CommCare API Overview

This page below provides an overview of CommCare’s API functionality.

1 Overview
2 API Authentication
- 2.1 Basic authentication
- 2.2 API Key authentication
- 2.3 Two-Factor authentication
3 API Explorer
4 API Standards
- 4.1 Dates
- 4.2 Formats
- 4.3 Objects, Types, and IDs
- 4.4 Lists
5 Standards used in Some APIs
6 Documented APIs and use of Standards
- 6.1 Enabling Data Integration
7 API Clients
8 API Key Restrictions
9 API Rate Limiting
- 9.1 Standard rate limit thresholds
- 9.2 Technically Feasible API Requests

Overview

This section is for you if...

You are a programmer.
You are looking to write code that interacts directly with CommCare HQ through its APIs.

If you are not a programmer and are looking to integrate CommCare with other platforms we recommend looking at https://dimagi.atlassian.net/wiki/x/fRzKfw.

Things we take for granted...

You should have a familiarity with HTTP conventions, such as GET and POST and url parameters.
To follow the examples, you should be familiar with the standard command line tool curl. Here's the manual: https://curl.se/docs/.
Character encoding is UTF-8. Dates should be compliant https://en.wikipedia.org/wiki/ISO_8601. (In some cases we're still using RFC 3339, but we're moving towards ISO 8601.) Guids should be generated in accordance with RFC 4122.

API Authentication

The API's support a few different methods of authentication in addition to the normal session-based authentication used on the rest of CommCare HQ. This makes it easy to access these URLs programmatically.

The examples below use .

Basic authentication

See for details of basic authentication.

Example (will prompt for the password):

curl -v -u [USERNAME] '[URL]'

You can also include the password in the command as follows:

curl -v -u [USERNAME]:[PASSWORD] '[URL]'

API Key authentication

Your API Keys can be found at .

From that page you can generate new API keys and scope them to individual IP addresses. If an API key has an IP address whitelist, any request originating from a different IP address that uses that API key will be rejected.

When an API key is deleted, all requests using that key will be rejected. Unfortunately deleted keys cannot be recovered.

When creating a new API key, the actual key will only be shown once so you should note it down at that moment.

If you use this method of authentication, you do not need to provide a 2 factor OTP header (this is only relevant for API calls with 2 factor auth required.)

curl -H "Authorization: ApiKey [USERNAME]:[API_KEY]" '[URL]'

Two-Factor authentication

If you have two factor authentication (2FA) set up on your account, then basic authentication is not directly supported for accessing APIs. Instead, you must use Api Key authentication, as described above, or pass in a two factor token generated via SMS or your authenticator application via the "otp" url parameter. For example: https://www.commcarehq.org/a/<domain>/api/v0.5/case/?otp=123456

API Explorer

A tool for browsing the read-only CommCare APIs can be found at . This tool will connect directly to your CommCare account using so you don't have to worry about handling authentication.

API Standards

This page contains some shared information about all our APIs.

Dates

We need to decide on a standardized date and datetime format. We will most likely go with .

Formats

All APIs will be available in both JSON and XML format. Because XML is a more complex representation than JSON, there is not a simple 1:1 mapping. However, we will base the APIs on the JSON format and define a consistent schema for converting JSON to XML for consistency. Here are some standards that we're using.

Objects, Types, and IDs

Root objects should always have a type and id property. The type will be used to define the XML element name of the object, and the ID will be tagged as an attribute on the root element. Here is a very simple example demonstrating this:

Sample Object JSON

Sample Object XML

Lists

In JSON lists are allowed to be either very simple lists of a single basic value (typically a string), or lists of objects. Flat lists will be converted to XML as follows:

Sample Object with List JSON

Sample Object with List XML

The choice of element name for the internal list items (in this case "color") will be defined statically, per element, or may be guessed if there is no static mapping. Typically guessing would entail removing a trailing "s" from the list property name, as in this example.

Lists of objects expect the type property to be present on the object to choose the inner element name, although if none is present will use either a static mapping or guess. The ID attribute is optional but will be treated as described above if present. Root lists of objects should be wrapped in a one-element dictionary, the key of which represents the root element name. The following example shows a basic list of objects. If types are defined it is illegal for any object in the list to have a type different from the others.

Sample List of Objects JSON

Sample List of Objects XML

Standards used in Some APIs

Standard	Description

Standard	Description
OpenRosa Request ^†	The standard for HTTP(S) interactions between CommCare client and server
Meta Data Schema ^†	Open Rosa standard meta data tags. (Taken care of by default by CommCare HQ.)
^†	XML spec for case-related transactions. (Taken care of by default by CommCare HQ.)
^†	How authentication is done between a CommCare device and the server
^†	Additional documentation for CommCare APIs

^† External links to the JavaRosa/CommCare docs

Documented APIs and use of Standards

In the following, [version] should always be replaced with one of v0.5, v0.4. These documents only describe the latest version - some prior versions remain available only to support backwards compatibility with deployed systems, not for general use.

The latest version is v0.5.

In addition to the permissions listed, all APIs also require the "API Access" permission. The URL endpoints listed below should be utilized as part of a curl authentication command. You can read more about this under .

