Full Fabric Public API
The Full Fabric API is organised around REST. It has predictable resource-oriented URLs, accepts JSON-encoded request bodies, returns JSON-encoded responses, and uses standard HTTP response codes and verbs.
Base URL
Every request is scoped to your institution's subdomain:
https://{subdomain}.fullfabric.cloud
Replace {subdomain} with your institution's identifier — for example, https://primrose.fullfabric.cloud.
Authentication
The API uses token-based authentication. Include your secret token in every request using the FF-Auth header:
curl https://primrose.fullfabric.cloud/apis/institutions/institution \
-H "Accept: application/json;version=2021-04-13" \
-H "FF-Auth: YOUR_SECRET_TOKEN"
Your API token carries full read/write access to your institution's data. Keep it secret — never expose it in client-side code, public repositories, or logs. Access tokens are provisioned by the Full Fabric support team.
All requests must be made over HTTPS. Plain HTTP calls will fail.
Versioning
All requests require an API version. Specify it via the Accept header:
Accept: application/json;version=2021-04-13
Or via a dedicated header:
X-API-Version: 2021-04-13
Accept: application/json
When we make backwards-incompatible changes to the API, we release a new dated version. Pin your integration to a specific version to avoid unexpected breakage.
Pagination
List endpoints return paginated results. Use limit (1–100, default 10) and skip to page through them:
curl "https://primrose.fullfabric.cloud/apis/profiles/profiles?limit=25&skip=50" \
-H "Accept: application/json;version=2021-04-13" \
-H "FF-Auth: YOUR_SECRET_TOKEN"
File Downloads
Files attached to profiles, applications, and form submissions are served from a separate file endpoint. Pass your token via the FF-Auth header:
curl https://primrose.fullfabric.cloud/files/{path}.{extension} \
-H "FF-Auth: YOUR_SECRET_TOKEN"
Request IDs
Every API response includes a X-Request-Id header. If you need to report a problem, include this value — it's the fastest way to trace a specific request.
Errors
Full Fabric uses conventional HTTP status codes to indicate the success or failure of a request. Codes in the 2xx range indicate success. Codes in the 4xx range indicate a problem with the information provided. Codes in the 5xx range indicate an error on our servers (rare).
| Code | Meaning |
|---|---|
200 |
OK — the request succeeded |
400 |
Bad Request — a required parameter is missing or malformed |
401 |
Unauthorized — no valid API token was provided |
402 |
Request Failed — parameters were valid but the request could not be completed |
403 |
Forbidden — the token does not have permission for this action |
404 |
Not Found — the requested resource does not exist |
422 |
Unprocessable Entity — the request was understood but failed validation |
429 |
Too Many Requests — you have exceeded the rate limit |
5xx |
Server Error — something went wrong on our end |
Errors return a JSON body with a message field describing what went wrong. Validation errors (422) also include an errors array with field-level detail.
Rate Limiting
To maintain reliability for all integrations, the API enforces rate limits per token:
| Window | Limit |
|---|---|
| Per 8 seconds | 40 requests |
| Per 60 seconds | 180 requests |
| Per hour | 10,000 requests |
When you exceed a limit, the API returns 429 Too Many Requests. Check the Retry-After response header for the number of seconds to wait before retrying. To avoid hitting limits, make requests for a single token serially and wait at least 1 second between write operations.