API Overview

26 Apr 2021
API Endpoint
© 2003 - 2021 The openEHR Foundation
The openEHR Foundation is an independent, non-profit foundation, facilitating the sharing of health records by consumers and clinicians via open specifications, clinical models and open platform implementations.
Licence image Creative Commons Attribution-NoDerivs 3.0 Unported. https://creativecommons.org/licenses/by-nd/3.0/
Support Issues: Problem Reports
Web: specifications.openEHR.org

Amendment Record

Issue Details Raiser, Implementer Completed
3.4 SPECITS-59: Specify mimeType used by adl2 template S Iancu 26 Mar 2021
3.3 SPECITS-41: Add double quotes to ETag and If-Match headers S Iancu 21 Mar 2021
3.2 SPECITS-56: Fixing typos, formatting and minor documentary errors S Iancu 15 Mar 2021
3.2 SPECITS-45: Describe more clearly the datetime format for REST API P Pazos, S Iancu 15 Mar 2021
3.1 SPECITS-57: Updating info about simplified JSON formats E Sundvall, S Iancu 13 Mar 2021
3.0 SPECITS-49: Describing Resource Identification; add clarification over getting COMPOSITIONs by with `version_uid` vs `versioned_object_uid` J Smolka, M Polajnar, S Iancu 08 Mar 2021
2.4 SPECITS-33: Add reference to Simplified Data Template (SDT) format specification I McNicoll, T Beale, S Iancu 17 Oct 2019
2.3 SPECITS-32: Fix typos and minor documentary errors J Smolka, P Pazos, T Beale, S Iancu 19 Jul 2019
2.2 SPECITS-24: Added changelog J Smolka, S Iancu 12 May 2019
SPECITS-25, SPECITS-29: Change layout and structure J Smolka, S Iancu 12 May 2019
2.1 Update links to new openEHR specifications website S Iancu 16 Dec 2018



This specification describes service endpoints, resources, functions and operations as well as details of requests and responses that interacts with an openEHR API in a RESTful manner.

Related Documents

Prerequisite documents for reading this document include:

Related documents include:


This specification is in the STABLE state. Users are encouraged to comment on and/or advise on these paragraphs as well as the main content.

The development version of this document can be found at https://specifications.openehr.org/releases/ITS-REST/latest.


Feedback may be provided on the Implementation Technology Specifications forum.

Issues may be raised on the specifications Problem Report tracker.

To see changes made due to previously reported issues, see the ITS component Change Request tracker.


Glossary and conventions

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in BCP 14 RFC 2119 RFC 8174 when, and only when, they appear in all capitals, as shown here.

Throughout this specification, a set of short terms is being used as described below:

Term Description
API Application Programmer Interface
REST Representational state transfer, a type of Web service that allows clients to access and manipulate textual representations of Web resources.
AQL openEHR’s Archetype Query Language
SEMVER Semantic Versioning 2.0.0
{baseUrl} The base URL of the openEHR APIs; the value depends on the implementation (e.g. https://api.best-ehr-sys.io/rest)
UUID A universally unique identifier as described by RFC 4122 (e.g. 8849182c-82ad-4088-a07f-48ead4180515)
ehr_id The value for an EHR identifier, stored under EHR.ehr_id.value, usually an UUID or a GUID (e.g. 7d44b88c-4199-4bad-97dc-d78268e01398)
versioned_object_uid The value of a VERSIONED_OBJECT unique identifier, stored under VERSIONED_OBJECT.uid.value (e.g. 8849182c-82ad-4088-a07f-48ead4180515)
version_uid The value of a VERSION unique identifier, stored under VERSION.uid.value (e.g. 8849182c-82ad-4088-a07f-48ead4180515::openEHRSys.example.com::2)
preceding_version_uid The value of a previous VERSION unique identifier, used usually for PUT or DELETE methods (e.g. 8849182c-82ad-4088-a07f-48ead4180515::openEHRSys.example.com::1)
version_at_time Time specifier used to retrieve the VERSION at a given time; the value is in the extended ISO 8601 format (e.g. 2015-01-20T19:30:22.765+01:00)

HTTP Methods

HTTP Methods are described by RFC 7231 and by IANA HTTP Method Registry. The following subset is being used in this specification:

Method Description
GET Transfer a current representation of the target resource.
POST Perform resource-specific processing on the request payload.
PUT Replace all current representations of the target resource with the request payload.
DELETE Remove all current representations of the target resource.
OPTIONS Describe the communication options for the target resource.

