CommCare API Overview
- Gillian Javetski
- Rishabh Rath
- Kai Cowger
- Krinda Wernicke
This page below provides an overview of CommCare’s API functionality.
Overview
This section is for you if...
You are a programmer.
You are looking to write code that interacts directly with CommCare HQ through its APIs.
If you are not a programmer and are looking to integrate CommCare with other platforms we recommend looking at https://dimagi.atlassian.net/wiki/x/fRzKfw.
Things we take for granted...
You should have a familiarity with HTTP conventions, such as GET and POST and url parameters.
To follow the examples, you should be familiar with the standard command line tool curl. Here's the manual: https://curl.se/docs/.
Character encoding is UTF-8. Dates should be compliant https://en.wikipedia.org/wiki/ISO_8601. (In some cases we're still using RFC 3339, but we're moving towards ISO 8601.) Guids should be generated in accordance with RFC 4122.
API Authentication
The API's support a few different methods of authentication in addition to the normal session-based authentication used on the rest of CommCare HQ. This makes it easy to access these URLs programmatically.
The examples below use https://en.wikipedia.org/wiki/CURL.
Basic authentication
See https://en.wikipedia.org/wiki/Basic_access_authentication for details of basic authentication.
Example (will prompt for the password):
curl -v -u [USERNAME] '[URL]'
You can also include the password in the command as follows:
curl -v -u [USERNAME]:[PASSWORD] '[URL]'API Key authentication
Your API Keys can be found at https://www.commcarehq.org/accounts/login/?next=/account/api_keys/.
From that page you can generate new API keys and scope them to individual IP addresses. If an API key has an IP address whitelist, any request originating from a different IP address that uses that API key will be rejected.
When an API key is deleted, all requests using that key will be rejected. Unfortunately deleted keys cannot be recovered.
When creating a new API key, the actual key will only be shown once so you should note it down at that moment.
If you use this method of authentication, you do not need to provide a 2 factor OTP header (this is only relevant for API calls with 2 factor auth required.)
curl -H "Authorization: ApiKey [USERNAME]:[API_KEY]" '[URL]'Two-Factor authentication
If you have two factor authentication (2FA) set up on your account, then basic authentication is not directly supported for accessing APIs. Instead, you must use Api Key authentication, as described above, or pass in a two factor token generated via SMS or your authenticator application via the "otp" url parameter. For example: https://www.commcarehq.org/a/<domain>/api/v0.5/case/?otp=123456
API Explorer
A tool for browsing the read-only CommCare APIs can be found at https://commcare-api-explorer.dimagi.com/ . This tool will connect directly to your CommCare account using https://oauth.net/2/ so you don't have to worry about handling authentication. See https://dimagi.atlassian.net/wiki/spaces/commcarepublic/pages/2349990373 for more information.
API Standards
This page contains some shared information about all our APIs.
Dates
We need to decide on a standardized date and datetime format. We will most likely go with https://en.wikipedia.org/wiki/ISO_8601.
Formats
All APIs will be available in both JSON and XML format. Because XML is a more complex representation than JSON, there is not a simple 1:1 mapping. However, we will base the APIs on the JSON format and define a consistent schema for converting JSON to XML for consistency. Here are some standards that we're using.
Objects, Types, and IDs
Root objects should always have a type and id property. The type will be used to define the XML element name of the object, and the ID will be tagged as an attribute on the root element. Here is a very simple example demonstrating this:
Sample Object JSON
Sample Object XML
Lists
In JSON lists are allowed to be either very simple lists of a single basic value (typically a string), or lists of objects. Flat lists will be converted to XML as follows:
Sample Object with List JSON
Sample Object with List XML
The choice of element name for the internal list items (in this case "color") will be defined statically, per element, or may be guessed if there is no static mapping. Typically guessing would entail removing a trailing "s" from the list property name, as in this example.
Lists of objects expect the type property to be present on the object to choose the inner element name, although if none is present will use either a static mapping or guess. The ID attribute is optional but will be treated as described above if present. Root lists of objects should be wrapped in a one-element dictionary, the key of which represents the root element name. The following example shows a basic list of objects. If types are defined it is illegal for any object in the list to have a type different from the others.
Sample List of Objects JSON
Sample List of Objects XML
Standards used in Some APIs
Standard | Description |
|---|---|
The standard for HTTP(S) interactions between CommCare client and server | |
Open Rosa standard meta data tags. (Taken care of by default by CommCare HQ.) | |
XML spec for case-related transactions. (Taken care of by default by CommCare HQ.) | |
https://github.com/dimagi/commcare-core/wiki/CentralAuthAPI† | How authentication is done between a CommCare device and the server |
https://github.com/dimagi/commcare-core/wiki/CommCare20Specs † | Additional documentation for CommCare APIs |
† External links to the JavaRosa/CommCare docs
Documented APIs and use of Standards
In the following, [version] should always be replaced with one of v0.5, v0.4. These documents only describe the latest version - some prior versions remain available only to support backwards compatibility with deployed systems, not for general use.
The latest version is v0.5.
In addition to the permissions listed, all APIs also require the "API Access" permission. The URL endpoints listed below should be utilized as part of a curl authentication command. You can read more about this under https://dimagi.atlassian.net/wiki/spaces/commcarepublic/pages/edit-v2/2279637003#API-Authentication .
