Webhooks allow you to build or set up integrations which subscribe to certain events on the Elation Platform without polling our API for changes. When one of those events is triggered, we’ll send a HTTP POST payload to the webhook’s configured URL.
You can programmatically register your event listener (e.x. webhook URL) using The Event Subscription API.
Prevent Echo Note that updates made by an application will not trigger webhook callbacks to the same application.
Supported models
At the moment, you will receive events for the following models:
| Model | event name |
|---|
| Appointment | appointments |
| Allergies | allergies |
| Bill | bills |
| Cardiac Orders | cardiac_orders |
| Clinical Documents | clinical_documents |
| Delegate Permissions | delegate_permissions |
| Document Tags | document_tags |
| Drug Intolerances | drug_intolerances |
| Imaging Orders | imaging_orders |
| Immunizations | immunizations |
| Incoming Files (fax) | incoming_files |
| Insurance companies | insurance_companies |
| Insurance plans | insurance_plans |
| Lab Order Sets | lab_order_sets |
| Lab Order Tests | lab_order_tests |
| Lab Order | lab_orders |
| Lab Vendor Patient Sites | lab_vendor_patient_sites |
| Lab Vendors | lab_vendors |
| Letters | letters |
| Medications | medications |
| Message Threads | message_threads |
| Non-visit Notes | non_visit_notes |
| Office Staff | office_staff |
| Patient | patients |
| Patient Photo | patient_photos |
| Physicians | physicians |
| Problems | problems |
| Pulmonary Orders | pulmonary_orders |
| Referral Orders | referral_orders |
| Reports | reports |
| Service Locations | service_locations |
| Sleep Orders | sleep_orders |
| Staff Groups | staff_groups |
| Thread Member | thread_members |
| Thread Message | thread_messages |
| Visit Notes | visit_notes |
| Vitals | vitals |
| History | histories |
| Family History | family_histories |
Event payload
When an event is triggered, the webhook POST body contains a JSON object with the following fields. See The Event Object for full details.
| Field | Type | Description |
|---|
data | object | The resource object. |
action | string | saved or deleted. |
event_id | integer | The event id to reference this request. |
event_uuid | string | A UUID7 identifier for this event. |
application_id | integer | The OAuth2 application client id. |
resource | string | The resource type (e.g. patients). |
resource_url | string | null | Optional URL to retrieve the resource payload for large resources. |
New fields event_uuid and resource_url are new additions to the webhook payload. event_uuid is a UUID7 identifier that will eventually replace event_id. resource_url will be offered in the future for resources with very large payloads as an alternative to embedding the full object in data.
Acknowledging events
We are expecting status code 200 when we POST the event payload to your webhook URL. We will retry the POST for up to 72 hours until we get a status code 200 response.
Webhook Signatures
Elation’s webhook requests are signed using the Ed25519 digital signature scheme. The base64 encoded signature can be found in the El8-Ed25519-Signature request header. The base64 encoded signing key for your webhook subscription can be in the signing_pub_key field in the response from the Subscription endpoint.
Libraries exist for all common programming languages that support the verification of Ed25519 signatures.
Trusted IP addresses
If you want to whitelist the source of webhook traffic at the network level in addition to (or instead of) verifying the signature, webhook requests originate from the following IP addresses:
| Environment | Trusted IP addresses |
|---|
| Production | 54.193.219.231/32, 54.176.82.72/32 |
| Sandbox | 54.70.45.237/32, 54.218.138.201/32 |
Contact Elation Support if you need the current trusted IP addresses for the stage environment. Elation notifies designated technical contacts at least 10 business days in advance of any change to these IP addresses — if you’re relying on IP whitelisting, make sure Elation has a technical contact on file to receive that notice.
Example Implementation
The following is an example implementation, using Flask and PyNaCl.
from flask import Flask, request
from nacl.signing import VerifyKey
from nacl.encoding import Base64Encoder
# This base64 encoded value is obtained from the Subscription endpoint
verify_key = VerifyKey("8gUqjclkmFz6AFVB05RpWDYwTxR5MzsLzJnwZ9MlYCw=", encoder=Base64Encoder)
app = Flask(__name__)
@app.route("/", methods=["POST"])
def test_verification():
b64_signature = request.headers["El8-Ed25519-Signature"]
signature = Base64Encoder.decode(b64_signature)
message = request.get_data()
# verify() raises an exception if verification fails
verify_key.verify(message, signature)
return "Signature Verified"