FAQ
General
Can I integrate any GipoNext feature via API?
No. The APIs cover a specific scope. Before estimating time and cost, check which resources and operations are available in Entities and operations and in the API reference.
Does GipoNext also build my client's integration?
No. GipoNext provides the platform, technical onboarding, OAuth approval, and targeted support. Delivery and maintenance of the integration remain the System Integrator's responsibility.
Is there a sandbox environment for development?
Yes. You can request a sandbox tenant and populate it freely with fictitious data for development. Access to real data requires explicit involvement of the medical centre. You can complete the full development and testing cycle without touching production data.
What is the recommended sequence to get started?
Use this progression:
- Getting started for onboarding and responsibilities.
- Register your application for OAuth provisioning.
- OAuth flows and tokens for the technical flow.
- Entities and operations for the API functional map.
How do I contact support if I have issues?
Write to the support contacts. Always include: the endpoint called, the HTTP status code received, the response body, and the request timestamp.
Authentication and OAuth
Are client_id and client_secret enough to access data?
No. You need both application identity (OAuth client) and user login. Tenant and permissions depend on the authenticated user. See Developer credentials and system access credentials.
Is there a "global" integrator token?
No. There is no token with cross-tenant access. Each token represents a user and that user's permissions.
How long does an access token last?
The access token has a limited lifetime. When it expires, the APIs respond with 401 Unauthorized. Use the refresh token to obtain a new one without forcing the user to log in again. See OAuth flows and tokens.
Can the refresh token expire?
Yes. A refresh token can become invalid for several reasons: user revocation, prolonged inactivity, account deactivation, or exceeding the active token limit. In this case, the user must perform a full login again.
Can I use Client Credentials flow (machine-to-machine)?
No. GipoNext APIs always require an authenticated user context. Supported flows are Authorization Code and Device Code.
See OAuth flows and tokens, especially the section on background services.
Data and formats
What date format is used in responses?
Dates are in ISO 8601 format (for example 2025-03-15T10:30:00Z). Use a date parsing library to handle them correctly in your language.
Can responses include fields I do not know?
Yes. APIs can add new fields at any time (additive changes). Your client must safely ignore unknown fields. Do not validate responses rigidly. See Change management.
Which encoding do the APIs use?
All responses are JSON with UTF-8 encoding.
Operations
How should I handle traffic limits?
Implement retry with backoff and respect Retry-After when you receive 429. See Rate limiting.
How should I handle pagination and large syncs?
Iterate pages using hasMore as the exit condition and do not assume static datasets. See Pagination.
What happens when I get 400 or 422?
The response body contains error details (message and, when available, errors with field-level details). Read the body to understand what to fix. See Error handling.
Can I send requests in parallel?
Yes, but in moderation. All requests from the same application (same client_id) share the same rate-limit counter, regardless of user. If you send too many requests in parallel, you can hit the limit. See Rate limiting.
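Added example, not GipoNext code: a sequential sync loop that ties together the answers above on 401 and refresh tokens, 429 with Retry-After, and pagination with hasMore. The `send` and `refresh` callables, the `items` field, page numbering, and `MAX_WAIT` are assumptions for illustration; the responses in `demo` are constructed.

```python
import time
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
MAX_WAIT = 60.0  # assumption: cap so one response cannot stall the sync indefinitely

def retry_after_seconds(value, fallback):
    """Retry-After is either delta-seconds or an HTTP-date; clamp the result."""
    try:
        wait = float(value)
    except (TypeError, ValueError):
        try:
            wait = (parsedate_to_datetime(value) - datetime.now(timezone.utc)).total_seconds()
        except (TypeError, ValueError):
            wait = fallback  # header missing or unparseable: exponential backoff
    return min(max(0.0, wait), MAX_WAIT)

def fetch_all(send, refresh, token, max_retries=5, sleep=time.sleep):
    """send(token, page) -> (status, headers, body); refresh() -> new access token."""
    items, page, retries, refreshed = [], 1, 0, False
    while True:
        status, headers, body = send(token, page)
        if status == 429 and retries < max_retries:
            sleep(retry_after_seconds(headers.get("Retry-After"), 2.0 ** retries))
            retries += 1
            continue
        if status == 401 and not refreshed:  # expired token: refresh once, retry page
            token, refreshed = refresh(), True
            continue
        if status != 200:  # includes a second 401: the user must log in again
            raise RuntimeError(f"page {page}: HTTP {status}: {body}")
        retries, refreshed = 0, False
        items.extend(body.get("items", []))  # unknown fields are simply ignored
        if not body.get("hasMore"):          # hasMore is the only exit condition
            return items
        page += 1

def demo():
    # Constructed responses: page 1, a 429, an expired token, then page 2.
    script = iter([
        (200, {}, {"items": [1, 2], "hasMore": True, "newField": "x"}),
        (429, {"Retry-After": "3"}, {}), (401, {}, {}),
        (200, {}, {"items": [3], "hasMore": False}),
    ])
    waits, tokens = [], []
    def send(token, page):
        tokens.append(token)
        return next(script)
    items = fetch_all(send, lambda: "new-token", "old-token", sleep=waits.append)
    return items, waits, tokens
```

The loop is deliberately sequential: because every request from one client_id counts against the same limit, adding workers does not add quota.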
Which TLS requirements must I meet?
Connections must use TLS 1.2 as the minimum version, with one of the supported cipher suites. See TLS.