Avni
Avni is an open-source field-data platform for health, livelihoods, and social-sector programs, designed to support frontline workers and program managers with offline-capable mobile data collection, longitudinal beneficiary tracking, and a web console for program design and analytics. The Avni external API exposes the core domain entities — subjects, program enrolments, encounters, program encounters, and tasks — for read and write integrations, enabling third-party systems to ingest beneficiary data, sync longitudinal records, and create tasks that drive frontline workflows.

Power end-to-end data operations for your Avni API with Nexla. Our bi-directional Avni connector is purpose-built for Avni, making it simple to ingest data, sync it across systems, and deliver it anywhere — all with no coding required. Nexla turns API-sourced data into ready-to-use, reusable data products and makes it easy to send data to Avni or any other destination. With comprehensive monitoring, lineage tracking, and access controls, Nexla keeps your Avni workflows fast, secure, and fully governed.
Features
Type: API
- Seamless API Integration: Connect to any endpoint as source or destination without coding, with automatic data product creation
- Visual Composition & Chaining: Build complex integrations using visual templates, chain API calls, and compose workflows with data validation and filtering
- API Proxy: Expose curated slices of your data securely with a secure and customizable API proxy that validates and transforms data on the fly
- Request optimization with intelligent batching, retry, and caching to minimize API calls and costs
Prerequisites
Avni's external API uses an OAuth 2.0 client-credentials (2-legged) flow against AWS Cognito (or Keycloak for on-premise deployments). The resulting JWT is sent to the Avni API on every request through the custom AUTH-TOKEN header (no Bearer prefix). Before creating a credential in Nexla, gather the following information from your Avni administrator or the Avni implementation team.
Identify Your Avni Deployment
Avni can be reached via the Avni-hosted SaaS environments or a self-hosted Avni server. The values you need depend on your deployment:
-
Base URL — The Avni server endpoint. For Avni-hosted environments this is typically
https://app.avniproject.org(production) orhttps://staging.avniproject.org(staging). Self-hosted deployments use the hostname configured for the Avni server. -
Access Token URL — The OAuth 2.0 token endpoint of the identity provider that issues Avni JWTs. For AWS Cognito-backed Avni deployments this is the Cognito user-pool token endpoint, in the form
https://<your-domain>.auth.<region>.amazoncognito.com/oauth2/token. For on-premise deployments backed by Keycloak, this is the Keycloak token endpoint in the formhttps://<keycloak-host>/auth/realms/<realm>/protocol/openid-connect/token. -
Client ID and Client Secret — The OAuth 2.0 app-client credentials configured in the identity provider for machine-to-machine access to Avni. These are issued by the Avni implementation team for self-hosted deployments, or by your Avni implementation partner for SaaS deployments.
Request API Access from Avni
The Avni public REST endpoints are intended for third-party integrations and are documented in the Avni API Guide. The internal endpoints used by the Avni mobile and web apps are not designed for integration and are not documented for external use — only the documented /api/* endpoints (subjects, enrolments, encounters, program encounters, tasks, datasets, segments, locations, notes) should be used.
-
Contact the Avni team or your implementation partner to confirm that the external API is enabled for your organization and to request an OAuth 2.0 app client for machine-to-machine integrations. Avni issues a dedicated client ID and client secret for each integration so access can be audited and rotated independently.
-
Provide the integration's purpose and the entities (subjects, enrolments, encounters, etc.) it needs to read or write so that appropriate permissions can be assigned. Avni's permission model is role-based — the user account associated with your OAuth app client must have access to the subject types, programs, and operations your integration requires.
-
Confirm with your Avni administrator which Avni server (production, staging, or self-hosted) the integration should target, and note the corresponding Base URL.
Retrieve OAuth 2.0 Credentials
Once Avni has provisioned an app client, retrieve the credential values:
-
Obtain the Client ID and Client Secret from your Avni administrator (for AWS Cognito-backed deployments) or from the Keycloak admin console (for on-premise deployments). Store both values in a secure secret manager — the Client Secret is treated as a password and should never be committed to source control.
-
Obtain the Access Token URL:
-
AWS Cognito-backed Avni: In the Cognito user pool, the token endpoint is shown under App integration > Domain as
https://<your-domain>.auth.<region>.amazoncognito.com/oauth2/token. Your Avni administrator can provide this value. -
Keycloak-backed Avni (on-premise): The token endpoint is exposed at
https://<keycloak-host>/auth/realms/<realm>/protocol/openid-connect/token. The realm name is typicallyavni. Your Avni administrator can provide the exact value.
-
-
Confirm the Base URL of the Avni server. The base URL must not include a trailing slash and must not include the
/apipath — Nexla appends the endpoint path automatically. For example, usehttps://app.avniproject.org, nothttps://app.avniproject.org/orhttps://app.avniproject.org/api.
For complete information about the Avni external API and its authentication model, see the Avni API Guide and the Avni external API Swagger specification.
The Client Secret grants programmatic access to your Avni organization's data. Store it in a secure secret manager, never commit it to source control, and rotate it immediately if you suspect it has been exposed. Coordinate rotation with your Avni administrator so the new secret can be provisioned in the identity provider.
Authenticate
Create a credential in Nexla
-
After selecting the data source/destination type, click the Add Credential tile to open the Add New Credential overlay.
-
Enter a name for the credential in the Credential Name field and a short, meaningful description in the Credential Description field.
Avni uses the OAuth 2.0 client-credentials (2-legged) flow. Nexla exchanges the Client ID and Client Secret for a JWT at the configured token URL, then sends the token to the Avni API on every request through the custom AUTH-TOKEN header.
