Skip to content

QUBS Integrations API (v1)

Partner-facing API providing read access to selected QUBS configuration and scheduling data, plus reporting submission endpoints for tele reporting workflows.

Authentication is via a bearer JWT in the Authorization header. Authorization is domain-scoped; all requests include a {domain} path parameter. Tokens are issued via the OAuth 2.0 client credentials flow (see Authentication below).

Token lifetimes:

  • Authentication flow session duration: 3 minutes.
  • Access token expiration: 60 minutes.
  • ID token expiration: 60 minutes.
  • Refresh token expiration: 5 days.

Refresh tokens (when issued) can be exchanged for new access tokens until they expire; after expiration, request a new token via the client credentials flow.

Scopes/audience: no additional scopes are required for current integrations; authorization is domain-scoped via claims. Audience is managed by QUBS; use the client credentials provisioned for your integration.

Sandbox: no public sandbox environment is currently available.

Errors are returned as RFC7807 Problem Details (application/problem+json) and include a requestId plus the X-Correlation-Id response header.

Data handling: responses may include PHI (patient name/date of birth). Treat all such data as sensitive, apply least-privilege access, and avoid logging or storing longer than required.

Date/time conventions: date values use ISO 8601 yyyy-MM-dd. time values use HH:mm:ss in the scheduled site's local timezone (see SiteSettings.timeZone). date-time values are returned in UTC. Numeric values are JSON numbers (integers/decimals), not strings.

Pagination: cursor endpoints return page objects with items and nextToken, while offset endpoints return arrays. For cursor paging, stop when nextToken is empty/omitted; for offset paging, stop when the response count is less than take. Ordering is not guaranteed and should not be assumed to be chronological.

Retry guidance: for 429 responses, honor the Retry-After header and use exponential backoff with jitter. GET requests are safe to retry. Reporting POST endpoints support the Idempotency-Key header; use a stable ASCII token (recommend a UUID) up to 128 characters and reuse the same key with the same payload to receive the original response. For timeouts or transient transport errors, retry the POST with the same key and exponential backoff; reuse with a different payload returns 409 Conflict. Keys are retained for 24 hours (comments/reports) or 15 minutes (report attachment uploads). Without the header, retries can create duplicates.

Rate limits: no fixed quotas or standard rate-limit headers are guaranteed. Use 429 responses and Retry-After when present.

Getting started

Base URL

  • Production: https://partners.qubs.io

Authentication

  1. Request an access token using the OAuth 2.0 client credentials flow.
  2. Send it in the Authorization header as Bearer <token>.

Token endpoint: https://authenticate.qubs.io/oauth2/token

Token request examples:

curl -X POST "https://authenticate.qubs.io/oauth2/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "client_id=<client_id>" \
  --data-urlencode "client_secret=<client_secret>"
Unirest.setTimeouts(0, 0);
HttpResponse<String> response = Unirest.post("https://authenticate.qubs.io/oauth2/token")
  .header("Content-Type", "application/x-www-form-urlencoded")
  .field("grant_type", "client_credentials")
  .field("client_id", "<client_id>")
  .field("client_secret", "<client_secret>")
  .asString();
using var client = new HttpClient();
using var request = new HttpRequestMessage(HttpMethod.Post, "https://authenticate.qubs.io/oauth2/token");
request.Content = new FormUrlEncodedContent(new Dictionary<string, string>
{
    ["grant_type"] = "client_credentials",
    ["client_id"] = "<client_id>",
    ["client_secret"] = "<client_secret>"
});
using var response = await client.SendAsync(request);
response.EnsureSuccessStatusCode();
var tokenPayload = await response.Content.ReadAsStringAsync();

Use the access_token value from the response as your bearer token.

If a refresh_token is issued, you can exchange it for new access tokens until it expires (5 days). When a refresh token is expired or not provided, request a new token via client credentials.

