User Management

User management is central to 1upHealth's APIs. These endpoints allow you to create users, and manage their permissions and data. If you would like OAuth client keys to the 1upHealth API, create an account and visit our developer console.

Create a developer account

Create Users

An application can create users via the following call. Each response will contain the new user's oneup_user_id, access_token, refresh_token, and app_user_id. The app_user_id helps you keep track of users between the 1up API and your own user management system.

curl -X POST "" \
  -d "app_user_id=myappsuserid" \
  -d "client_id=clientidclientidclientid" \
  -d "client_secret=clientsecretclientsecret"

You will receive a response like this:

{
  success: true,
  code: 'accesscodeaccesscodeaccesscode',
  oneup_user_id: 251,
  app_user_id: '1499270216467',
  active: true
}

The code variable is the OAuth2 access code. You must exchange it for the OAuth2 access token by following the OAuth2 token grant steps. The access_token and refresh_token will be used to gain access to user data. Keep those secure via HIPAA compliant means of transmission and storage, along with all other patient data. The auth token expires after 7200 seconds (2 hours). You can also refresh the token by continuing with the OAuth2 token refresh flow.

If you need a new auth code for a user you already created on 1upHealth, you can make a request via the following method:

curl -X POST "" \
  -d "app_user_id=myappsuserid" \
  -d "client_id=clientidclientidclientid" \
  -d "client_secret=clientsecretclientsecret"
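The token lifetime described above, handled on the application side. This is an added example, not 1upHealth code: the `TokenCache` class, the injected `refresh` callable (standing in for the OAuth2 token refresh call, whose endpoint is not shown here), the five-minute refresh margin and the assumption that a refresh may return a new refresh token are all illustrative.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

TOKEN_LIFETIME_S = 7200  # access token lifetime stated on this page
REFRESH_MARGIN_S = 300   # assumption: refresh 5 minutes early to absorb clock skew


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    issued_at: float

    def needs_refresh(self, now: float) -> bool:
        return now >= self.issued_at + TOKEN_LIFETIME_S - REFRESH_MARGIN_S


class TokenCache:
    """In-memory per-user token cache keyed by app_user_id (hypothetical helper)."""

    def __init__(self, refresh: Callable[[str], Tuple[str, str]],
                 clock: Callable[[], float] = time.time):
        self._refresh = refresh  # takes a refresh_token, returns (access_token, refresh_token)
        self._clock = clock
        self._tokens: Dict[str, TokenSet] = {}

    def store(self, app_user_id: str, access_token: str, refresh_token: str) -> None:
        self._tokens[app_user_id] = TokenSet(access_token, refresh_token, self._clock())

    def access_token(self, app_user_id: str) -> str:
        tokens = self._tokens[app_user_id]  # KeyError: unknown or deactivated user
        if tokens.needs_refresh(self._clock()):
            access, refresh = self._refresh(tokens.refresh_token)
            self.store(app_user_id, access, refresh)  # replace both, in case of rotation
            tokens = self._tokens[app_user_id]
        return tokens.access_token

    def deactivate(self, app_user_id: str) -> None:
        # Deactivation revokes the tokens server-side; drop the local copies too
        # so no code path keeps presenting a revoked credential.
        self._tokens.pop(app_user_id, None)
```

In production the cache would sit on encrypted storage rather than process memory, in line with the storage requirement above.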

Read / View User List

To see all users, paginate through the users API endpoint.

curl -X GET "" \
  -d "client_id=clientidclientidclientid" \
  -d "client_secret=clientsecretclientsecret"

You can also query for individual users by adding the parameters `


Update Users

If you need to change the app_user_id, you can do that via the following command. The oneup_user_id will be assigned; you cannot alter or request it.

curl -X PUT "" \
  -d "oneup_user_id=123" \
  -d "app_user_id=newappuserid" \
  -d "client_id=clientidclientidclientid" \
  -d "client_secret=clientsecretclientsecret"

Deactivate User

User deactivation will revoke the user's refresh_token and auth_token and will set their active field to false. After a user is deactivated, that auth token can no longer be used to gain access to data.

curl -X PUT "" \
  -d "oneup_user_id=123" \
  -d "active=false" \
  -d "client_id=clientidclientidclientid" \
  -d "client_secret=clientsecretclientsecret"

Managing User Associated Patient Data

You can create any FHIR resource and associate it with the user. For example, you can create a Patient resource, and give the user a name, gender, age, etc. All you need to do is add the user's auth_token to a request when creating or updating a FHIR resource.

Accessing FHIR Resources

Create a FHIR resource

Creating a FHIR resource now works like any other FHIR server with OAuth2 credentials. You would use the access_token in the Authorization header value. The newly created resource will be available after a short delay (< 1 second).

curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer accesstokenaccesstokenaccesstoken" \
  -d '{
  "resourceType": "Patient",
  "id": "135375",
  "meta": {
    "versionId": "1",
    "lastUpdated": "2017-05-26T12:00:41.233-04:00"
  },
  "name": [
    {
      "use": "official",
      "text": "Bilbo Baggins",
      "family": "Baggins",
      "given": [
        "Bilbo"
      ]
    }
  ],
  "gender": "male",
  "birthDate": "1993-06-20"
}'

That will return a response with the resource id along with the rest of the 1upHealth object. Use the id value (in this case, 0a0cee5487a8) for subsequent queries.

{"gender":"male","meta":{"lastUpdated":"2017-07-18T18:41:54.774Z","versionId":"2"},"name":[{"given":["Bilbo",""],"use":"official","text":"Bilbo Baggins","family":"Baggins"}],"birthDate":"1993-06-20T04:00:00.000Z","resourceType":"Patient","id":"0a0cee5487a8"}

Get the new FHIR resource

Query the recently added FHIR resource. Again, use the access_token in the Authorization header value.

curl -X GET \
  -H "Authorization: Bearer accesstokenaccesstokenaccesstoken"

User Permissions

Setting User Permissions

If you already have a FHIR resource created, and would like to allow this user's credentials to view that resource, you can modify permissions of that FHIR resource. Be aware that your application must manage rights to data. 1upHealth is not aware of whether userA is legally allowed to view userB's data; only your app can make that decision. The auth token is for the user who created that resource. Essentially, that user is granting permissions to other users.

curl -X PUT "" \
  -H "Authorization: Bearer access_token_for_user_who_owns_this_resource"

Delete User Permissions

Similarly, you can delete a user's access to that resource.

curl -X DELETE "" \
  -H "Authorization: Bearer access_token_for_user_who_owns_this_resource"

When FHIR queries are made for a resource using an individual user's auth_token, only resources available to that user (via set permissions) will be returned.
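One way to enforce the point made under Setting User Permissions, that only your app can decide whether userA may see userB's data: a consent gate placed in front of the permission calls. This is an added example, not 1upHealth code; `SharingGate`, its consent store and the two injected callables that wrap the PUT and DELETE requests are hypothetical.

```python
import time
from typing import Callable, Dict, List, Tuple

Key = Tuple[str, str, str]  # (owner app_user_id, grantee app_user_id, resource reference)


class SharingGate:
    """App-side consent check in front of the permission PUT/DELETE calls."""

    def __init__(self, put_permission: Callable[[str, str, str], None],
                 delete_permission: Callable[[str, str, str], None],
                 clock: Callable[[], float] = time.time):
        self._put = put_permission        # hypothetical wrapper around the PUT request
        self._delete = delete_permission  # hypothetical wrapper around the DELETE request
        self._clock = clock
        self._consents: Dict[Key, float] = {}  # key -> consent expiry (epoch seconds)
        self.audit: List[dict] = []            # decisions only, never tokens

    def record_consent(self, owner: str, grantee: str, resource: str, ttl_s: float) -> None:
        self._consents[(owner, grantee, resource)] = self._clock() + ttl_s

    def _log(self, action: str, key: Key, allowed: bool) -> None:
        owner, grantee, resource = key
        self.audit.append({"at": self._clock(), "action": action, "owner": owner,
                           "grantee": grantee, "resource": resource, "allowed": allowed})

    def share(self, owner: str, grantee: str, resource: str, owner_token: str) -> bool:
        key = (owner, grantee, resource)
        expiry = self._consents.get(key)
        allowed = expiry is not None and self._clock() < expiry  # fail closed
        self._log("share", key, allowed)
        if allowed:
            self._put(resource, grantee, owner_token)  # API is only called after consent
        return allowed

    def withdraw(self, owner: str, grantee: str, resource: str, owner_token: str) -> None:
        key = (owner, grantee, resource)
        self._consents.pop(key, None)
        self._delete(resource, grantee, owner_token)  # remove access even if consent lapsed
        self._log("withdraw", key, False)
```

Consent is directional and per resource here, so a grant from userA to userB does not let userB share anything back.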