointments/A123456/comments/ed6ef45a-4e3d-41b2-8049-7aec53bb9ab1 \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'X-Correlation-Id: 4b7f0a91b4f54f2a'

Responses

Comment metadata for the requested comment (appointment or patient) for the requested appointment.

Headers
X-Correlation-Idstring

Request correlation identifier. Echoes the incoming X-Correlation-Id header when provided.

Example: "4b7f0a91b4f54f2a"
Bodyapplication/json
guidstringrequired

Comment GUID.

Example: "123"
commentTypestringrequired

Comment type. One of: AC (Appointment Comment), AA (Appointment Alert), PC (Patient Comment), PA (Patient Alert).

Enum"AC""AA""PC""PA"
Example: "AC"
appointmentIdstring

Appointment identifier for appointment comments; empty for patient-level comments.

Example: "123"
patientIdstring

Patient identifier associated with the comment when available.

Example: "123"
commentTextstring

Comment text.

Example: "Example commentText"
commentDateTimenull or string(date-time)

When the comment was created (UTC) when available.

Example: "2020-01-01T00:00:00Z"
isAlertboolean

Whether this comment should be treated as an alert.

Example: true
commentByobject(UserSummaryResponse)

Who created the comment when available.

lastModifiedDateTimenull or string(date-time)

When the comment was last modified (UTC).

Example: "2020-01-01T00:00:00Z"
lastModifiedByobject(UserSummaryResponse)

Who last modified the comment when available.

Response
application/json
{
  "guid": "ed6ef45a-4e3d-41b2-8049-7aec53bb9ab1",
  "commentType": "AA",
  "appointmentId": "A123456",
  "patientId": "220000",
  "commentText": "Patient requires wheelchair access.",
  "commentDateTime": "2025-01-10T02:03:04Z",
  "isAlert": true,
  "commentBy": {
    "username": "mbrown",
    "firstName": "Maya",
    "initials": "MB",
    "lastName": "Brown",
    "role": "Reception"
  },
  "lastModifiedDateTime": "2025-01-10T02:03:04Z",
  "lastModifiedBy": {
    "username": "jchen",
    "firstName": "Jesse",
    "initials": "JC",
    "lastName": "Chen",
    "role": "Scheduler"
  }
}

Patients

Partner-facing endpoints for retrieving patients within a domain.

Operations

Reporting

Partner-facing endpoints for retrieving appointments that are pending reporting and submitting tele reporting artifacts. Typical workflow: list pending reporting appointments, create upload URLs for report artifacts (optional), upload with PUT, then submit report content.

Operations