Example requests

curl -X GET "https://partners.qubs.io/integrations/v1/acme/reporting/appointments/pending?pageSize=1" \
  -H "Authorization: Bearer <token>"
curl -X POST "https://partners.qubs.io/integrations/v1/acme/reporting/appointments/A123456/report" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"reportText":"Preliminary report text","reportStatus":"preliminary","reportedAtUtc":"2025-01-10T03:04:05Z"}'

Reporting workflow (example)

  1. List pending reporting appointments.
curl -X GET "https://partners.qubs.io/integrations/v1/acme/reporting/appointments/pending?pageSize=1" \
  -H "Authorization: Bearer <token>"

Example response:

{
  "items": [
    {
      "domain": "acme",
      "appointmentId": "A123456",
      "status": "PENDING REPORTING",
      "scheduledSite": "Central Clinic",
      "appointmentDate": "2025-01-12",
      "startTime": "13:45:00",
      "patientName": "Jane Doe"
    }
  ],
  "nextToken": "DDB_NEXT_TOKEN"
}
  1. (Optional) Create report attachment upload URLs.
curl -X POST "https://partners.qubs.io/integrations/v1/acme/reporting/appointments/A123456/report/attachments" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: <idempotency-key>" \
  -d '{"items":[{"fileName":"report.pdf","contentType":"application/pdf"}]}'

Example response:

{
  "items": [
    {
      "guid": "989dd0c7-13bb-4bba-b7a0-53a28bdf5155",
      "fileName": "report.pdf",
      "category": "report",
      "uploadUrl": "https://example.com/upload/report.pdf",
      "uploadUrlExpiresAtUtc": "2025-01-10T03:19:05Z"
    }
  ]
}
  1. Upload the report artifact bytes with a PUT to uploadUrl.
curl -X PUT "https://example.com/upload/report.pdf" \
  -H "Content-Type: application/pdf" \
  --data-binary "@report.pdf"
  1. Submit the report content. Submissions overwrite any existing report for the appointment; you can submit a preliminary report and later submit a final report.
curl -X POST "https://partners.qubs.io/integrations/v1/acme/reporting/appointments/A123456/report" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: <idempotency-key>" \
  -d '{"reportText":"No acute abnormality detected.","reportStatus":"preliminary","reportedAtUtc":"2025-01-10T03:04:05Z"}'

Example response:

{
  "reportGuid": "4b7f0a91-b4f5-4f2a-9a21-23456789abcd",
  "reportStatus": "preliminary",
  "reportedAtUtc": "2025-01-10T03:04:05Z"
}
  1. (Optional) Create an appointment comment/alert.
curl -X POST "https://partners.qubs.io/integrations/v1/acme/reporting/appointments/A123456/comments" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: <idempotency-key>" \
  -d '{"commentText":"Report sent to referrer.","commentType":"AC","isAlert":false}'
Download OpenAPI description
openapi.json
openapi.yaml
Languages
Servers
Mock server
https://partnerdocs.qubs.io/_mock/openapi
Production API
https://partners.qubs.io
Relative to the current host
https://partnerdocs.qubs.io

Site Settings

Partner-facing endpoints for listing sites and retrieving site configuration within a domain.

Operations

List sites in the specified partner domain

Request

Returns the active sites a partner is allowed to access within a domain after authorization succeeds.

Response body is a JSON array. Fields below apply to each array item.

Security
Bearer
Path
domainstringrequired

Partner domain identifier. Your bearer token is scoped to one or more domains and requests outside that scope are rejected.

Example: acme
Headers
X-Correlation-Idstring

Request correlation identifier. Echoes the incoming X-Correlation-Id header when provided.

Example: 4b7f0a91b4f54f2a
curl -i -X GET \
  https://partnerdocs.qubs.io/_mock/openapi/integrations/v1/acme/sites \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'X-Correlation-Id: 4b7f0a91b4f54f2a'

Responses

Array of active sites for the requested domain.

Headers
X-Correlation-Idstring

Request correlation identifier. Echoes the incoming X-Correlation-Id header when provided.

Example: "4b7f0a91b4f54f2a"
Bodyapplication/jsonArray [
domainstringrequired

Domain this site belongs to.

Example: "Example domain"
siteNamestringrequired

Site name.

Example: "Example Site"
]
Response
application/json
[
  {
    "domain": "acme",
    "siteName": "Central Clinic"
  },
  {
    "domain": "acme",
    "siteName": "North Clinic"
  }
]

Get site settings summary by domain and site name

Request

Returns the site settings summary view for a specific site when the caller is authorized for the requested domain and site.

Security
Bearer
Path
domainstringrequired

Partner domain identifier. Your bearer token is scoped to one or more domains and requests outside that scope are rejected.

Example: acme
siteNamestringrequired

Site name within the specified domain.