HTTP Status codes

HTTP Status codes are described by RFC 7231 and by the IANA Status Code Registry. The following subset of the is being used in this specification:

Code Reason-Phrase Meaning, usecase and details
200 OK The request succeeded, payload sent in a 200 response depends on the request method
201 Created The request has been fulfilled and has resulted in one or more new resources being created
204 No content The request has been fulfilled and there is no additional content to send in the response payload body
400 Bad request The service cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, syntactically invalid content)
401 Unauthorized If the service requires authorization, this indicates that the request has not been applied because it lacks valid authentication credentials for the target resource
403 Forbidden The service understood the request but refuses to authorize it
404 Not found The origin service did not find the target resource or is not willing to disclose that one exists
405 Method Not Allowed The method received in the request-line is known by the origin service but not supported by the target resource
406 Not Acceptable The target resource does not have a current representation that would be acceptable to the user
408 Request Timeout Request maximum execution time is reached, therefore the server aborted the request
409 Conflict Indicates that the request could not be processed because it might generate a duplicate or a conflict
412 Precondition Failed One or more conditions given in the request header fields evaluated to false when tested on the server
415 Unsupported Media Type The service is refusing the request because the payload is in a format not supported by this method on the target resource
422 Unprocessable Entity The request was well-formed but was unable to be followed due to semantic errors
500 Internal Server Error The service encountered an unexpected condition that prevented it from fulfilling the request
501 Not Implemented The service does not support the functionality required to fulfill the request

Design considerations

The following describes in details how HTTP headers and status codes MUST be used by an openEHR REST API implementation in order to achieve good interaction between services and clients in the spirit of this specification.

Furthermore, general details about resources, data representation and content negotiation are described in this specification.

NOTE: JSON format is used in many of the example below, but this does not imply that XML might not be supported by the same service endpoint.

Authentication and authorization

Services SHOULD implement and support an HTTP Authentication and Authorization framework (which can support various schemes) but there is no assumption or recommendation being made in this specification about which authentication scheme should be used by services and clients. See RFC 7235 or Mozilla’s HTTP Authentication for details on this subject.

If an Authentication and Authorisation framework is present, services MUST properly use WWW-Authenticate and/or Proxy-Authenticate response headers and return HTTP status code 403 Forbidden or 401 Unauthorized or 407 Proxy Authentication whenever applicable, and clients MUST properly use Authorization and Proxy-Authorization in their request headers.

Options and conformance

OPTIONS {baseUrl}/v1/
RequestsInspect services and conformance
Accept: application/json
Content-Type: application/json
  "solution": "openEHRSys",
  "solution_version": "v0.9",
  "vendor": "My-openEHR",
  "restapi_specs_version": "v1.0.2",
  "conformance_profile": "STANDARD",
  "endpoints": [


The OPTIONS HTTP method allows a client to determine the options and/or requirements associated with a resource, or the capabilities of the service, without implying a resource action. Services SHOULD respond to this method with at least appropriate HTTP codes, headers and potentially with a payload revealing more details about themselves.

Another use-case for this method is related to exposing service capabilities for a conformance manifest.

HTTP headers

Standard HTTP Request and Response headers are described by RFC 7231 and by the IANA Message Headers. The following describes the use of a subset of these headers, as well as the custom headers used by an openEHR API.

The openEHR-VERSION and openEHR-AUDIT_DETAILS headers

When it comes to committing content to an openEHR system, for all change-controlled resources (e.g. COMPOSITION, EHR_STATUS, FOLDER, etc.) the services are performing versioning under the hood. The ‘native’ way of committing is to use a CONTRIBUTION and wrap the content as a VERSION. To keep things simpler and consistent, services MUST also allow PUT, POST and DELETE methods directly on these change-controlled resources. However, these operations MUST internally be executed using the ‘native’ way.

