Search the OSCAR Documentation
< All Topics


Share this

Documentation Copyright © 2024 Adrian Starzynski. Some content from other creators see Credits


OSCAR supports REST and SOAP connections. However, you’ll need to use REST for performing some operations that require a higher security level.


Read more about SOAP vs. REST

APIs provide various endpoints to access clinical data in JSON and XML formats. Although it’s a matter of personal preference, in general, REST services are the recommended approach for the sake of simplicity, performance and scalability. The table below summarizes some of the key differences between the REST and SOAP APIs

AuthenticationWS-SecurityOAuth 1.0a
Data FormatOnly XML.Plain text, HTML, XML, JSON, YAML, and others.
PerformanceLess reliable than REST and consumes more resourcesBetter performance and reliability compared to SOAP
ApproachFunction-driven (data available as services, e.g.: “getAllergy”)Data-driven (data available as resources, e.g. “user”).
StatefulnessStateless by default, but it’s possible to make a SOAP API stateful.Stateless (no server-side sessions).
CachingAPI calls cannot be cached.API calls can be cached.
OverallHigh security, standardized, lower performance, more complexity, less flexibility.Scalability, better performance, browser-friendliness, flexibility.

REST API Reference

OSCAR exposes it’s web services to authorized users only. Apps must be registered on the OSCAR it would like to integrate with and it’s not the app that “logs in”, it’s the provider.

The provider will login directly into OSCAR, which will generate a token for the app to make further calls.

The protocol implemented in OAUTH 1.0a ( (OSCAR uses OAUTH 1.0a for REST authentication)

The full OSCAR EMR REST API reference is available here.


Every demographic record must have a parallel admission record. The programID is used when there are multiple clinics. It’s part of the old CAISI code.

The programID comes from the program table.
select id from program where name = ‘oscar’;
It’s usually 10016 by default. When creating demographic through REST API, you may need to adjust this to the id from the query that other demographics have, otherwise it won’t be viewable by users in OSCAR.


To configure your application to work with OSCAR via REST API, follow the steps1:

1. Enable the REST API in OSCAR for connecting apps. In the file of the OSCAR system, find the line “ModuleNames=” and add REST to it. If it does not exist simply add like below (or just uncomment the line if it exists commented):
(then restart Tomcat)

2. Register the app with OSCAR through the Administration interface.
Go to Administration>Integration>REST Clients

3. Click “Add New
Enter a valid URI for the application (must be the base URL of your web application), and a Token Lifetime. You can enter a Token Lifetime of -1 if the token shouldn’t expire (this is the most common setting for integrations).

4. Use the Client Key and Client Secret in your app’s OAUTH initialization.

Sample OAUTH 1.0a Workflow1

1. Client makes a REST call including proper “Authorization” header.  (for example:

2. OSCAR will either return the results of the call (regular 200 HTTP status) or a 401 requiring the user to authorize with OSCAR first. Assuming we get the 401,

3. Client will initiate the OAUTH 1.0a flow by calling initiate ( Make sure the client properly manages any cookies as well. This call will also include the callback URL to your application. This will get called when the OAUTH workflow is completed. This will return you a Request Token.

4. Client now redirects user to<request_token>. 

5. User authorizes with OSCAR

4. User is redirected to the Callback URL of your application (specified in the initiate, and must be within the URI of the registered application). The URL will have parameters for the oauth_token and oauth_verifier.

5. Client requests an access token from

6) Client makes REST calls using Authorization header with access token.

REST Services

OSCAR offers a multitude of RESTful web services. Here is the standard list of RESTful web services that are available in 99% of all OSCAR systems:





/demographics/ POST/DELETE






-Patient Detail Status


/pharmacies (POST/PUT/DELETE)

-Product Dispensing





-RSS Feed




Note that some OSCAR versions have slightly different content-type requirements for certain endpoints. For example, some OSCAR systems only accept content-type:application/xml for some endpoints while others have been updated to accept content-type:application/json. You can find out based on the OSCAR version’s REST Java Files.

OSCAR Source Code REST Java Files

OSCAR 19’s Java source code files for the REST endpoints:
oscaremr / oscar / src / main / java / org / oscarehr / ws / rest — Bitbucket

Full List of Web Services

Whether you’re developing a SOAP or REST integration with OSCAR, you can go to your OSCAR server base URL /ws to see the WSDL (SOAP API definition) and WADL files for all the services offered on that particular OSCAR version. OSCAR vendors have added their own additional features/fixes to their version’s API.


