API Reference — NoteGate™ Compliance Authoring API

Authentication

API keys and OAuth 2.0

NoteGate supports two authentication methods: tenant API keys (for server-to-server integrations) and OAuth 2.0 client credentials (for CRM-side integrations where a token is exchanged per session).

Tenant API key

Issued per tenant via the admin dashboard. Pass in the Authorization header.

Request header

Authorization: Bearer ng_live_<your_api_key>
X-NoteGate-Tenant: <tenant_slug>

OAuth 2.0 client credentials

Use the token endpoint to exchange your client ID and secret for a short-lived access token (60 minutes). Suitable for CRM-side integration launches where context is passed per session.

curl example

curl -X POST https://api.notegate.com.au/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "client_credentials",
    "client_id": "your_client_id",
    "client_secret": "your_client_secret",
    "scope": "notes:write mappings:admin"
  }'

Response

{
  "access_token": "eyJ...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "notes:write mappings:admin"
}

Endpoints

Available today

The following endpoints are available in production. Document only what exists: do not assume endpoints that are not listed below are available.

Note submission

Used at the final step of the compliance authoring workflow. Submits a completed compliant note. Returns the note ID and audit metadata. Also writes the note into the CRM via outbound webhook (when configured through the launch partner program).

POST /v1/notes

Submit a completed compliant note. Validates the note against scheme rules and participant-specific rules before persisting. Returns 422 if validation fails.

Tenant API key or OAuth 2.0 access token with scope notes:write

Request body (JSON)

{
  "participant_id": "p_abc123",
  "worker_id": "w_xyz789",
  "shift_id": "shift_def456",
  "sector": "ndis",
  "service_type": "daily_living",
  "shift_date": "2026-05-07",
  "shift_start": "09:00",
  "shift_end": "13:00",
  "structured_fields": {
    "mood": 3,
    "medication": "prompted_taken",
    "anxiety": 2,
    "mobility": "normal",
    "boc": "none",
    "engagement_level": "fully_engaged",
    "goals_addressed": ["goal_ind_meal_prep"]
  },
  "narrative": "At 08:00 the participant was administered lamotrigine..."
}

Response 201

{
  "note_id": "note_ghi012",
  "status": "submitted",
  "compliance_result": {
    "scheme": "ndis",
    "passed": true,
    "flags": []
  },
  "audit_trail_id": "audit_jkl345",
  "created_at": "2026-05-07T09:00:00.000Z"
}

curl example

curl -X POST https://api.notegate.com.au/v1/notes \
  -H "Authorization: Bearer ng_live_<key>" \
  -H "X-NoteGate-Tenant: yourtenantslug" \
  -H "Content-Type: application/json" \
  -d '{"participant_id":"p_abc123","worker_id":"w_xyz789","sector":"ndis",...}'

GET /v1/notes/:note_id

Retrieve a submitted note by ID. Includes the full structured fields, narrative, compliance result, and audit metadata.

Tenant API key with scope notes:read

curl example

curl https://api.notegate.com.au/v1/notes/note_ghi012 \
  -H "Authorization: Bearer ng_live_<key>" \
  -H "X-NoteGate-Tenant: yourtenantslug"

Field mapping administration

Define tenant-specific field name overrides. Your overrides take precedence over the built-in map on every authoring call. Required if your CRM instance uses non-standard field names.

POST /v1/admin/mappings

Create or replace the field mapping override set for this tenant. Idempotent: calling multiple times with the same payload has no additional effect. Returns the active mapping.

Tenant API key with scope mappings:admin

Request body (JSON)

{
  "crm_platform": "visualcare",
  "mappings": {
    "participant_id": "client_id",
    "note_content": "case_note_text",
    "shift_date": "appointment_date",
    "worker_id": "carer_id"
  }
}

curl example

curl -X POST https://api.notegate.com.au/v1/admin/mappings \
  -H "Authorization: Bearer ng_live_<key>" \
  -H "X-NoteGate-Tenant: yourtenantslug" \
  -H "Content-Type: application/json" \
  -d '{"crm_platform":"visualcare","mappings":{"participant_id":"client_id"}}'

GET /v1/admin/mappings

Retrieve the current field mapping override set for this tenant.

Tenant API key with scope mappings:admin

curl example

curl https://api.notegate.com.au/v1/admin/mappings \
  -H "Authorization: Bearer ng_live_<key>" \
  -H "X-NoteGate-Tenant: yourtenantslug"

Inbound note intake

Accepts a note payload directly from a CRM's existing API call, applies the tenant's field mapping automatically, and returns the authoring workflow launch token or the compliance result depending on the workflow mode.

POST /v1/inbound

Accept a note payload from a CRM in its native field format. NoteGate applies the tenant's field mapping automatically and routes to the authoring workflow or direct submission depending on the mode parameter.

Tenant API key with scope notes:write

Request body

{
  "mode": "authoring",
  "crm_payload": {
    "client_id": "p_abc123",
    "carer_id": "w_xyz789",
    "case_note_text": "...",
    "appointment_date": "2026-05-07"
  }
}

curl example

curl -X POST https://api.notegate.com.au/v1/inbound \
  -H "Authorization: Bearer ng_live_<key>" \
  -H "X-NoteGate-Tenant: yourtenantslug" \
  -H "Content-Type: application/json" \
  -d '{"mode":"authoring","crm_payload":{...}}'

Error reference

HTTP status codes and error bodies

All errors return JSON with an error string and a human-readable message field.

Status	Error code	Meaning
400	invalid_request	Malformed JSON or missing required fields.
401	unauthorized	Missing or invalid API key or access token.
403	forbidden	Token does not have the required scope.
404	not_found	The requested resource does not exist for this tenant.
422	compliance_failed	The note did not meet compliance requirements. The `flags` array in the response details each issue.
429	rate_limited	Rate limit exceeded. See `Retry-After` header.
500	internal_error	Server error. Retry with exponential backoff. Contact api@notegate.com.au if persistent.

Error response body example

{
  "error": "compliance_failed",
  "message": "Note did not meet NDIS Practice Standards requirements.",
  "flags": [
    {"field": "narrative", "code": "goal_evidence_missing", "message": "No goal-aligned evidence recorded."},
    {"field": "structured_fields.mood", "code": "required_field_missing", "message": "Mood score required for NDIS sector notes."}
  ]
}

Rate limits

Per-key limits

Rate limits apply per API key. Limits are subject to change as capacity scales. Contact api@notegate.com.au for higher limits.

Endpoint group	Limit	Window
POST /v1/notes	120 requests	Per minute
GET /v1/notes/:id	300 requests	Per minute
POST /v1/admin/mappings	10 requests	Per minute
POST /v1/inbound	120 requests	Per minute
POST /oauth/token	20 requests	Per minute

Coming Q2 2026

Planned endpoints

The following endpoints are on the roadmap for the full OpenAPI 3.1 release at api.notegate.com.au. They are not available today. Email api@notegate.com.au if you need early access.

POST /v1/inbound/launch-token — Issue a single-use launch token for CRM-side Shift Note button integration
POST /v1/notes/bulk — Bulk import endpoint for CSV-originated historical notes
GET /v1/audit-log — Retrieve the full audit log for a tenant, structured for SIEM export
GET /v1/participants/:id/notes — List all submitted notes for a participant

To be notified when the full spec is published, email api@notegate.com.au with the subject "OpenAPI spec notification".

Compliance Authoring API Reference

API keys and OAuth 2.0

Tenant API key

OAuth 2.0 client credentials

Available today

Note submission

Field mapping administration

Inbound note intake

HTTP status codes and error bodies

Per-key limits

Planned endpoints