In order to allow clients to provide committal metadata, services MUST accept openEHR-VERSION and openEHR-AUDIT_DETAILS custom request headers. For clients, it is RECOMMENDED to provision these headers based on authentication and authorization runtime data. Below is a complex example of these request headers used in a PUT action to update a COMPOSITION:

openEHR-VERSION.lifecycle_state: code_string="532"
openEHR-AUDIT_DETAILS.change_type: code_string="251"
openEHR-AUDIT_DETAILS.description: value="An updated composition contribution description"
openEHR-AUDIT_DETAILS.committer: name="John Doe", external_ref.id="BC8132EA-8F4A-11E7-BB31-BE2E44B06B34", external_ref.namespace="demographic", external_ref.type="PERSON"

None of these headers are mandatory, but whatever is provided it MUST be merged with the default VERSION and VERSION.audit_details attributes on commit runtime.

Below a list of code_string values and their meaning (taken from openEHR terminology):

header code value / meaning
openEHR-VERSION.lifecycle_state 532 complete
openEHR-VERSION.lifecycle_state 553 incomplete
openEHR-VERSION.lifecycle_state 523 deleted
openEHR-AUDIT_DETAILS.change_type 249 creation
openEHR-AUDIT_DETAILS.change_type 250 amendment
openEHR-AUDIT_DETAILS.change_type 251 modification
openEHR-AUDIT_DETAILS.change_type 252 synthesis
openEHR-AUDIT_DETAILS.change_type 523 deleted
openEHR-AUDIT_DETAILS.change_type 666 attestation
openEHR-AUDIT_DETAILS.change_type 253 unknown

The If-Match header and accidental overwrites

The use case of this is described by RFC 7232.

If-Match: "8849182c-82ad-4088-a07f-48ead4180515::openEHRSys.example.com::2"

This HTTP request header SHOULD be used by the clients to prevent accidental overwrites when multiple user agents might be acting in parallel on the same resource. This is only required by a small set of resources of this specification, as in most of the other cases the preceding_version_uid path segment is instead required in order to prevent such accidental overwrites. In case a service receives this header, and the condition evaluates to false, it MUST respond with HTTP status code 412 Precondition Failed and return also latest version_uid in the Location and ETag response headers.

The openEHR-TEMPLATE_ID header

This request header MUST be used whenever committing COMPOSITION (via PUT or POST methods) using a simplified data format which does not support TEMPLATE_ID value under an equivalent LOCATABLE.archetype_details.template_id attribute of contained data.

The Location and openEHR-uri header

This response header indicates the resource location (URL). According to RFC 7231, it is used to refer to a specific resource in relation to the response. The type of relationship is defined by the combination of request method and status code semantics. The identifiers part of this URI-reference SHOULD comply with resource identification semantics of this specification.

Services MUST return this header whenever a create or update operation was performed, but it MAY return this header on other operation or action. Example:

Location: {baseUrl}/ehr/347a5490-55ee-4da9-b91a-9bba710f730e/composition/8849182c-82ad-4088-a07f-48ead4180515::openEHRSys.example.com::2

See representation details negotiation section for more details on how use this header.

If services have support to generate resource URL as specified by the DV_URI/DV_EHR_URI format, then they MAY send also openEHR-uri response header. Example:

openEHR-uri: ehr:/347a5490-55ee-4da9-b91a-9bba710f730e/compositions/87284370-2D4B-4e3d-A3F3-F303D2F4F34B

The Prefer header

This request header MAY be used by clients for resource representation negotiation. See more details on representation details negotiation section.

The ETag and Last-Modified headers

These headers are mainly related to whether or not a returned resource may be cacheable. Their purpose is to give clients information about the state of the requested resources.

According to RFC 7232,

The “ETag” header field in a response provides the current entity-tag for the selected representation, as determined at the conclusion of handling the request. An entity-tag is an opaque validator for differentiating between multiple representations of the same resource, regardless of whether those multiple representations are due to resource state changes over time, content negotiation resulting in multiple representations being valid at the same time, or both.

