Getting Started

Introduction

Consolidate Health Connect is an API that lets your application securely access a user’s health record after they authorize your application. It’s designed for use cases that require reliable, consented access to clinical information without building and maintaining direct integrations to individual EHR systems.

What you can do with the API today

Once a patient completes the authorization and EHR connection flows, your app can retrieve their data through these API endpoints (Bearer token required).

If you’re curious about the contents and format of the data returned, we suggest taking a look at our schema on Swagger.


How it works at a high level

The Connect API uses the OAuth2 authorization code flow:

  1. Your app sends the user to Consolidate Health using an authorization URL you construct.

  2. The user verifies their email and completes the Consolidate Health onboarding flow.

  3. The user tells us where they receive care.

  4. The user connects their EHR system(s) within the Consolidate Health experience using their patient portal credentials.

  5. The patient reviews and approves sharing with your application.

  6. Consolidate Health redirects back to your app with an authorization code.

  7. Your backend exchanges the code for tokens (access + refresh) and receives a patient_id.

  8. Your app uses the access token to retrieve patient data from the API.

The key idea: patients are always in control, and your application only receives data after explicit authorization.


What you need to integrate

You’ll need the following before you begin:

  1. Client credentials (Client ID + Client Secret)

  2. A preregistered redirect URI
    Where the patient returns after approving access

  3. A backend service
    To exchange the authorization code(s) for tokens securely

⚠️ Important:

The token exchange requires your client secret and must be performed on a backend server (not browser-only frontend code).


Who this is for (common use cases)

Consolidate Health Connect is commonly used by:

  • Consumer health apps (wellness, chronic condition support, medication management)

  • AI healthcare products (care navigation, summarization, decision support, patient-facing copilots)

  • Intake and clinical workflow tools (patient history collection, pre-visit data gathering)

  • Employee wellness and benefits experiences

  • Data platforms that need patient-authorized or consented record access


Implementation effort: what to expect

Most integrations involve three practical pieces of work:

  1. Create a “Connect your health records” entry point in your app (a button or link).

  2. Build a callback handler at your redirect URI (an endpoint in your app that receives the OAuth authorization code after the user completes consent).

  3. Add a backend token exchange endpoint and store tokens securely for later API calls.

Once that’s done, making data requests is straightforward: include the Bearer token in the Authorization header and call the relevant patient endpoint.


Reliability and safety essentials (read this early)

Even if you aren’t implementing the integration yourself, these requirements matter:

  • Never expose your client secret in frontend or mobile code.

  • Validate the state parameter on callback to prevent CSRF attacks.

  • Plan for token expiration: access tokens expire after 6 hours and must be refreshed using the refresh token, which itself expires after 180 days.

  • Store tokens securely (encrypted at rest, access-controlled).