Empower Pharmacy | Introduction to Empower APIs

Getting started

Introduction to Empower Pharmacy APIs

The Empower Pharmacy™ API platform gives you direct access to the nation's largest compounding pharmacy infrastructure — programmatically. Our mission is to make high-quality compounded medications more accessible to patients everywhere, and we believe open, reliable APIs are central to making that happen.

We're excited to have partners like you who are looking to transform the patient medication experience. This API is central to our business and we can't wait for you to get started. We hope your integration is smooth — and if you have questions at any point, please reach out to our Partner Success team.

What is an API?

If you're thinking of active pharmaceutical ingredient — you wouldn't be wrong! Here though, we're focused on technology APIs and how they can transform the way your patients access compounded medications.

The Empower Pharmacy API is a powerful, robust RESTful JSON-based API. It gives you the ability to tap into our compounding pharmacy infrastructure — submitting orders, managing patient records, tracking fulfillment, and receiving real-time status updates, all from within your own platform.

This guide will walk you through the essentials: how to authenticate, how to make requests, how to handle responses, and how to set up webhooks so your system stays in sync with ours. You can also dive into our full API reference documentation at any time.

New to REST APIs?

No problem. Download our Postman collection to explore every endpoint with pre-built example requests — no code required to get started.

HIPAA and security

Overview

Empower Pharmacy takes the security and confidentiality of protected health information (PHI) seriously. We ensure your data integrity is a top priority — from the moment you initiate an API request, all the way to when your patient receives their medication.

Empower maintains a comprehensive set of policies and procedures to safeguard our physical and technical infrastructure and remain compliant with the HIPAA Privacy Rule, Security Rule, Transactions and Code Sets Rule, and their implementing regulations. Empower Pharmacy is a Covered Entity. For more information, Empower also publishes a Privacy Policy, Notice of Privacy Practices, and Terms and Conditions.

All API requests are transmitted over the TLS 1.2 protocol. All data is encrypted in transit and at rest using trusted, HIPAA-compliant cloud infrastructure.

Business associate agreement

Empower uses a standard Business Associate Agreement (BAA) with our integration partners. Customized agreements may be available for large health systems, telehealth platforms, or enterprise clinic groups. Your BAA must be fully executed before production credentials are issued.

Security assessments

Security, privacy, and regulatory compliance are core pillars of our business. We maintain an active internal review program and engage professional third-party auditors to evaluate the effectiveness of our controls on an ongoing basis.

We welcome our partners to conduct their own assessments, including security audits, site reviews, and other due-diligence measures. Questions or concerns about our security or privacy program can be directed to our Privacy Officer at privacy@empowerpharmacy.com.

Authentication

The Empower API uses key-based authentication. Requests are authenticated using basic access authentication — provide your API key in an Authorization HTTP header for all requests. If you do not pass a valid API key, your requests will not authenticate successfully.

Your API key is provisioned during onboarding. You will receive two unique keys: a sandbox key for development and testing, and a production key for live operations. Keep both secure and never expose them in client-side code or public repositories.

HTTP
Authorization: Bearer YOUR_API_KEY
Content-Type:  application/json

If authentication fails, the API returns a 401 Unauthorized response. Verify your key is correct, you're pointing at the right environment, and the key hasn't been rotated or revoked.

JSON — 401 response
{
  "status": "error",
  "code":   401,
  "error": "Unauthorized — invalid or missing API key",
  "meta":  { "request_id": "req_Jk9pR4tY" }
}

Authentication API reference »

Making requests

In order to access the Empower API, you'll need an API key provisioned during onboarding. Following RESTful design patterns, the Empower API implements standard HTTP actions: GET, POST, PUT, DELETE. Arguments can be passed as params, form data, or JSON with the correct Content-Type header.

Requests must be made over HTTPS. Any non-secure HTTP requests will not be redirected — they will be rejected outright.

Base request URL

https://api.empowerpharmacy.com/

Example request

cURL
curl -X POST https://api.empowerpharmacy.com/v1/orders \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "patient_token": "pt_abc123",
    "prescription_token": "rx_xyz789",
    "shipping_method": "standard"
  }'

Response format

Every response — success or error — uses the same JSON envelope, so your integration always knows what to expect:

JSON
{
  "status":  "success",
  "code":    200,
  "data":   { /* resource object or array */ },
  "error":  null,
  "meta": {
    "request_id": "req_8Fa2cX9m",
    "timestamp":  1716400012
  }
}

Webhook events

Overview

Webhook events are how Empower communicates all asynchronous status changes related to your API requests. As part of your integration, you'll set up an HTTPS webhook URL that Empower will POST updates to — so your system always knows what's happening with an order, prescription, or patient record without having to poll.

Webhook events send the latest known data for a request at the time of sending. This guarantees you receive the most up-to-date status for any request, the moment it changes.

Managing your webhook endpoint

You can set, manage, and update your webhook URL in your developer account or through our customer endpoints. Using webhooks is optional, but strongly recommended — it's the only way to receive real-time status changes for all your requests.

Securing your webhook endpoint

You can secure your webhook endpoint using basic access authentication, where Empower will include a key in the Authorization header of every POST request to your endpoint. Alternatively, you may whitelist the Empower IP address range. Both measures are highly recommended.

Token management

Webhook events return token representations of objects — such as patient_token and prescription_token — rather than raw identifiable data. Using tokens limits the amount of patient-identifiable information transmitted over webhook events and keeps your integration HIPAA-friendly by design.

Request vs. notify webhook events

There are two types of webhook events sent by the Empower system. Request events are asynchronous events that always reference a request ID from a previous call you made. Notify events are not tied to a specific request but may be relevant to your workflow — for example, a new prescription arriving for one of your patients.

JSON — Shipment webhook event
{
  "request_id":    "fill_request_991e90fa6b367cf72032",
  "timestamp":     1590800222,
  "callback_type": "SHIPMENT",
  "status":        "success",
  "details": {
    "status":          "DELIVERED",
    "message":         "Your shipment has been delivered.",
    "tracking_number": "43904456187100000000000000",
    "carrier":         "usps"
  }
}

JSON — Prescription notify event
{
  "timestamp":     1581019462,
  "callback_type": "NOTIFY_RX",
  "details": {
    "medication_name":    "Semaglutide 2.5 mg/mL injection",
    "prescriber":         "Dr. Jane Smith",
    "prescription_token": "rx_z3q2jr",
    "patient_token":      "pt_4526d90a"
  }
}

Webhook events API reference »
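A receiving endpoint that applies both measures from "Securing your webhook endpoint" and the request/notify distinction, as an added example (not Empower's own code). The exact Authorization value Empower sends and its IP range are not given on this page, so the sample values below are constructed placeholders; the function names and the status codes returned are this example's own choices.

```python
import hmac
import ipaddress
import json

def verify_sender(auth_header, remote_ip, expected_auth, allowed_nets):
    """Require both the shared Authorization value and an allowlisted source IP."""
    # Constant-time comparison so response timing does not leak the key.
    key_ok = hmac.compare_digest((auth_header or "").encode(), expected_auth.encode())
    try:
        ip = ipaddress.ip_address(remote_ip)  # real peer address, not a client-supplied header
    except ValueError:
        return False
    return key_ok and any(ip in ipaddress.ip_network(net) for net in allowed_nets)

def classify_event(body):
    """Return ('request', request_id) or ('notify', None); ValueError if malformed."""
    event = json.loads(body)  # JSONDecodeError is a subclass of ValueError
    if not isinstance(event, dict):
        raise ValueError("event must be a JSON object")
    for field, kind in (("timestamp", int), ("callback_type", str), ("details", dict)):
        if not isinstance(event.get(field), kind):
            raise ValueError(f"missing or mistyped field: {field}")
    request_id = event.get("request_id")
    if request_id is None:
        return "notify", None
    if not isinstance(request_id, str):
        raise ValueError("request_id must be a string")
    return "request", request_id

def handle_webhook(auth_header, remote_ip, body, pending, expected_auth, allowed_nets):
    """Return the HTTP status the receiving endpoint should answer with."""
    if not verify_sender(auth_header, remote_ip, expected_auth, allowed_nets):
        return 401
    try:
        kind, request_id = classify_event(body)
    except ValueError:
        return 400
    # A request event must reference a call this system made; reject unknown IDs.
    if kind == "request" and request_id not in pending:
        return 404
    return 200

# Constructed sample values (placeholders, not real Empower credentials or ranges).
SAMPLE_AUTH = "Basic ZXhhbXBsZTpjb25zdHJ1Y3RlZA=="
SAMPLE_NETS = ["203.0.113.0/24"]  # RFC 5737 documentation range
SAMPLE_EVENT = (b'{"request_id": "fill_request_991e90fa6b367cf72032", "timestamp": 1590800222,'
                b' "callback_type": "SHIPMENT", "status": "success", "details": {"status": "DELIVERED"}}')
```

In a deployment the expected Authorization value comes from a secret store rather than source code, and `pending` is the set of request IDs your system is still waiting on.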

Errors

Our API returns standard HTTP success or error status codes. For errors, we also include additional information about what went wrong, encoded in the response as JSON. The various HTTP status codes we might return are listed in our API reference.

Additionally, different API endpoints have specific errors and error codes. These are covered in detail throughout this guide and in our full API reference.

| Code | Meaning | Common cause |
|------|---------|--------------|
| 200 | OK | Request succeeded. |
| 201 | Created | Resource successfully created (patient, order, prescription). |
| 400 | Bad Request | Missing required fields or invalid parameter values. |
| 401 | Unauthorized | Invalid or missing API key. |
| 403 | Forbidden | Your credentials don't have permission to access this resource. |
| 404 | Not Found | The patient, order, or prescription token does not exist in your account. |
| 422 | Unprocessable Entity | Request was valid but failed business logic — for example, an invalid NPI or incomplete patient record. |
| 429 | Too Many Requests | Rate limit exceeded. Check the Retry-After header. |
| 500 | Internal Server Error | An unexpected error on our end. Retry with exponential backoff and include the request_id when contacting support. |

Errors API reference »
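Client-side handling of the response envelope and the 429/500 guidance in the table above, as an added example (not Empower's own code). The function names, the five-attempt limit and the 60-second cap are assumptions of this example, and only the delta-seconds form of Retry-After is parsed.

```python
import json

RETRYABLE = {429, 500}   # the two codes the error table says to retry
MAX_ATTEMPTS = 5         # assumption: give up after five tries

class EmpowerAPIError(Exception):
    """Failed call; keeps request_id so it can be quoted to support."""
    def __init__(self, code, message, request_id):
        super().__init__(f"{code} {message} (request_id={request_id})")
        self.code, self.message, self.request_id = code, message, request_id

def parse_envelope(http_status, body_text):
    """Return the envelope's 'data' on success, raise EmpowerAPIError otherwise."""
    try:
        env = json.loads(body_text)
    except ValueError:
        raise EmpowerAPIError(http_status, "response body is not JSON", None)
    if not isinstance(env, dict):
        raise EmpowerAPIError(http_status, "response body is not an envelope", None)
    request_id = (env.get("meta") or {}).get("request_id")
    # The HTTP status and the envelope must both report success.
    if 200 <= http_status < 300 and env.get("status") == "success":
        return env.get("data")
    raise EmpowerAPIError(http_status, env.get("error") or "unknown error", request_id)

def retry_delay(http_status, headers, attempt, base=1.0, cap=60.0):
    """Seconds to wait before retrying after try number `attempt` (1-based), or None to stop."""
    if http_status not in RETRYABLE or attempt >= MAX_ATTEMPTS:
        return None
    lowered = {k.lower(): v for k, v in (headers or {}).items()}
    if http_status == 429:
        value = lowered.get("retry-after", "").strip()
        if value.isdigit():              # delta-seconds form only
            return min(float(value), cap)
    # Exponential backoff: 1s, 2s, 4s, ... capped at `cap`.
    return min(base * 2 ** (attempt - 1), cap)
```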

Environments and testing

You can access two separate environments — sandbox and production — using the same base request URL. The environment is determined by which API key you use: your sandbox key routes requests to our test environment, and your production key routes them to live systems.

The only functional difference between the two environments is that the sandbox environment uses simulated data and includes test error events, which you can use to validate your end-to-end integration before going live. No real orders, prescriptions, or patient notifications are triggered in sandbox.

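| Environment | Activated by | Fulfillment | Notifications |
|-------------|--------------|-------------|---------------|
| Production | Production API key | ✓ Live | ✓ Live |
| Sandbox | Sandbox API key | Simulated | Simulated |

Ready to go live?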

Production credentials are issued once your BAA is on file and your integration has been reviewed by the Empower technical team. Contact your clinic liaison to begin the production access process.