The ETag response HTTP header contains a string token that the server associates with a resource in order to uniquely identify the state of that resource over its lifetime. The value of the token changes as soon as the resource changes. An example of such header value format is:

ETag: "8849182c-82ad-4088-a07f-48ead4180515::openEHRSys.example.com::2"

Servers MAY choose their own format for this header, but the recommended value is the unique identifier of the requested resource (e.g. VERSIONED_OBJECT.uid.value, VERSION.uid.value, EHR.ehr_id.value, etc).

The Last-Modified response HTTP header contains the datetime of the last modification of targeted resource which should be taken from VERSION.commit_audit.time_committed.value. An example of such header value format is:

Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT

These two headers SHOULD be present in all responses targeting VERSION, VERSIONED_OBJECT or other resources that have similar unique identifier.

HTTP status codes

To indicate the status of the request, or the executed operation, one of the HTTP status codes MUST be used, as described above. Meaning of these codes may be further detailed (nuanced) in this specification by particular responses. If required, other status codes MAY be used by implementations as long as their usecase is not conflicting or overlapping with above codes.

Status code 400 indicates a bad request or generic client-side error, used when no other 4xx error code is appropriate. The client SHOULD NOT repeat the request without modifications.

In case of errors (HTTP status codes 400-500), the services MAY return more details (if Prefer: return=representation request header is present). Example:

some codes/messages https://github.com/ppazos/cabolabs-ehrserver/wiki/API-error-codes-and-messages and http://veratechnas1.synology.me:13606/InstanceValidator/rules.html

    "message": "Error message",
    "code": 90000,
    "errors": [
            "_type": "DV_CODED_TEXT",
            "value": "Error message",
            "defining_code": {
                "terminology_id": {
                    "value": "local"
                "code_string": "9000"
            "_type": "DV_CODED_TEXT",
            "value": "Secondary error message",
            "defining_code": {
                "terminology_id": {
                    "value": "local"
                "code_string": "8000"


For the openEHR API, a Resource is an instance object of a specific openEHR class (type) that can be identified, addressed, handled or managed by the service. The following are examples of openEHR resources and their types:

  • top-level content structure types, such as COMPOSITION, EHR_STATUS, FOLDER, PARTY, etc.

  • version containers, such as VERSIONED_COMPOSITION, VERSIONED_EHR_STATUS, etc. or their containing VERSION

  • other non-versioned resources, such as EHR, CONTRIBUTION, RESULT_SET, etc.

  • definitions, such as TEMPLATE, ARCHETYPE, QUERY

Types defined by openEHR specification are always capitalized when used in this specification. For a list of all available types or a particular type definition please refer to the class index.

Resource identification

An important aspect of a RESTful service is to be able to address resources via URIs/URLs using HTTP verbs (methods). Each resource has an identifier which is unique within the system for that resource type, usually consisting of at least a globally unique identifier (UUIDs). Once the resource is persisted by the service, the identifier is assigned and will never change for that resource instance.

Depending on the resource type and on the use cases, there are several identifier types (and formats):

  • a versioned_object_uid for identifying a VERSIONED_OBJECT (i.e. a version container),

  • a version_uid for identifying a VERSION from the version container,

  • an ehr_id to identify an EHR,

  • a template_id or a qualified_query_name used to identify various definitions.

The version_uid is the unique identifier of a VERSION, in the lexical form of object_id :: creating_system_id :: version_tree_id, where the object_id has the same value as the containing VERSIONED_OBJECT identifier taken from VERSIONED_OBJECT.uid.value.

As examples of identifiers, the following request:

GET https://api.openEHRSys.example.com/v1/ehr/7d44b88c-4199-4bad-97dc-d78268e01398/composition/8849182c-82ad-4088-a07f-48ead4180515::openEHRSys.example.com::1

is using an URI that contains an EHR identifier 7d44b88c-4199-4bad-97dc-d78268e01398, taken from EHR.ehr_id.value, and a COMPOSITION identifier 8849182c-82ad-4088-a07f-48ead4180515::openEHRSys.example.com::1, taken from COMPOSITION.uid.value, serviced by an openEHR API (of version v1), located at https://api.openEHRSys.example.com.