-
Enter the OAuth 2.0 Client ID issued for your Avni integration in the Client ID field. This value is the public identifier of the app client configured in AWS Cognito or Keycloak for machine-to-machine access to Avni.
-
Enter the corresponding Client Secret in the Client Secret field. The client secret is treated as a password and is stored encrypted by Nexla.
-
Enter the OAuth 2.0 token endpoint in the Access Token URL field. This is the URL Nexla calls to exchange the client ID and client secret for a JWT.
-
AWS Cognito-backed Avni: Use the Cognito user-pool token endpoint, for example
https://<your-domain>.auth.<region>.amazoncognito.com/oauth2/token. -
Keycloak-backed Avni (on-premise): Use the Keycloak token endpoint, for example
https://<keycloak-host>/auth/realms/<realm>/protocol/openid-connect/token.
-
-
Enter the Avni server endpoint in the Base URL field. This is the root URL of the Avni server, without a trailing slash and without the
/apipath. For example, enterhttps://app.avniproject.orgfor the Avni production environment, or the hostname of your self-hosted Avni server.Nexla appends the endpoint path (for example,
/api/subjectsor/api/encounters) to the base URL automatically when calling Avni. Do not include any path segments in the Base URL field. -
Click the Save button at the bottom of the overlay to save the configured credential. Nexla automatically performs a test call against
GET /api/locations?size=1to verify that the OAuth flow succeeds and that the resulting JWT is accepted by the Avni server. The newly added credential will now appear in a tile on the Authenticate screen during data source/destination creation.
Use as a data source
To create a new data flow, navigate to the Integrate section, and click the New Data Flow button. Select the Avni connector tile, then select the credential that will be used to connect to the Avni instance, and click Next; or, create a new Avni credential for use in this flow.
Endpoint templates
Nexla provides pre-built templates that can be used to rapidly configure data sources to ingest data from common Avni endpoints. Select the endpoint from which this source will fetch data from the Endpoint pulldown menu. Click on an endpoint below to see more information about it and how to configure your data source for that endpoint.
Once the selected endpoint template has been configured, click the Test button to the right of the endpoint selection menu to retrieve a sample of the data that will be fetched. Sample data will be displayed in the Endpoint Test Result panel on the right, allowing you to verify that the source is configured correctly before saving.
Manual configuration
Avni data sources can also be manually configured to ingest data from any valid Avni external API endpoint, including endpoints not covered by the pre-built templates, custom query parameters, or chained API calls. Select the Advanced tab at the top of the configuration screen, and follow the instructions in Connect to Any API to configure the API method, endpoint URL, date/time and lookup macros, path to data, metadata, and request headers.
All Avni external API URLs are of the form <base_url>/api/<resource> — for example, https://app.avniproject.org/api/subjects or https://app.avniproject.org/api/programEncounters. Only the documented Avni external API endpoints (under /api/*) should be used. Set the path to data according to the endpoint: $.pageOfResources[*] for the paginated list endpoints (/api/subjects, /api/enrolments, /api/encounters, /api/programEncounters), $.content[*] for /api/tasks, $.data[*] for the datasets, segments, and notes list endpoints, $.items[*] for the dataset-items endpoint, and $ for single-resource endpoints. The AUTH-TOKEN header carrying the Avni JWT is added automatically based on your credential, so it does not need to be added manually. The lastModifiedDateTime query parameter on the list endpoints expects an ISO 8601 datetime and pairs well with a datetime macro for incremental syncs.
Once all of the relevant settings have been configured, click the Create button in the upper right corner of the screen to save and create the new Avni data source. Nexla will now begin ingesting data from the configured endpoint and will organize any data that it finds into one or more Nexsets.
Use as a destination
Click the + icon on the Nexset that will be sent to the Avni destination, and select the Send to Destination option from the menu. Select the Avni connector from the list of available destination connectors, then select the credential that will be used to connect to the Avni organization, and click Next; or, create a new Avni credential for use in this flow.
Endpoint templates
Nexla provides pre-built templates that can be used to rapidly configure destinations to send data to common Avni endpoints. Select the endpoint to which data will be sent from the Endpoint pulldown menu. Then, click on the template in the list below to expand it, and follow the instructions to configure additional endpoint settings.
Manual configuration
Avni destinations can also be manually configured to send data to any valid Avni external API endpoint. Select the Advanced tab at the top of the configuration screen, and follow the instructions in Connect to Any API to configure the API method, data format, endpoint URL, request headers, attribute exclusions, record batching, and response webhooks.
Avni's external write endpoints use POST with application/json content for idempotent create-or-update operations on subjects, enrolments, encounters, program encounters, and tasks. All URLs are of the form <base_url>/api/<resource>, and the UUID is included in the JSON body rather than the URL path. The AUTH-TOKEN header carrying the Avni JWT and the Content-Type: application/json header are added automatically. Because Avni expects one entity per request, the pre-built templates send each record in its own API call (batch.mode: false) — only enable record batching if you are calling a custom endpoint that accepts arrays of entities. Optionally enable the response webhook to capture the IDs and UUIDs Avni assigns on each call.
Avni's POST endpoints are idempotent and will create or modify production data. Use a non-production Avni environment (or a dedicated test organization) when sending test payloads, and verify the assigned UUIDs in the Avni web console before activating the destination.
Save & activate
Once all endpoint settings have been configured, click the Done button in the upper right corner of the screen to save and create the destination. To begin sending the Nexset data to Avni, open the destination resource menu, and select Activate.
The Nexset data will not be sent to Avni until the destination is activated. Destinations can be activated immediately or at a later time, providing full control over data movement.