For a zip file with the example WADL files of the RESTful services click here

Click the above link to get the WADL files that describe the REST services available on most OSCAR versions. Some vendors have added additional functionality/endpoints (check your OSCAR system’s /oscar/ws link for the exact specifications for your version).

SOAP Services

This page lists all the available SOAP services in OSCAR (note: some OSCAR vendors may not include some of these, or have slightly different definition).

OSCAR publishes SOAP WSDL’s so you’re able to generate stubs off those ( Standard SOAP data types and (only standard SOAP types) are used and WS-Security is used for security. You can import the WSDL’s to Postman for testing, but the request bodies will need some modifications.

The web service endpoints are stateless so you need to set the WS-Security for each request made.

The SOAP web services are intended for server to server communications, not server to browser.

These SOAP services are intended to be compatible with all programming languages (so don’t try and send java.util.Collections objects like List or Map, they will not unmarshall properly in different frameworks).

For versioning of methods and transfer objects, the latest version number is appended to the method/object name, i.e. login(), login2(), login3() etc. In general you should use the latest / largest version number of any method or object that you can find. The older methods and objects are deprecated.

OSCAR uses Apache CXF for the SOAP implementation.

OSCAR 19’s Java source code files for the SOAP endpoints:
oscaremr / oscar / src / main / java / org / oscarehr / ws — Bitbucket

SOAP Authentication

Authentication validation is done on a per-request basis against the Security table on the ID and password (not username). This is for efficiency purposes and immutability purposes of the ID. To get the ID some one can always use the LoginWs first which should supply you with the ID from the username. The LoginWs may also provide you with a security token which can then be used in place of the password.2

Sample getDayWorkSchedule SOAP API request

Here’s a sample SOAP API request to get a provider’s schedule availability with template codes (getDayWorkSchedule) as there is no endpoint for this action in the REST API. This is the endpoint that online booking systems use to query when a provider is available for booking, for example.

HTTP POST https://localhost/oscar/ws/ScheduleService
Headers: Content-type:text/xml; charset=utf-8

Request Body:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="" xmlns:ws="" xmlns:wsse="" xmlns:wsu="">
                <wsse:Password Type="">{{LoginPassword}}</wsse:Password>


  • {{LoginSecurityRecordNo}} needs to be replaced with the security_no – this is the ID of the login user from the security table (find it by running DB query: select * from security) | OR you can get it from the LoginWs (will return securityId)
  • {{LoginPassword}} needs to be replaced with the password of the user you’re logging in with (the user from security_no) | OR you can use LoginWs which will return securityTokenKey from username and password supplied

Sample Response for getDayWorkSchedule

<soap:Envelope xmlns:soap="">
        <ns2:getDayWorkScheduleResponse xmlns:ns2="">


  • getDayWorkSchedule returns the available timeslots for the provider based on template codes (scheduleCode) configured in the schedule template for that day
  • The template codes are returned in ASCII format
    • Ex: <scheduleCode>49</scheduleCode> means the template code is 1 because 49 represents 1 in ASCII

Sample login2 SOAP API request

HTTP POST https://localhost/oscar/ws/LoginService
Headers: Content-type:text/xml; charset=utf-8

Request Body:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="">
    <login2 xmlns="">
      <arg0 xmlns="">{{LoginUsername}}</arg0>
      <arg1 xmlns="">{{LoginPassword}}</arg1>

Sample Response for login2

<soap:Envelope xmlns:soap="">
        <ns2:login2Response xmlns:ns2="">


  • You can use the securityId and securityTokenKey returned for the WS-Security authentication in your SOAP requests (wsse:Username, wsse:Password). OR you can just supply the security_no and password of the user.
  • There is also an older endpoint ‘login’ which only returns securityId and securityTokenKey, without any other information about the provider.


  1. Part of the REST configurationm Sample OAUTH Workflow, some info on Oscar’s SOAP is from Marc Dumontier’s original article “Connecting to OSCAR’s REST API” (publish date unknown).
  2. oscaremr / oscar / src / main / java / org / oscarehr / ws / — Bitbucket

The rest is by Adrian Starzynski

Table of Contents