There are circumstances when resources can be uniquely identified by two different identifiers. For example, assuming that a VERSIONED_COMPOSITION container has the versioned_object_uid identifier 8849182c-82ad-4088-a07f-48ead4180515, and the latest version is 5 (taken from version_tree_id), then that COMPOSITION can be identified either by following explicit URI:


using the version_uid identifier, as well as by the following implicit URI:


However, the latter will only reference the same resource as the former as long as there are no more changes or modifications on that specific version container (i.e. the latest version remains 5).

  • NOTE: Since RM Release 1.0.4 it is strongly recommended that the inherited attribute uid be populated in COMPOSITIONs, using the UID copied from the object_id() of the uid field of the enclosing VERSION object. For example, the ORIGINAL_VERSION.uid 87284370-2D4B-4e3d-A3F3-F303D2F4F34B::uk.nhs.ehr1::2 would be copied to the uid field of the COMPOSITION. See Levels of identification chapter of Architecture Overview for more details.

Data representation

Services MUST support at least one of the openEHR XML or JSON formats for resource representation. Alternative formats MAY be also supported, such as a Simplified Data Template (SDT) format. These formats and their associated negotiation protocol is described below.

XML Format

When resources representation is serialized as XML, the request payload as well as the result MUST be valid against published XSDs.

A client MAY use the header Content-Type: application/xml in the requests to specify the XML payload format. If the service cannot process the request payload as XML format is not supported, it MUST respond with HTTP status code415 Unsupported Media Type.

The client SHOULD use the Accept: application/xml request header in order to specify the expected XML response format. If the service cannot fulfill this aspect of the request, it MUST respond with HTTP status code 406 Not Acceptable. Proper header Content-Type: application/xml MUST be present in the response of the service unless the response has no content body (HTTP status code 204).

JSON Format

When resources representation is serialized as JSON, the request payload as well as the result SHOULD be valid against published JSON-Schemas.

Note: The JSON-Schema project is under development.

Attribute names must be lowercase snake_case names as specified in the equivalent RM type. For example:

    "category": {
        "value": "event",
        "defining_code": {
            "terminology_id": {
                "value": "openehr"
            "code_string": "433"

Metadata attributes (those that are not also RM attributes) will always be prefixed by a '_'.

One example is the _type attribute, which should be used to specify the RM type whenever polymorphism is involved, or when the underlying definition in RM type is abstract (dynamic type is different from the static type). This follows same rule as for XML typing. The value of this attribute MUST be the uppercase class name from the RM specification. For example:

    "_type": "DV_TEXT",
    "value": "Hello world!"

The RM attributes (even required ones) that are Null, empty list or empty arrays SHOULD be absent when serialized as JSON.

The order of attributes in the resource MAY follow the order of attributes in the RM specification of the type of the resource, but this is not mandatory.

A client MAY use the header Content-Type: application/json in the requests to specify the JSON payload format. If the service cannot process the request payload as JSON format is not supported, it MUST respond with HTTP status code 415 Unsupported Media Type.

The client SHOULD use the Accept: application/json request header in order to specify the expected JSON response format. If the service cannot fulfill this aspect of the request, it MUST respond with HTTP status code 406 Not Acceptable. Proper header Content-Type: application/json MUST be present in the response of the service unless the response has no content body (HTTP status code 204).

Alternative data formats

Creating data instances according to canonical XML or JSON format is not always straightforward, particularly for developers with minimal exposure to openEHR, and various alternatives have been used in the past to simplify the job of content creation and committal for application developers.

There is an initiative exploring and documenting these alternative formats, which specifications can be consulted at Simplified Data Template (SDT) page.

Note: The specification of Simplified Data Template is under development.

