Use the interactive documentation for the full, always-up-to-date list of endpoints and schemas:
Notes:
- We link out to interactive docs instead of embedding them directly into this Markdown to respect our strict Content Security Policy (no inline scripts in docs pages).
Authentication
The API uses named API keys issued through the MFA-protected web UI. API keys are not available to FREE tier accounts.
Obtaining an API key
- Log in to the web application and complete MFA verification.
- Navigate to Account โ API Keys.
- Click Generate new key, give it a descriptive name (e.g. "CI pipeline", "ETL script"), and optionally set an expiry date.
- Copy the key immediately โ it is shown once only and cannot be retrieved again.
Using an API key
Pass the raw key in the Authorization header:
curl -H "Authorization: Bearer ct_live_<your_key>" \
https://example.com/api/surveys/
Keys have the prefix ct_live_ so they are identifiable if accidentally committed.
Revoking an API key
Revoke a key at any time from Account โ API Keys. Revocation is immediate. Changing your password revokes all your keys.
Account tier requirements
| Tier | API access |
|---|---|
| FREE | โ No API access |
| PRO | โ Read-only; self-serve key generation |
| TEAM (any size) | โ Read-only; team admin generates keys |
| ORGANISATION | โ Read-only; org admin generates keys |
| ENTERPRISE | โ Read-only; org admin or SSO token exchange |
Available endpoints
The API is read-only. All write operations (survey creation, publication, membership management, user administration) are performed through the web UI.
| Method | Endpoint | Purpose |
|---|---|---|
GET |
/api/surveys/ |
List surveys accessible to the key |
GET |
/api/surveys/{id}/ |
Survey structure and metadata |
GET |
/api/surveys/{id}/metrics/responses/ |
Aggregate response counts (no PII) |
GET |
/api/datasets/ |
Dataset / dropdown data |
GET |
/api/datasets/{key}/ |
Single dataset |
GET |
/api/question-group-templates/ |
Published question group templates |
GET |
/api/question-group-templates/{id}/ |
Single template |
GET |
/api/health |
Health check (public, no auth required) |
GET |
/api/docs, /api/redoc, /api/schema |
Interactive API documentation (public) |
Permissions matrix (summary)
| Endpoint | Owner | Org ADMIN | Org CREATOR/VIEWER | No key / anonymous |
|---|---|---|---|---|
| Survey list | Sees own surveys | Sees all org surveys | Sees own surveys | Empty list / 401 |
| Survey retrieve | โ | โ | โ if member | 401 |
| Survey metrics | โ | โ | โ if member | 401 |
| Dataset list | โ (global + org) | โ (global + org) | โ (global + org) | Global only |
| Dataset retrieve | โ | โ | โ | โ (public datasets) |
| QG templates list | โ (global + own org) | โ (global + own org) | โ (global + own org) | 401 |
| QG templates retrieve | โ | โ | โ | 401 |
| Health check | โ | โ | โ | โ |
Dataset permissions
The datasets API (/api/datasets/) provides read-only access to shared dropdown option lists. See the Dataset API Reference for details.
- Anonymous / no key: global datasets only (
is_global=True) - Authenticated key holders: global datasets + their organisation's datasets
- NHS Data Dictionary datasets (
category=nhs_dd): read-only for all; cannot be modified via the API
Error codes
- 401 Unauthorized โ missing, invalid, revoked, or expired API key
- 403 Forbidden โ authenticated but not authorized (FREE tier, or insufficient role on object)
- 404 Not Found โ resource doesn't exist
- 405 Method Not Allowed โ only GET requests are accepted on all endpoints
Throttling
- Enabled via DRF:
AnonRateThrottleandUserRateThrottle. - Rates configured in
checktick_app/settings.pyunderREST_FRAMEWORK.DEFAULT_THROTTLE_RATES. - The
/api/tokenendpoint (legacy, not yet removed) is additionally throttled at 5 requests/minute per IP.
CORS
- Disabled by default. To call the API from another origin, explicitly set
CORS_ALLOWED_ORIGINSin settings.
Encryption and read-only scope
The API is restricted to survey structure and aggregate response counts. Neither of these involves encryption material:
- Survey structure (
/api/surveys/) contains question metadata only โ no responses or PII. - Response metrics (
/api/surveys/{id}/metrics/responses/) returns counts only โ no individual responses.
All encryption configuration, survey publication, and data export remain web-UI-only operations.
Example curl snippets
See Authentication & Permissions for a complete guide to API key generation and usage.
Question Group Template Library API
The Question Group Template API (/api/question-group-templates/) provides programmatic access to the template library for browsing and publishing reusable question group templates.
Endpoints
List Templates
GET /api/question-group-templates/
Returns a list of published question group templates visible to the authenticated user.
Access Control:
- Users see global templates (publication_level='global')
- Users see organisation-level templates from their own organisation(s)
Query Parameters:
publication_level(string): Filter by 'global' or 'organisation'language(string): Filter by language code (e.g., 'en', 'cy')tags(string): Comma-separated list of tags to filter bysearch(string): Search in template name and descriptionordering(string): Order results by 'name', '-name', 'created_at', '-created_at', 'import_count', or '-import_count'
Response: Array of template objects with fields:
id: Template IDname: Template namedescription: Template descriptionmarkdown: Markdown representation of questionspublication_level: 'global' or 'organisation'publisher_username: Username of publisherorganization_name: Name of organisation (for org-level templates)attribution: Attribution metadatatags: Array of tagslanguage: Language codeimport_count: Number of times importedcan_delete: Boolean indicating if current user can delete this templatecreated_at: Creation timestampupdated_at: Last update timestamp
Example:
curl -H "Authorization: Bearer <token>" \
"https://example.com/api/question-group-templates/?publication_level=global&language=en"
Retrieve Template
GET /api/question-group-templates/{id}/
Returns detailed information about a specific template.
Access Control: Same as list endpoint (global + own org templates only)
Example:
curl -H "Authorization: Bearer <token>" \
"https://example.com/api/question-group-templates/123/"
Permission Matrix
| Action | No key / anonymous | API key holder |
|---|---|---|
| List templates | โ | โ (global + own org) |
| Retrieve template | โ | โ (global + own org) |
Publishing question group templates is a write operation and is performed through the web UI only (
/surveys/question-group-templates/publish/).