REDCap API Documentation

Although API requests to REDCap are done using SSL (HTTPS), which means that the traffic to and from the REDCap server is encrypted, there is still more that can be done to ensure the highest level of security when using the API. This is especially important if you are moving sensitive data into or out of REDCap. One thing that is *highly* recommended is for your API script/program (i.e. the thing making the request to the REDCap API) to validate the SSL certificate of the REDCap web server when it makes the API request.

Background on SSL certificates:

Web servers have SSL certificates so that their identity can be validated and thus trusted, after which secure, encrypted communication can take place with the server. It is important to validate the server's SSL certificate because it is possible (although extremely rare) to be the victim of a Man in the Middle attack even when your web traffic is secure over SSL/HTTPS. A Man in the Middle (MiM) attack can be performed by a hacker who impersonates the REDCap web server using a fake/invalid SSL certificate. In this way, your API script may believe that the hacker is really the REDCap server and thus unwittingly send your request not to REDCap but to the hacker, who can then see the contents of your request, including your API token, and use that token to impersonate you in future API requests to REDCap.

How to prevent Man in the Middle attacks:

Preventing MiM attacks is pretty simple. Essentially all you need to do is to force your API script to validate the SSL certificate of the REDCap server. REDCap's SSL certificate will always be valid, but the hacker's fake certificate can never be determined to be valid if you attempt to validate it. In many programs or programming languages that can make API requests, validating an SSL certificate is often as easy as setting a flag. For example, cURL is widely used by API scripts written in PHP, R, SAS, and many other languages to make the web request to REDCap. So if your API script is using cURL, all you need to do is modify your script so that it sets the cURL option named CURLOPT_SSL_VERIFYPEER to a value of TRUE. Once done, your API script will make the API request to REDCap *only* if it can validate REDCap's SSL certificate. Thus by adding the SSL certificate check, you have completely prevented the possibility of MiM attacks and are using the most secure form of communication with the REDCap API. If you are not using cURL, there are plenty of other examples on the web for how to validate an SSL certificate in different programming languages. Such examples can be found simply by Googling the name of your programming language + 'verify ssl certificate' (e.g., 'Java verify ssl certificate'), which should provide you with many helpful results.
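The following PHP script is an added example, not REDCap's own client code, showing the weak cURL configuration next to the hardened one described above. The API URL and the token are placeholders; the script assumes the token is supplied through an environment variable named REDCAP_API_TOKEN and that the PHP cURL extension is installed.

```php
<?php
// Added example (not REDCap's own code): calling the REDCap API from PHP cURL.
// The URL and token below are placeholders; the real ones come from your project.

// WEAK: certificate checks switched off. A spoofed server presenting a fake
// certificate is accepted and the API token in the POST body goes to the attacker.
function redcapRequestInsecure(string $apiUrl, array $fields)
{
    $ch = curl_init($apiUrl);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($fields));
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // do NOT do this
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);     // do NOT do this
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// HARDENED: validate the certificate chain against the trusted CA store and
// check that the certificate was issued for the host named in the URL.
// The request body (and the token) is sent only if both checks pass.
function redcapRequest(string $apiUrl, array $fields, ?string $caBundle = null): string
{
    $ch = curl_init($apiUrl);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_SSL_VERIFYPEER => true,            // reject certificates the CA store does not trust
        CURLOPT_SSL_VERIFYHOST => 2,               // reject certificates issued for another host name
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never fall back to plain HTTP
        CURLOPT_TIMEOUT        => 30,
    ]);
    // Optional: point cURL at a specific CA bundle file when the system store is
    // missing (common in containers) or when you want a narrower set of issuers.
    if ($caBundle !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
    }

    $body = curl_exec($ch);
    if ($body === false) {
        // A certificate that fails validation ends up here: cURL aborts the
        // handshake before any request data (including the token) is sent.
        $errno = curl_errno($ch);
        $error = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("REDCap request failed (curl error $errno): $error");
    }
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($status !== 200) {
        throw new RuntimeException("REDCap returned HTTP $status: $body");
    }
    return $body;
}

// Usage: read the token from the environment rather than hard-coding it.
$token  = getenv('REDCAP_API_TOKEN') ?: 'PLACEHOLDER_TOKEN';
$apiUrl = 'https://redcap.example.org/api/'; // placeholder URL

$fields = [
    'token'   => $token,
    'content' => 'metadata', // export the project's data dictionary
    'format'  => 'json',
];

try {
    echo redcapRequest($apiUrl, $fields), PHP_EOL;
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . PHP_EOL);
    exit(1);
}
```

CURLOPT_SSL_VERIFYPEER on its own confirms that the certificate chains to a trusted CA; CURLOPT_SSL_VERIFYHOST set to 2 additionally confirms that the certificate was issued for the host you are actually connecting to, which is the check that stops a validly issued certificate for some other domain from being presented in REDCap's place. If the hardened call fails with a certificate error on a machine that has never trusted the REDCap server before, the fix is to install or point CURLOPT_CAINFO at a proper CA bundle, not to set CURLOPT_SSL_VERIFYPEER back to false.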

REMINDER:

Please remember that while REDCap itself has many security layers to help protect you and to ensure the highest level of security and data integrity, it is *your* responsibility to ensure that you are using the most secure methods and best practices when using the REDCap API.

REDCap Software - Version 14.9.1 - © 2024 Vanderbilt University