Secure access to REDCap data through the API Token Vault

Sep 18, 2019

If you’ve ever been a part of a research team, you’ve likely faced the twin problems of where to keep your data, and how to keep it organized. Bob Davis, Director of Clinical Data Management for IU’s Department of Biostatistics, and his team support research and collaborative projects for a variety of organizations, including the IU School of Medicine, Nursing, Dentistry, as well as the Richard M. Fairbanks School of Public Health, IU Health, Eskenazi Health, and the Roudebush V.A. Medical Center. As you might imagine, keeping data accessible to and organized for the researchers who need it is a key consideration for his group.

The team, which includes Steve Brown, Greg Puetz, and Larry Riggen, was already making extensive use of REDCap, a secure, web-based platform designed to support data collection and management for a variety of projects, including research, operations support, and quality improvement. REDCap keeps each project’s data managed in a central location, and allows for manual data extraction, as needed. However, the team also recognized that using REDCap’s Application Programming Interface (API) to import and export data could potentially increase productivity, efficiency, and quality.

The API Token Vault team includes Steve Brown, Greg Puetz, and Larry Riggen. Photo courtesy of Bob Davis.

APIs are software intermediaries that allow applications to talk to each other directly, making it possible for programs outside of REDCap to import data into it and export data out of it without manual intervention. The data from these projects often include electronic Protected Health Information (ePHI), which means that REDCap API tokens need to be secure.

Until recently, the process of obtaining a REDCap API token involved a twelve-page standard operating procedure (SOP) report to create and use a REDCap token for each project. Understandably, this document was a deterrent for many users. Since the team uses the service for so many projects, and did not want to develop an extensive SOP for each one, they began the process of creating a technological solution. Their solution, the API Token Vault, offers a way to store, manage, and access API tokens securely through a single repository. To meet stringent security requirements, the tokens are encrypted, accessible only through integrated authentication, and visible only to their user-owners.

The API tokens are highly useful to a variety of users, but particularly to those using SAS and R. The tokens make it possible for clients to leverage modules, macros, and functions within those languages, which “call” the database. Clients can embed these calls within their code; when the code runs, it automatically recognizes the user and authenticates against the database. This allows the program to extract data, including ePHI, efficiently and securely. The program uses the project’s unique ID to connect to the proper data within REDCap, and then proceeds to process that data.

To request a REDCap API token, check out the instructions on the Knowledge Base.