
API Documentation

Access your client data and assessment results programmatically via the TriageHealth REST API. Available on the Clinic plan.

Authentication

All API requests require a valid API key sent in the Authorization header as a Bearer token. Generate keys from your Pro Settings page.

curl https://triagehealth.com/api/v1/clients \
  -H "Authorization: Bearer th_your_api_key_here"

Keep your API keys secret. Do not expose them in client-side code, public repositories, or browser requests.

Rate Limits

API requests are limited to 60 requests per minute per API key. Rate limit information is returned in response headers:

Header                   Description
X-RateLimit-Remaining    Requests remaining in the current window
X-RateLimit-Reset        Unix timestamp when the window resets
Retry-After              Seconds to wait before retrying (sent only when rate limited)

Error Handling

All errors return a JSON object with an error field describing the problem.

Status   Meaning
401      Invalid, missing, or expired API key
404      Resource not found or not owned by your account
429      Rate limit exceeded
500      Internal server error
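
The authentication, rate-limit and error conventions above fit together in one small client. The following Python is an added example, not TriageHealth's SDK: it assumes the key is supplied in a TRIAGEHEALTH_API_KEY environment variable (a name chosen here), sends it as a Bearer token, retries only on 429 using Retry-After or X-RateLimit-Reset, and turns every other error into an exception carrying the documented "error" field. The transport is injectable so the retry logic can be exercised without touching the network.

```python
"""Minimal TriageHealth API client: Bearer auth, documented rate-limit headers, JSON errors.
Added example, not TriageHealth's SDK. Assumes the key lives in TRIAGEHEALTH_API_KEY."""
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://triagehealth.com/api/v1"


class TriageAPIError(Exception):
    """Raised for any non-2xx response; carries the status and the JSON 'error' text."""

    def __init__(self, status, message):
        super().__init__(f"HTTP {status}: {message}")
        self.status = status
        self.message = message


def _header(headers, name):
    """Case-insensitive header lookup (works for plain dicts and http.client messages)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def retry_delay(status, headers, now):
    """Seconds to wait before retrying a 429, from Retry-After or X-RateLimit-Reset.
    Returns None for any other status: 401/404/500 are not retried here."""
    if status != 429:
        return None
    retry_after = _header(headers, "Retry-After")
    if retry_after is not None:
        return max(0.0, float(retry_after))
    reset = _header(headers, "X-RateLimit-Reset")
    if reset is not None:
        return max(0.0, float(reset) - now)
    return 1.0  # headers missing: back off briefly rather than hammer the endpoint


def parse_error(status, body):
    """Turn an error response body into TriageAPIError using the documented 'error' field."""
    try:
        message = json.loads(body).get("error", "unknown error")
    except (ValueError, AttributeError):
        message = body.decode("utf-8", "replace") if isinstance(body, bytes) else str(body)
    return TriageAPIError(status, message)


def _urllib_transport(url, headers):
    """Real network transport: returns (status, headers, body) even for HTTP error codes."""
    request = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(request, timeout=30) as resp:
            return resp.status, dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), err.read()


def api_get(path, params=None, api_key=None, transport=None, max_retries=3, sleep=time.sleep):
    """GET BASE_URL + path, retrying only on 429 and raising TriageAPIError otherwise.
    `transport(url, headers)` is injectable so the logic can be tested offline."""
    key = api_key or os.environ.get("TRIAGEHEALTH_API_KEY")
    if not key:
        raise RuntimeError("API key missing: set TRIAGEHEALTH_API_KEY, never hard-code it")
    url = BASE_URL + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    headers = {"Authorization": f"Bearer {key}", "Accept": "application/json"}
    send = transport or _urllib_transport
    for attempt in range(max_retries + 1):
        status, resp_headers, body = send(url, headers)
        if 200 <= status < 300:
            return json.loads(body)
        delay = retry_delay(status, resp_headers, time.time())
        if delay is None or attempt == max_retries:
            raise parse_error(status, body)
        sleep(delay)


if __name__ == "__main__":
    clients = api_get("/clients", {"limit": 10, "includeArchived": "false"})
    print(f"{clients['total']} clients in total, showing {len(clients['data'])}")
```

Only 429 is retried: a 401 means the key itself is wrong or expired and a 404 means the resource is not yours, so retrying either just burns rate-limit budget. Reading X-RateLimit-Remaining on successful responses and pausing before it reaches zero is the cheaper option when you are walking many pages.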

Endpoints

Clients

GET /api/v1/clients

List all clients for the authenticated professional.

Query Parameters

limit (number)               Max results (default 50, max 100)
offset (number)              Pagination offset (default 0)
includeArchived (boolean)    Include archived clients (default false)

Example Response

{
  "data": [
    {
      "id": "cl_abc123",
      "name": "Jane Smith",
      "email": "jane@example.com",
      "dateOfBirth": "1990-05-15",
      "sex": "FEMALE",
      "isArchived": false,
      "createdAt": "2025-12-01T10:30:00.000Z",
      "_count": { "assessments": 3 }
    }
  ],
  "total": 42,
  "limit": 50,
  "offset": 0
}

Assessments

GET /api/v1/assessments

List assessments, optionally filtered by client.

Query Parameters

clientId (string)    Filter by client ID
limit (number)       Max results (default 20, max 100)
offset (number)      Pagination offset (default 0)

Example Response

{
  "data": [
    {
      "id": "asmt_xyz789",
      "status": "COMPLETED",
      "reportType": "COMPREHENSIVE",
      "clientId": "cl_abc123",
      "createdAt": "2025-12-15T14:00:00.000Z",
      "updatedAt": "2025-12-15T14:05:00.000Z"
    }
  ],
  "total": 12,
  "limit": 20,
  "offset": 0
}
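
Both list endpoints (clients and assessments) share the same limit/offset envelope with a "total" count, so one pager serves both. The code below is an added example, not part of the TriageHealth documentation; the in-memory endpoint it walks is a constructed stand-in for GET /api/v1/clients that applies the documented default (50) and cap (100). The point it shows is that the offset must advance by the number of items actually returned rather than by the requested limit, otherwise a clamped limit silently skips records.

```python
"""Walk a TriageHealth list endpoint page by page using the documented limit/offset envelope.
Added example; the in-memory endpoint below is a constructed stand-in for GET /api/v1/clients."""


def iter_pages(fetch_page, limit=100, max_pages=10_000):
    """Yield every item from a list endpoint. `fetch_page(limit, offset)` must return the
    documented envelope {"data": [...], "total": N, "limit": L, "offset": O}.
    The offset advances by the number of items actually returned, not by the requested
    limit, so a server that clamps limit to its maximum (100) is still walked completely."""
    offset = 0
    for _ in range(max_pages):
        page = fetch_page(limit, offset)
        items = page.get("data", [])
        yield from items
        offset += len(items)
        # Stop on an empty page or once the server's reported total has been reached.
        if not items or offset >= page.get("total", 0):
            return
    raise RuntimeError("pagination did not terminate; check the server's 'total' value")


# Constructed sample data: 230 clients, the last 30 archived.
FAKE_CLIENTS = [
    {"id": f"cl_{i:04d}", "name": f"Client {i}", "isArchived": i >= 200}
    for i in range(230)
]


def fake_clients_endpoint(limit=50, offset=0, include_archived=False):
    """Stand-in for GET /api/v1/clients applying the documented defaults and caps."""
    limit = max(1, min(int(limit), 100))
    offset = max(0, int(offset))
    rows = [c for c in FAKE_CLIENTS if include_archived or not c["isArchived"]]
    return {"data": rows[offset:offset + limit], "total": len(rows), "limit": limit, "offset": offset}


def all_client_ids(fetch_page=fake_clients_endpoint, include_archived=False):
    """Collect every client id across pages. For the real API, pass a `fetch_page` that
    issues GET /clients with {"limit": limit, "offset": offset, "includeArchived": ...}
    through your own HTTP helper; the pager does not care how the page is fetched."""
    return [c["id"] for c in iter_pages(lambda l, o: fetch_page(l, o, include_archived))]


if __name__ == "__main__":
    ids = all_client_ids()
    print(f"{len(ids)} active clients; first {ids[0]}, last {ids[-1]}")
```

For assessments the same pager works with a `fetch_page` that adds the clientId filter; the "total" in the envelope then refers to that client's assessments, not the account-wide count.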

GET /api/v1/assessments/:id

Get a single assessment with all result data.

Example Response

{
  "id": "asmt_xyz789",
  "status": "COMPLETED",
  "reportType": "COMPREHENSIVE",
  "createdAt": "2025-12-15T14:00:00.000Z",
  "results": {
    "bodyComposition": { ... },
    "bloodwork": { ... },
    "nutrients": { ... },
    "dietPatterns": { ... },
    "exercise": { ... },
    "sleep": { ... },
    "stress": { ... },
    "cvdRisk": { ... },
    "medications": { ... },
    "supplements": { ... },
    "crossReferences": { ... },
    "priorityMatrix": { ... },
    "whatToTest": { ... },
    "weightTrend": { ... }
  }
}

Assessment Sub-Resources

Retrieve individual sections of an assessment result without fetching the full payload.

GET /api/v1/assessments/:id/bloodwork

Get only the bloodwork analysis for an assessment.

Example Response

{
  "bloodwork": {
    "markers": [ ... ],
    "flags": [ ... ],
    "summary": "..."
  }
}

GET /api/v1/assessments/:id/nutrients

Get the nutrient analysis for an assessment.

Example Response

{
  "nutrients": {
    "deficiencies": [ ... ],
    "excesses": [ ... ],
    "recommendations": [ ... ]
  }
}

GET /api/v1/assessments/:id/patterns

Get the diet pattern analysis for an assessment.

Example Response

{
  "dietPatterns": {
    "patterns": [ ... ],
    "concerns": [ ... ]
  }
}

GET /api/v1/assessments/:id/priorities

Get the priority matrix for an assessment.

Example Response

{
  "priorities": {
    "urgent": [ ... ],
    "important": [ ... ],
    "monitoring": [ ... ]
  }
}

Base URL

https://triagehealth.com/api/v1

All endpoints listed above are relative to this base URL.

Getting Started

  1. Subscribe to the Clinic plan to enable API access.
  2. Generate an API key from your Pro Settings page.
  3. Include your key in the Authorization: Bearer <key> header on every request.
  4. Start making requests to the endpoints above.

Questions? Contact us at info@triagemethod.com.

Compliance & Data Governance

TriageHealth is trusted by clinics and practitioners to process sensitive health data. This section outlines the compliance responsibilities for API consumers and the safeguards TriageHealth provides.

Your Responsibilities as an API Consumer

When you integrate with the TriageHealth API, it is important to understand the division of responsibilities for data protection:

  • TriageHealth provides the analytics engine and report generation. We act as a data processor on your behalf.
  • Your clinic or practice is the data controller for your clients' health data. You determine the purposes and means of processing.
  • As the data controller, you must ensure your own compliance with all applicable data protection regulations (HIPAA, GDPR, or other local laws).
  • You are responsible for obtaining appropriate consent from your clients and for informing them how their data is processed.

HIPAA Compliance (US Clinics)

The TriageHealth API processes health data through secure, encrypted channels (TLS 1.2+ in transit, AES-256 at rest). Clinics using the API for US-based patients must ensure their own HIPAA compliance across their entire technology stack.

Recommended Steps

  • Sign a Business Associate Agreement (BAA) with TriageHealth. Contact info@triagemethod.com to request one.
  • Ensure your own systems (EHR, databases, internal tools) are HIPAA-compliant before integrating.
  • Do not store TriageHealth API responses containing protected health information (PHI) in non-compliant systems.
  • Implement role-based access controls so that only authorised staff can access API data on your end.

GDPR Compliance (EU Clinics)

TriageHealth is based in Ireland and processes all data in accordance with the General Data Protection Regulation (GDPR). Our infrastructure stores data in the EU (Neon PostgreSQL, EU-West-2 region).

Key Points

  • A Data Processing Agreement (DPA) is available at /legal/dpa.
  • All client data is stored within the EU. No data is transferred outside the European Economic Area without appropriate safeguards.
  • Your clinic must have a lawful basis for processing client data (e.g., legitimate interest, explicit consent, or contractual necessity).
  • You must inform your clients that their data is processed by TriageHealth as a sub-processor, including details in your privacy notice.

AI Integration Compliance

Many clinics integrate AI assistants with the TriageHealth API to help interpret assessment data and generate patient-friendly summaries. If you plan to use AI services alongside our API, you must ensure compliant data handling at every step.

Using Claude (Anthropic)

  • Anthropic offers a BAA for HIPAA-covered entities using the Claude API.
  • Use the Claude API via Anthropic's standard endpoint (api.anthropic.com). Do not paste PHI into consumer chat interfaces.
  • Ensure your Anthropic organisation account has the BAA signed before sending any health data.
  • Example workflow: retrieve assessment data from the TriageHealth API, then pass the anonymised results as context to Claude for interpretation.

Using ChatGPT (OpenAI)

  • OpenAI offers a BAA for HIPAA-covered entities through their API platform.
  • Use the OpenAI API, not the ChatGPT web or mobile interface, when processing health data. The consumer product does not support BAAs.
  • Ensure your OpenAI organisation account has the BAA signed before sending any health data.
  • Configure data retention settings to the minimum required for your use case. Disable training on your data.

Using Gemini (Google)

  • For HIPAA compliance, use Google Cloud Vertex AI, not the consumer Gemini API or web interface.
  • Vertex AI supports BAAs through Google Cloud's standard healthcare compliance framework.
  • Use regional endpoints (e.g., us-central1) to maintain data residency requirements.
  • Authenticate via IAM service accounts rather than API keys for stronger access control and auditability.

General AI Integration Guidelines

  • Never send raw patient identifiers (full names, dates of birth, addresses, government IDs) to any AI service.
  • Use TriageHealth's anonymised assessment data wherever possible. Strip or tokenise identifying fields before forwarding to AI.
  • Implement audit logging for all AI-processed health data so you can demonstrate compliance during audits.
  • Ensure all AI-generated responses are reviewed by a qualified practitioner before being shared with patients. AI output should inform clinical judgement, not replace it.
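
The workflow described for Claude above (retrieve an assessment, forward anonymised results) and the general guidelines (strip or tokenise identifiers, keep an audit trail) are the same preparation step whichever AI service is used. The following Python is an added example, not TriageHealth code: it removes direct identifier fields, replaces internal IDs with keyed tokens so your audit log stays linkable without exposing the real IDs, keeps only the result sections you actually need, flags free-text fields for human review, and returns an audit record. The nested "client" object and the DEMO_SECRET are constructed for the example; the documented responses only carry clientId.

```python
"""Prepare a TriageHealth assessment payload for an AI service: drop direct identifiers,
tokenise internal IDs, keep only the sections needed, and produce an audit record.
Added example; field names follow the documented responses where they exist."""
import datetime
import hashlib
import hmac
import json

# Keys treated as direct identifiers wherever they appear. Matching is by key name, so a
# field legitimately called "name" elsewhere would be dropped too; the audit record lists
# every removed path so such cases are visible. Extend to match your own data model.
DIRECT_IDENTIFIERS = {"name", "email", "dateOfBirth", "address", "phone", "governmentId"}
# Internal identifiers replaced with keyed tokens (same input -> same token per secret).
ID_FIELDS = {"id", "clientId"}
# Free-text fields that may embed identifiers; kept but flagged for review before sending.
FREE_TEXT_FIELDS = {"summary", "notes"}

# Constructed sample mirroring the documented assessment shape; "client" is an assumption.
SAMPLE_ASSESSMENT = {
    "id": "asmt_xyz789",
    "status": "COMPLETED",
    "reportType": "COMPREHENSIVE",
    "clientId": "cl_abc123",
    "client": {"id": "cl_abc123", "name": "Jane Smith", "email": "jane@example.com",
               "dateOfBirth": "1990-05-15", "sex": "FEMALE"},
    "results": {
        "bloodwork": {"markers": [{"marker": "ferritin", "value": 12, "unit": "ng/mL"}],
                      "flags": ["ferritin low"],
                      "summary": "Ferritin is low; Jane should discuss iron intake."},
        "nutrients": {"deficiencies": ["iron"], "excesses": [], "recommendations": []},
    },
}
DEMO_SECRET = b"constructed-demo-secret-keep-the-real-one-in-a-secrets-manager"


def pseudonymise(value, secret):
    """Keyed hash: linkable within your systems, unrecoverable by the AI provider."""
    return "tok_" + hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:16]


def _scrub(node, secret, path, removed, free_text):
    """Rebuild `node` recursively: drop identifier keys, tokenise ID keys, note free text."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in DIRECT_IDENTIFIERS:
                removed.append(here)            # dropped entirely
            elif key in ID_FIELDS and isinstance(value, str):
                out[key] = pseudonymise(value, secret)
            else:
                if key in FREE_TEXT_FIELDS and isinstance(value, str):
                    free_text.append(here)      # kept, but needs a human look
                out[key] = _scrub(value, secret, here, removed, free_text)
        return out
    if isinstance(node, list):
        return [_scrub(v, secret, f"{path}[{i}]", removed, free_text) for i, v in enumerate(node)]
    return node


def prepare_for_ai(payload, secret, destination, sections=None, now=None):
    """Return (cleaned_payload, audit_record). `sections` restricts results to the listed
    keys (data minimisation); `destination` names the AI service for the audit trail.
    The original payload is not modified."""
    if sections is not None and isinstance(payload.get("results"), dict):
        kept = {k: v for k, v in payload["results"].items() if k in sections}
        payload = dict(payload, results=kept)
    removed, free_text = [], []
    cleaned = _scrub(payload, secret, "", removed, free_text)
    digest = hashlib.sha256(json.dumps(cleaned, sort_keys=True).encode()).hexdigest()
    timestamp = (now or datetime.datetime.now(datetime.timezone.utc)).isoformat()
    audit = {
        "timestamp": timestamp,
        "destination": destination,
        "assessment": cleaned.get("id"),        # token, not the real ID
        "removedFields": sorted(removed),
        "freeTextForReview": sorted(free_text),
        "payloadSha256": digest,                # proves exactly what was sent
    }
    return cleaned, audit


if __name__ == "__main__":
    cleaned, audit = prepare_for_ai(SAMPLE_ASSESSMENT, DEMO_SECRET, "claude-api", sections=("bloodwork",))
    print(json.dumps(cleaned, indent=2))
    print(json.dumps(audit, indent=2))
```

The audit record is what you keep, not the AI provider's logs: it ties a token to a timestamp, a destination and a hash of the exact payload, which is what an auditor asks for. The free-text flag matters in practice: the constructed summary above still mentions a first name even after every identifier field has been removed, so a key-based scrub alone is not enough for narrative fields.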

Data Security Best Practices

Follow these practices to keep your integration secure and audit-ready:

  • Store API keys securely — use environment variables or a secrets manager. Never commit keys to source control.
  • Use HTTPS for all API calls — TriageHealth enforces TLS on all endpoints. Plaintext HTTP requests will be rejected.
  • Implement IP allowlisting where possible to restrict API access to known server addresses.
  • Rotate API keys periodically — at minimum every 90 days, and immediately if a key may have been compromised.
  • Log all API access for audit purposes. Maintain logs for at least the period required by your regulatory framework.
  • Minimise data caching — do not cache health data longer than necessary for your use case. Implement cache expiry policies.

Contact for Compliance

We are committed to supporting your compliance needs. Reach out to the appropriate contact below:

Topic                          Contact
BAA requests                   info@triagemethod.com
Data Processing Agreement      /legal/dpa
Data Protection Officer        info@triagemethod.com
General compliance questions   info@triagemethod.com