---
name: AdvancedMD API Access
description: AMD PM API endpoints, auth token format, and available APIs for Exult Healthcare
type: reference
---

AMD PM API for Exult Healthcare (office key 161112).

**How to apply:** Use these endpoints when querying patient data, appointments, or scheduling for Exult Healthcare.

## Authentication
- Login: https://login.advancedmd.com/ (user: GAUTAM, office: 161112, has 2FA via email)
- **REST API base** (as of 2026-04-05): `https://pm-api-137.advancedmd.com/api` — the `-137` suffix is the current cluster; `-106` was prior. AMD rotates these periodically. Alt host that works with same token: `https://ow2-pm-api-137.igw.advancedmd.com/api`
  - Auth: `Authorization: Bearer {token}` header
  - Accept: `application/vnd.advancedmd.api.v2+json,application/json`
- **XMLRPC (legacy `ppmdmsg`) endpoint** (verified 2026-04-05): `https://pm-wfe-137.advancedmd.com/practicemanager/xmlrpc/processrequest.aspx`
  - Auth: `<usercontext>{token}</usercontext>` element INSIDE the body (NOT Authorization header)
  - **REQUIRED header**: `Referer: https://static-100.advancedmd.com/` (CORS/origin check — 403 without it)
  - Content-Type: `application/xml` (for `<ppmdmsg ...>` XML) OR `application/json;charset=UTF-8` (for `{"ppmdmsg": {...}}` JSON)
  - The GAUTAM bearer token from REST works as the `usercontext` value for XMLRPC — same 70-char token serves both APIs
- Token format: `161112` + 64-char hex, 70 chars total (office_key + session hash)
- Official AMD API docs: https://ow2-help-01-prd.advancedmd.com/help//APIDocumentation/Content/Introduction.htm (login-gated; authenticated Playwright session required to reach)
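
Because the same 70-character token is sent both in the `Authorization: Bearer` header and in the `<usercontext>` body element, any request or response logging on either API captures a live session credential. The following is an added example (not AdvancedMD code and not part of the original note) that scrubs token-shaped strings from log text while keeping a short fingerprint for correlation. It assumes office keys are always 6 digits; the placeholder format and the sample token are constructed.

```python
import hashlib
import re

# Shape stated in this note: office key followed by 64 hex chars (70 total).
# Assumption: office keys are always 6 digits, like the one shown here.
TOKEN_RE = re.compile(
    r"(?<![0-9A-Za-z])(\d{6})([0-9A-Fa-f]{64})(?![0-9A-Za-z])"
)


def fingerprint(token: str) -> str:
    """Short one-way tag so log lines from the same session still correlate."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()[:12]


def redact_tokens(text: str) -> str:
    """Replace every token-shaped string, whichever API placement it came from."""
    def _sub(match: re.Match) -> str:
        office = match.group(1)
        return f"[amd-token office={office} fp={fingerprint(match.group(0))}]"
    return TOKEN_RE.sub(_sub, text)


# Constructed sample values, not real credentials.
SAMPLE_TOKEN = "161112" + "ab" * 32
SAMPLE_REST = (
    "GET /api/scheduler/columns\n"
    f"Authorization: Bearer {SAMPLE_TOKEN}\n"
)
# Constructed body: only the <usercontext> element is taken from this note.
SAMPLE_XMLRPC = f"<ppmdmsg><usercontext>{SAMPLE_TOKEN}</usercontext></ppmdmsg>"

if __name__ == "__main__":
    print(redact_tokens(SAMPLE_REST))
    print(redact_tokens(SAMPLE_XMLRPC))
```
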

## Key Endpoints (Read)
- `POST /api/lookup/patients?cboMode=false&advancedSearch=false` — Search patients by name. Body: `{"query":"..."}`. Returns patient list with phone numbers, DOB, chart number.
- `GET /api/scheduler/columns` — List all scheduler columns (providers/resources). Returns column IDs needed for appointment queries.
- `GET /api/scheduler/appointments?columnId={id}&startDate={date}&endDate={date}&forView=list` — List appointments for a column. Note: `patientId` filter on URL does NOT work; must fetch all and filter client-side. See the scheduler list endpoint GOTCHAS section for how the `forView` value changes what is returned.
- `GET /api/scheduler/patients/inactivestatuses` — Inactive patient statuses.
- `GET /api/system/startupvalues?forSpa=patientinfo` — System startup values.

## Key Endpoints (Write — requires explicit Gautam approval per request)
- `POST /api/scheduler/appointments` — Create appointment. Returns 201 on success. Required fields:
  ```json
  {
    "patientid": 17574797,
    "columnid": 3325,
    "profileid": 4579,
    "facilityid": 3197,
    "startdatetime": "2026-05-05T13:00:00",
    "duration": 20,
    "type": [{"id": 6614}],
    "istelemedicine": true,
    "episodeid": 17539507,
    "comments": ""
  }
  ```
  Key: `type` must be an array of objects with `id` (NOT `appointmenttypeids`). Common type IDs: 6614 = TH-MED MGMT F/U (telehealth follow-up, 20min), 6611 = in-person follow-up.

## Provider Column IDs (verified 2026-04-05, 14 columns total)
- 3325: DR. DEEPIKA BHARGAVA (M) — "Doctor B", profileid 4579, providercode BHAR00 (primary provider, ~53 appts/week sample)
- 3345: NGOMENI MBILIKIRA (S)
- 3351: SKYE TOLES (M)
- 3352: JERRITT TODD (M)
- 3355: APRIL DAVIS (M)
- 3358: RICK BINGHAM (M)
- 3366: NGOMENI MBILIKIRA (duplicate column)
- 3387: MCKINNEY IOP
- 3392: TECHS
- 3395: TRAINING ONLY
- 3396: BRIA HAWKINS
- 3407: VIVICA SNYPE-STEWART
- 3415: RHONDA EMMONS (S)
- 3694: VANAJAKSHI DATTATREYA

Q1 2026 volume: ~210-240 completed appts/week across all 14 cols → ~2700-3100 completed appts in Q1 2026. Clinic is much larger than single-provider assumption.

## Scheduler list endpoint GOTCHAS (verified 2026-04-05)
- `forView=week` is correct for ranges; `forView=day` returns single day only; `forView=list` returns subset (2 vs 53 observed); `forView=month` works for month ranges.
- **CRITICAL: `/api/scheduler/appointments` list endpoint FILTERS OUT statuses 4 (cancelled), 5 (no-show), 6 (rescheduled).** Observed statuses in ~440 records: {0:9, 1:23, 2:2, 3:316, 10:59, 12:48}. Status 3 (checked-out/posted) dominates. Zero `cancelnoshowreason` values returned.
- For cancellation/no-show counts, must use a different endpoint — likely the PM WFE "Missed Appointments" worklist panel route (needs network-trace capture) or legacy `/xmlrpc/processrequest.aspx` with `getmissedappts` action.
- Detail endpoint `/api/scheduler/appointments/{id}` returns `creationdate` and `modifieddate` NOT present in list view — use for "appointment additions per day" metric.

## Dead endpoints (verified 2026-04-05, do NOT waste probe cycles)
- `/api/reminders` — 403 RBAC
- `/api/messages` — 404
- `/api/tasks` — 404
- `/api/worklist` — 403 RBAC
- `/api/audit` — 404
- `/swagger/v1/swagger.json` — 404
- `/api/patients?officeid=161112` — 404 (worked 2026-04-02, removed since)
- `xmlrpc/processrequest.aspx` at pm-api-137 — 404 (correct host is `pm-wfe-137` not `pm-api-137` — see Authentication section)
- `providerapi.advancedmd.com/*` — 404 (host serves static only, 403 method not allowed)

## XMLRPC privilege denial (verified 2026-04-05)
Calling `getupdatedvisits` with the GAUTAM token returns HTTP 200 but a permission error:
```
{"Error":{"Fault":{"detail":{"description":"view updated vists",
  "extrainfo":{"permissiondetails":{"@user":"GAUTAM","@licensekey":"161112","@rolename":"ADMIN"}}}}}}
```
The `view updated visits` privilege is NOT exposed in the ADMIN role's UI privilege tree (283 L2 leaves searched — no match for "updated", "visit info", "fieldset", etc). These XMLRPC view privileges are ONLY attached to the `API FULL` and `API LIMITED` system roles.

**Blocker for self-service**: In the Create User dialog, `API FULL` and `API LIMITED` are `mat-option-disabled` / `aria-disabled="true"` — both role options are greyed out for GAUTAM (ADMIN / FULL ADMINISTRATOR). Only 2 API seats exist in the office (used by `ABS-AVMD API` and `ARCHEALTH API` users) — adding a third requires AMD support to provision another API seat. Cannot self-provision a new API service user via the UI.

**Workarounds**: (a) Contact AMD support to add a 3rd API seat for the agent. (b) Rotate the password on the existing `ABS-AVMD API` or `ARCHEALTH API` user (risk: breaks existing integrations using those accounts). (c) Stick to REST endpoints the GAUTAM/FULL ADMIN token already has (scheduler/appointments, lookup/patients, etc.) and accept that XMLRPC view actions are unreachable.
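
Since the denial above arrives with HTTP 200, a client or monitor that keys on status codes records it as a success. The following is an added example (not AdvancedMD code and not part of the original note) that classifies a JSON-mode XMLRPC response by inspecting the body. The result labels are hypothetical, and treating a `permissiondetails` block as the marker of a privilege denial is an assumption based on the single response quoted here.

```python
import json

# Response body quoted on this page for getupdatedvisits (returned with HTTP 200).
PAGE_FAULT = ('{"Error":{"Fault":{"detail":{"description":"view updated vists",'
              '"extrainfo":{"permissiondetails":{"@user":"GAUTAM",'
              '"@licensekey":"161112","@rolename":"ADMIN"}}}}}}')


def _dig(obj, *keys):
    """Walk nested dicts; return None as soon as a level is missing or not a dict."""
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def parse_fault(doc):
    """Summarise Error.Fault in a decoded response, or return None if absent."""
    fault = _dig(doc, "Error", "Fault")
    if not isinstance(fault, dict):
        return None
    perm = _dig(fault, "detail", "extrainfo", "permissiondetails")
    perm = perm if isinstance(perm, dict) else {}
    return {
        "description": _dig(fault, "detail", "description"),
        "user": perm.get("@user"),
        "office": perm.get("@licensekey"),
        "role": perm.get("@rolename"),
        "permission_denied": bool(perm),  # assumption: block present => denial
    }


def classify(http_status, body):
    """Classify one JSON-mode response; HTTP 200 alone does not mean success."""
    if http_status != 200:
        return "http_error"
    try:
        doc = json.loads(body)
    except ValueError:
        return "unparsed"
    fault = parse_fault(doc)
    if fault is None:
        return "ok"
    return "permission_denied" if fault["permission_denied"] else "fault"


if __name__ == "__main__":
    print(classify(200, PAGE_FAULT), parse_fault(json.loads(PAGE_FAULT)))
```
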

## Notes
- Patient search is name-based only (phone number search not supported directly)
- Patient records include: homephone, officephone, other (phone fields)
- Scheduler appointments require `columnId` and `forView` parameters
- Facility ID 3197 = Exult Healthcare (McKinney), facilitycode MCKIN
- AMD token is session-based from browser login, not a long-lived API key
- 2FA code auto-retrievable from Gmail MCP (from: noreply@advancedmd.com)