Example: Example Site
Headers
X-Correlation-Idstring

Request correlation identifier. Echoes the incoming X-Correlation-Id header when provided.

Example: 4b7f0a91b4f54f2a
curl -i -X GET \
  'https://partnerdocs.qubs.io/_mock/openapi/integrations/v1/acme/sites/Example Site' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'X-Correlation-Id: 4b7f0a91b4f54f2a'

Responses

Site settings summary view for the requested domain and site.

Headers
X-Correlation-Idstring

Request correlation identifier. Echoes the incoming X-Correlation-Id header when provided.

Example: "4b7f0a91b4f54f2a"
Bodyapplication/json
domainstringrequired

Domain this site belongs to.

Example: "Example domain"
siteNamestringrequired

Site name.

Example: "Example Site"
companyNamestringrequired

Company name associated with the site.

Example: "Example Name"
timeZonestring

IANA or platform timezone identifier used by the site.

Example: "Example timeZone"
Response
application/json
{
  "domain": "acme",
  "siteName": "Central Clinic",
  "companyName": "ACME Radiology",
  "timeZone": "Australia/Sydney"
}

Get operational site settings by domain and site name

Request

Returns the operational site settings view for a specific site when the caller is authorized for the requested domain and site.

Security
Bearer
Path
domainstringrequired

Partner domain identifier. Your bearer token is scoped to one or more domains and requests outside that scope are rejected.

Example: acme
siteNamestringrequired

Site name within the specified domain.

Example: Example Site
Headers
X-Correlation-Idstring

Request correlation identifier. Echoes the incoming X-Correlation-Id header when provided.

Example: 4b7f0a91b4f54f2a
curl -i -X GET \
  'https://partnerdocs.qubs.io/_mock/openapi/integrations/v1/acme/sites/Example Site/operational' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'X-Correlation-Id: 4b7f0a91b4f54f2a'

Responses

Operational site settings view for the requested domain and site.

Headers
X-Correlation-Idstring

Request correlation identifier. Echoes the incoming X-Correlation-Id header when provided.

Example: "4b7f0a91b4f54f2a"
Bodyapplication/json
domainstringrequired

Domain this site belongs to.

Example: "Example domain"
siteNamestringrequired

Site name.

Example: "Example Site"
companyNamestringrequired

Company name associated with the site.

Example: "Example Name"
timeZonestring

IANA or platform timezone identifier used by the site.

Example: "Example timeZone"
defaultBillingstring

Default billing type used when booking or invoicing.

Example: "Example defaultBilling"
defaultPrioritystring

Default appointment priority.

Example: "Example defaultPriority"
appendStudyDescriptionboolean

Whether to append the study description in downstream outputs where applicable.

Example: true
patientDobRequiredboolean

Whether date of birth is required for patients at this site.

Example: true
patientSexRequiredboolean

Whether patient sex is required for patients at this site.

Example: true
lastModifiedDateTimestring(date-time)

When the site settings were last updated.

Example: "2020-01-01T00:00:00Z"
lastModifiedBystring

Who last updated the site settings.

Example: "Example lastModifiedBy"
Response
application/json
{
  "domain": "acme",
  "siteName": "Central Clinic",
  "companyName": "ACME Radiology",
  "timeZone": "Australia/Sydney",
  "defaultBilling": "bulk",
  "defaultPriority": "Routine",
  "appendStudyDescription": true,
  "patientDobRequired": true,
  "patientSexRequired": true,
  "lastModifiedDateTime": "2025-01-10T02:03:04Z",
  "lastModifiedBy": "jsmith"
}

Exam Codes

Partner-facing endpoints for retrieving exam code configuration for a site within a domain.

Operations

Staff Skills

Partner-facing endpoints for retrieving the staff skill grid and related metadata for a site within a domain.

Operations

Appointments

Partner-facing endpoints for retrieving appointments within a domain.

Operations

Attachments

Partner-facing endpoints for retrieving appointment attachments and generating short-lived presigned URLs.

Operations

Comments

Partner-facing endpoints for retrieving appointment and patient comments/alerts associated with an appointment.

Operations

Patients

Partner-facing endpoints for retrieving patients within a domain.

Operations

Reporting

Partner-facing endpoints for retrieving appointments that are pending reporting and submitting tele reporting artifacts. Typical workflow: list pending reporting appointments, create upload URLs for report artifacts (optional), upload with PUT, then submit report content.

Operations