API | Description | URL Endpoint | Permission required |
|---|---|---|---|
https://dimagi.atlassian.net/wiki/spaces/commcarepublic/pages/2143950677 | API to submit data to CommCare HQ. | See Documentation | Set per domain |
https://dimagi.atlassian.net/wiki/spaces/commcarepublic/pages/2143946459 | Performs Bulk Imports of Case Data through the Excel Case Data Importer to either create or update cases | Valid login | |
API to create a mobile worker on CommCare HQ | https://www.commcarehq.org/a/[domain]/api/[version]/user/ | Edit Mobile Workers | |
API to edit a mobile worker on CommCare HQ | https://www.commcarehq.org/a/[domain]/api/[version]/user/[id] | Edit Mobile Workers | |
API to delete a mobile worker on CommCare HQ | https://www.commcarehq.org/a/[domain]/api/[version]/user/[id] | Edit Mobile Workers | |
https://bitbucket.org/javarosa/javarosa/wiki/UserRegistrationAPI † | API for registering users on CommCare HQ. | https://www.commcarehq.org/a/\[domain\]/receiver | Set per domain |
API to retrieve data payload consumable to restore a users current state of cases. | See Documentation | Valid login | |
https://dimagi.atlassian.net/wiki/spaces/commcarepublic/pages/2143953394 | API to export data from CommCare HQ. | See Documentation | Set per domain |
List, create, edit and delete groups | See Documentation | Edit Mobile Workers | |
list mobile workers or access individual user data | https://www.commcarehq.org/a/[domain]/api/[version]/user/ | Edit Mobile Workers | |
https://dimagi.atlassian.net/wiki/spaces/commcarepublic/pages/2143957287 | list web users or access individual user data | http://www.commcarehq.org/a/[domain]/api/ [version] /web-user/ | Edit Web Users |
List locations and location types and view their details | See https://dimagi.atlassian.net/wiki/spaces/commcarepublic/pages/2143945158 | Valid login | |
API to initiate the SMS Mobile Worker Registration workflow | https://www.commcarehq.org/a/[domain]/api/[version]/sms_user_registration/ | Edit Data | |
API to facilitate the reinstallation of CommCare for already-registered users | https://www.commcarehq.org/a/[domain]/api/[version]/sms_user_registration_reinstall/ | Edit Data | |
list cases | https://www.commcarehq.org/a/[domain]/api/[version]/case/ | Edit Data | |
find a single case | https://www.commcarehq.org/a/[domain]/api/[version]/case/[case_id]/ | Edit Data | |
list form submissions | https://www.commcarehq.org/a/[domain]/api/[version]/form/ | Edit Data | |
list/search forms or access a single form | https://www.commcarehq.org/a/[domain]/api/[version]/form/[form_id]/ | Edit Data | |
https://dimagi.atlassian.net/wiki/spaces/commcarepublic/pages/2143945824 | view the schema of modules, cases, and forms for your application | https://www.commcarehq.org/a/[domain]/api/[version]/application/ | Edit Apps |
Look up user details | https://www.commcarehq.org/api/[version]/identity/ | Valid login | |
Look up user domains | https://www.commcarehq.org/api/[version]/user_domains/ | Valid login | |
https://dimagi.atlassian.net/wiki/spaces/commcarepublic/pages/2143954626 | check login credentials and get the user details | https://www.commcarehq.org/a/[domain]/api/[version]/sso/ | Valid login |
Form Attachments | API to get an attachment from a form | https://www.commcarehq.org/a/[domain]/api/form/attachment/{form_id}/{attachment_name} | Valid login |
Case Attachments | API to get an attachment from a case | https://www.commcarehq.org/a/[domain]/api/case/attachment/{form_id}/{ attachment_name} | Valid login |
Get lookup table data | See https://dimagi.atlassian.net/wiki/spaces/commcarepublic/pages/2143957453 | Edit Apps | |
Create or edit lookup tables by uploading excel file containing table data | Edit Apps | ||
Download a .ccz file | Download the .ccz file for a specific version of an application | ||
https://dimagi.atlassian.net/wiki/spaces/commcarepublic/pages/2143953363 | List the available reports in the project | https://www.commcarehq.org/a/[PROJECT]/api/v0.5/simplereportconfiguration/?format=json | Domain Admin |
https://dimagi.atlassian.net/wiki/spaces/commcarepublic/pages/2143957341 | Filter and download data for a specific report | https://www.commcarehq.org/a/[PROJECT]/api/v0.5/configurablereportdata/REPORTID/ | View Data |
Enabling Data Integration
https://dimagi.atlassian.net/wiki/spaces/commcarepublic/pages/2143951997
https://dimagi.atlassian.net/wiki/x/TQPKfw
API Clients
Note that any third party libraries are not supported by Dimagi.
API Key Restrictions
API Keys can be restricted by two methods IP address and/or Domain.
The IP Allowlist restriction defines a specific IP address or comma separated list of IP addresses where the API Key can be used. The field references IPv4. There are many ways to check what your IP Address is, one simple way is to use: https://whatismyipaddress.com/
The Domain restriction allows an API Key to be restricted to a specific domain/project space.
If either of these fields are left blank, the API Key will by default be unrestricted.
API Rate Limiting
CommCare applies API rate limits on all project spaces at all times. You can read more about rate limiting here: https://dimagi.atlassian.net/wiki/spaces/commcarepublic/pages/2143956626/CommCare+Rate+Limiting#API-Rate-Limiting