API	Description	URL Endpoint	Permission required

API	Description	URL Endpoint	Permission required
	API to submit data to CommCare HQ.	See Documentation	Set per domain
	Performs Bulk Imports of Case Data through the Excel Case Data Importer to either create or update cases	See	Valid login
	API to create a mobile worker on CommCare HQ	https://www.commcarehq.org/a/[domain]/api/[version]/user/	Edit Mobile Workers
	API to edit a mobile worker on CommCare HQ	https://www.commcarehq.org/a/[domain]/api/[version]/user/[id]	Edit Mobile Workers
	API to delete a mobile worker on CommCare HQ	https://www.commcarehq.org/a/[domain]/api/[version]/user/[id]	Edit Mobile Workers
^†	API for registering users on CommCare HQ.	https://www.commcarehq.org/a/\[domain\]/receiver	Set per domain
	API to retrieve data payload consumable to restore a users current state of cases.	See Documentation	Valid login
	API to export data from CommCare HQ.	See Documentation	Set per domain
	List, create, edit and delete groups	See Documentation	Edit Mobile Workers
	list mobile workers or access individual user data	https://www.commcarehq.org/a/[domain]/api/[version]/user/	Edit Mobile Workers
	list web users or access individual user data	http://www.commcarehq.org/a/[domain]/api/ [version] /web-user/	Edit Web Users
	List locations and location types and view their details	See	Valid login
	API to initiate the SMS Mobile Worker Registration workflow	https://www.commcarehq.org/a/[domain]/api/[version]/sms_user_registration/	Edit Data
	API to facilitate the reinstallation of CommCare for already-registered users	https://www.commcarehq.org/a/[domain]/api/[version]/sms_user_registration_reinstall/	Edit Data
	list cases	https://www.commcarehq.org/a/[domain]/api/[version]/case/	Edit Data
	find a single case	https://www.commcarehq.org/a/[domain]/api/[version]/case/[case_id]/	Edit Data
	list form submissions	https://www.commcarehq.org/a/[domain]/api/[version]/form/	Edit Data
	list/search forms or access a single form	https://www.commcarehq.org/a/[domain]/api/[version]/form/[form_id]/	Edit Data
	view the schema of modules, cases, and forms for your application	https://www.commcarehq.org/a/[domain]/api/[version]/application/	Edit Apps
	Look up user details	https://www.commcarehq.org/api/[version]/identity/	Valid login
	Look up user domains	https://www.commcarehq.org/api/[version]/user_domains/	Valid login
	check login credentials and get the user details	https://www.commcarehq.org/a/[domain]/api/[version]/sso/	Valid login
Form Attachments	API to get an attachment from a form	https://www.commcarehq.org/a/[domain]/api/form/attachment/{form_id}/{attachment_name}	Valid login
Case Attachments	API to get an attachment from a case	https://www.commcarehq.org/a/[domain]/api/case/attachment/{form_id}/{ attachment_name}	Valid login
	Get lookup table data	See	Edit Apps
	Create or edit lookup tables by uploading excel file containing table data	See	Edit Apps
Download a .ccz file	Download the .ccz file for a specific version of an application	See
	List the available reports in the project	https://www.commcarehq.org/a/[PROJECT]/api/v0.5/simplereportconfiguration/?format=json	Domain Admin
	Filter and download data for a specific report	https://www.commcarehq.org/a/[PROJECT]/api/v0.5/configurablereportdata/REPORTID/	View Data

Enabling Data Integration

API Clients

Note that any third party libraries are not supported by Dimagi.

Python

API Key Restrictions

API Keys can be restricted by two methods IP address and/or Domain.

The IP Allowlist restriction defines a specific IP address or comma separated list of IP addresses where the API Key can be used. The field references IPv4. There are many ways to check what your IP Address is, one simple way is to use: https://whatismyipaddress.com/
The Domain restriction allows an API Key to be restricted to a specific domain/project space.

If either of these fields are left blank, the API Key will by default be unrestricted.

API Rate Limiting

CommCare applies API rate limits on all project spaces at all times. You can read more about rate limiting here: .

Standard rate limit thresholds

The standard rate limit per minute is 3 API requests per mobile worker.
The standard rate limit per hour is 130 API requests per mobile worker.
The standard rate limit per day is 1000 API requests per mobile worker.

In the table below, you will see the calculated rate limit thresholds for each subscription plan.

(number of mobile workers) * (standard API requests per minute or hour or day etc.)

MOBILE WORKERS INCLUDED IN THE SUBSCRIPTION	TIME PERIOD	RATE LIMIT THRESHOLD

MOBILE WORKERS INCLUDED IN THE SUBSCRIPTION	TIME PERIOD	RATE LIMIT THRESHOLD
Standard plan
125 mobile workers	API requests per minute	375
	API requests per hour	16,250
	API requests per day	125,000
Pro plan
250 mobile workers	API requests per minute	750
	API requests per hour	32,500
	API requests per day	250,000
Advanced plan
500 mobile workers	API requests per minute	1,500
	API requests per hour	65,000
	API requests per day	500,000
Enterprise Plan
1000 mobile workers	API requests per minute	3,000
	API requests per hour	130,000
	API requests per day	1,000,000

Technically Feasible API Requests

We advise you to adhere to the rate limits as outlined above.