GPID Boundary Contract
Phase 6 enforcement baseline — every API call crossing the Apex platform boundary must carry GPID context.
Status: Phase 6 enforcement · Last updated 2026-05-22
Required context headers
| Header | Meaning | Example |
|---|---|---|
| X-Apex-Actor-GPID | Company, partner app, service, organization, or user making the call | CMS-12345678 |
| X-Apex-Subject-GPID | Patient or athlete whose data is being accessed or changed | APX-1A2B3C4D |
| X-Apex-Source | Product/source label for provenance | cms, prime, tefca, lake, sightline |
Compatibility aliases
- X-Apex-Partner-GPID → X-Apex-Actor-GPID (legacy)
- X-Apex-GPID → X-Apex-Subject-GPID (legacy routes)
Enforcement rules
1. API-key authenticated routes must resolve an actor GPID from the authenticated key or request header.
2. If an actor GPID is present in both the API key metadata and request header, the values must match.
3. Patient/athlete data routes must validate subject GPID access before returning or mutating data.
4. Responses echo normalized GPID context with X-Apex-Actor-GPID and, where applicable, X-Apex-Subject-GPID.
5. Audit and provenance records include both actor/source GPID and subject GPID when available.
Valid GPID formats
Patient / athlete GPID
APX-XXXXXXXX: 8-character hex identifier
CMS partner GPID
CMS-XXXXXXXX: 8-digit numeric
Plexus actor ID
PLX-{TYPE}-{N}, e.g. PLX-ORG-00001, PLX-DOC-00001
API key binding
Actor GPID is resolved in this order:
1. api_key.partner_gpid: dedicated organizational actor GPID column
2. The creator user's GPID
Partner companies must receive an organizational GPID before API access is enabled.
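The enforcement rules and the API key binding order above can be checked together at the boundary. The sketch below is an added example, not Apex platform code, and the names `resolve_context`, `normalize_headers`, `gpid_kind` and `GPIDContextError` are hypothetical. It assumes that normalization means trimming and upper-casing GPID values, that a legacy alias disagreeing with its canonical header is rejected, that the creator user's GPID counts as key metadata for the match rule, and that a subject GPID must be in the APX format.

```python
import re

# Formats from "Valid GPID formats". Assumptions: hex is normalized to
# upper case, PLX TYPE is letters and N is digits of any length.
GPID_PATTERNS = {
    "subject": re.compile(r"APX-[0-9A-F]{8}"),
    "cms": re.compile(r"CMS-[0-9]{8}"),
    "plexus": re.compile(r"PLX-[A-Z]+-[0-9]+"),
}
# Legacy header -> canonical header ("Compatibility aliases").
ALIASES = {"x-apex-partner-gpid": "x-apex-actor-gpid",
           "x-apex-gpid": "x-apex-subject-gpid"}

class GPIDContextError(ValueError):
    """The request must be rejected at the boundary."""

def gpid_kind(value):
    for kind, pattern in GPID_PATTERNS.items():
        if pattern.fullmatch(value):
            return kind
    raise GPIDContextError(f"malformed GPID: {value!r}")

def normalize_headers(headers):
    """Lower-case names, fold aliases, reject alias/canonical disagreement."""
    ctx = {}
    for name, value in headers.items():
        key = ALIASES.get(name.lower(), name.lower())
        if not key.startswith("x-apex-"):
            continue
        value = value.strip().upper() if key.endswith("-gpid") else value.strip()
        if ctx.setdefault(key, value) != value:
            raise GPIDContextError(f"conflicting values for {key}")
    return ctx

def resolve_context(headers, partner_gpid=None, creator_gpid=None):
    """partner_gpid / creator_gpid stand in for the authenticated key's metadata."""
    ctx = normalize_headers(headers)
    key_actor = partner_gpid or creator_gpid  # binding order from the page
    header_actor = ctx.get("x-apex-actor-gpid")
    if key_actor and header_actor and key_actor != header_actor:
        raise GPIDContextError("actor GPID header does not match API key")  # rule 2
    actor = key_actor or header_actor
    if not actor:
        raise GPIDContextError("no actor GPID resolved")  # rule 1
    gpid_kind(actor)  # raises if the resolved actor is malformed
    subject = ctx.get("x-apex-subject-gpid")
    if subject is not None and gpid_kind(subject) != "subject":
        raise GPIDContextError("subject GPID must be a patient/athlete GPID")
    return {"actor": actor, "subject": subject, "source": ctx.get("x-apex-source")}
```

The returned dictionary is the normalized context a route would echo in its response headers and write to audit records; the subject access check in rule 3 still has to happen separately against the platform's own authorization data.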