In order to use these formats, content negotiation SHOULD be done in the same manner as for the canonical XML or JSON format above, but instead of application/xml or application/json, clients and servers MUST use:

  • application/openehr.wt.flat+json for the simplified IM Simplified Data Template (simSDT) as JSON, based on the ‘FLAT’ version of the ‘web template’ format, originally created by Marand for the Better platform. More information can be found also in their ‘examples’ page, as well as in their open-source implementation and conformance tests.

    EHRbase also has support for this format, and provides information in their documentation.

  • application/openehr.wt.structured+json for the structured IM Simplified Data Template (structSDT) as JSON, based on the ‘STRUCTURED’ version of the ‘web template’ format originally created by Marand for the Better platform (see also their ‘examples’).

  • text/plain for all textual ADL2 templates or AQL queries,

  • application/openehr.nc.flat+json for near-canonical RM Simplified Data Template (ncSDT) as JSON, based on the ECISFLAT format, originally devised for the EtherCIS project,

  • application/openehr.tds2+xml for TDS simplification of RM as XML, based on the ‘TDS/TDD’ format originally created by Ocean Health Systems (see this wiki page and the TDD2canonical project).

Note: Other alternative formats may be added in the future, depending on innovative impact, simplicity, popular demand or adoption rate. Current alternative formats might not be supported once they become obsolete or superseded by newer formats.

A client MAY use the header Content-Type in the requests to specify the simplified payload format. If the service cannot process the request payload as the simplified format is not supported, it MUST respond with HTTP status code415 Unsupported Media Type.

The client SHOULD use the Accept request header in order to specify the expected simplified response format. If the service cannot fulfill this aspect of the request, it MUST respond with HTTP status code 406 Not Acceptable. Proper header Content-Type MUST be present in the response of the service unless the response has no content body (HTTP status code 204).

Datetime format

The format of the date, time and datetime types should comply with the ISO 8601 Date and Time format specification. The ISO 8601 semantics assumed by openEHR is defined in the classes of the base.foundation_types.time package. It is strongly recommended using the extended format for dates, times and datetimes. This greatly aids human readability, and reduces the need for special date/time parsing and formatting.

HTTP query parameters and path segments that are dates, datetimes, or times, MUST always use the extended ISO 8601 format. The general form of a datetime is YYYY-MM-DDThh:mm:ss.sss[Z|±hh:mm], e.g. 2016-06-23T13:42:16.117+02:00.
Timezone SHOULD be only supplied when needed, otherwise the local timezone is assumed.

Any date, datetime or time value provided as part of the HTTP message body, when creating or updating a resource (e.g. a DV_DATE_TIME value inside the COMPOSITION content), will be preserved as it was sent by the client, and passed to the underlying backend engine as is. Retrieval or querying those resources SHOULD return date, datetime, or time values in the (original) format provided by underlying backend engine, avoiding any format change.

Representation details negotiation

When using the HTTP methods to create or update a resource, the service SHOULD give clients the option of returning either a complete representation of the (modified) resource, or a minimal or no content in the payload response (assuming the operation was successfully completed). See RFC 7240 for more details on how achieve this using Prefer header. The client MAY choose any of the following:

  • send Prefer: return=minimal to inform the service that prefers only a minimal response to a successful request. A Location header indicating the direct URL to access the resource MUST be part of the service response. If there is no payload content to be returned, the service SHOULD use HTTP status code 204 No Content.

  • send Prefer: return=representation to inform the service that prefers a full representation response to a successful request. A Location header indicating the direct URL to access the resource MAY be part of the service response, and the payload content SHOULD include a full representation.

In case no Prefer header is present in request, the default response policy is return=minimal.

Another preference is related to following and resolving OBJ_REF identifiers. Under some circumstances a client MAY indicate that prefers response containing full or partial resource representation instead of references to resources using OBJ_REF. A typical case is a list of COMPOSITIONs part of an EHR, which, strictly following RM specification, should always return list of OBJ_REF, but sometimes clients prefers to get COMPOSITIONs. Services that have this capability implemented SHOULD accept and honor Prefer: resolve_refs request header.

Prefer: return=representation, resolve_refs

Generated with aglio on 26 Apr 2021