
Guidelines for Integration of Co-WIN with Third-Party Applications Developed by Ecosystem Partners

1. Introduction

The Co-WIN platform for management of registration, appointment scheduling, managing vaccination and certification has been rolled out by the Ministry of Health and Family Welfare (MoHFW) and it is being used by all participating facilities in India's National Covid-19 Vaccination Programme. Private CVCs have been onboarded for the vaccination programme through the process laid down by the Ministry. Details of the process for onboarding CVCs are as per the guidance issued by the MoHFW for Co-WIN 2.0 as amended from time to time, and the same is available at www.mohfw.gov.in. The guidance note for Co-WIN 2.0 (letter dated 23/4/21) is available df

Since the launch, Co-WIN has published APIs for various functionalities. The intent is to enable various stakeholders such as States/UT Governments, Private Service Providers, Software Developers and any other agencies who wish to provide vaccination-related services to develop and roll out software solutions around and compatible with Co-WIN (collectively described as "Application Service Providers" (ASPs)) on behalf of State/UT Governments or other approved Vaccination Service Providers, to enhance the diversity and functionality complementing Co-WIN, and to offer better user experience and choice to people, including for improving access to COVID-19 vaccination.

While these ASPs can roll out software systems for all or some of the functionalities relating to registration, scheduling of appointments and management of vaccination and facilities, these systems will have to use the master database maintained as part of the Co-WIN platform, and any update (add/delete/modify) will have to be made on this master database. They can retain a copy of data relating to their customers, subject to the 'Terms of Service' provided as Annexure 2 of this document, to ensure that the citizen has a consistent view of his/her own record relating to registration, booking and vaccination irrespective of any third-party applications he/she may use. Thus, Co-WIN will be a single source of truth with respect to all vaccinations, providing unified visibility of the vaccination programme through the Co-WIN dashboard and enabling the government to drive policies based on aggregated data.

Further, it is required that the issuance of digitally signed vaccination certificates will also have to be through Co-WIN. This will enable citizens to access their certificates anywhere, anytime through the Co-WIN portal and multiple other third-party applications like Aarogya Setu, DigiLocker, Umang and others.

This document has been prepared in consultation with experts and various stakeholders and describes the guidelines on information exchange between Co-WIN and the various ASPs' software and the terms and conditions thereof. The Empowered Group on COVID Vaccinations shall continue to guide these efforts, and these guidelines may be suitably amended from time to time as more features are introduced in CoWIN and the APIs are updated/amended.

2. Scope of Co-WIN

The Co-WIN Platform offers the following functionalities. Co-WIN is deployed on a cloud account of the MoHFW and can be accessed across the country through the internet.
i. Registration and Scheduling Module: This module enables the one-time enrolment of a person into the system, as well as scheduling appointments for vaccination. This could be used for self-service access for registration and scheduling of appointments for vaccinations at a hospital or a CVC at a date and time of choice; or can be used for assisted service for facilitated cohorts of beneficiaries at the vaccination facilities for on-spot or walk-in registration. This module records the beneficiary registration and appointment details on the Co-WIN platform.

ii. Vaccination Facility Module: This module is used to register and manage the facilities for providing Covid Vaccination related services. This includes features such as minimum age setting, declaration of vaccines and prices offered to beneficiaries, and also the stock entries. This also includes a scheduling module for creation and publication of vaccination sessions with parameters such as online/on-spot slots rate and slots for 1st & 2nd doses and separate sessions for 45 & 45 age groups.

iii. Vaccination Module: This module is used by the vaccination facilities to manage the workflow at the facilities, including verification of beneficiary ID and recording of vaccination events for a beneficiary on the Co-WIN platform.

iv. Certificate Module: This module is used by the vaccination facilities to issue digitally verifiable vaccination certificates. After the vaccination is recorded in the Vaccination Module, it forwards the vaccination record with the fields required for the certificate, as per the specified standard. The certificate module stores these as an Immutable Vaccination Event Record (IVER) and generates digitally signed vaccination certificates. The vaccination certificates can be downloaded by the vaccinator to be printed and shared with the beneficiary, or can be accessed and downloaded by the beneficiary from the CoWIN portal or applications, or from other applications that are already integrated such as Aarogya Setu, DigiLocker or Umang, after authentication of the beneficiary through an OTP.

v. Reporting of Adverse Events: Co-WIN is integrated with the Government of India's SafeVac system for reporting of adverse events. If an adverse event is observed at the vaccination centre, vaccinators can report this in SafeVac by clicking on the AEFI button in Co-WIN, which will direct the vaccinator to the relevant SafeVac form.
3. Access to Co-WIN by third-party applications

MoHFW provides API-based access to Co-WIN for third-party software applications to provide a variety of value-added services directly to the beneficiary, or to enable empanelled COVID Vaccination Centres (CVC) to offer enhanced services to their users. These 3rd party applications can be either offered directly to citizens (B2C) or offered to private CVCs (B2B) for the following functionalities:

A. discover vaccination centres and related information
B. schedule appointments
C. manage vaccination workflow (in the case when such application is offered to CVCs)
D. generate/download certificates
E. report any adverse events after vaccination as per AEFI guidelines

Where the CVCs are managing vaccination workflow through their applications, they will need to have a mechanism to verify the identity of the person vaccinated in accordance with the laws, policies and guidelines of the Government of India, in order to ensure that an appropriate certificate is issued. The following ID documents specified by MoHFW can be used for this purpose:

i. Aadhaar
ii. Driving License
iii. PAN card
iv. Passport
v. Pension Passbook
vi. NPR Smart Card
vii. Voter ID

In the cases where Aadhaar is used, CVCs have to ensure that the guidelines prescribed under the Aadhaar Act are followed.

4. Type of Access to Co-WIN

Co-WIN API Services can be offered to ASPs who intend to provide or are providing COVID vaccination related services and are registered for operations in India. Using the service, the approved organizations can avail the whitelisted data elements from Co-WIN in real time. The ASPs can integrate the APIs with their applications to extend the quality and reach of their initiative.

The ASPs availing the APIs shall have to ensure adherence with the security practices notified by the Government of India for secure API communications, for managing keys and related ICT infrastructure and services at their end. The ASPs shall ensure that the API is not abused or misused, and that they duly abide by the Co-WIN privacy policy, the API Terms of Service (ToS) provided in the annexures, and other provisions of the Information Technology Act, 2000.

The types of access to Co-WIN are of two kinds:

i. Open Access through Public API: This will allow any third-party application to access certain unrestricted information that can be shared with its users (with or without value addition). This is limited only to read access in Co-WIN. As these third-party applications are given public APIs to access data from Co-WIN, the application providers will be responsible for the information displayed through their system. The extent of access will be limited, and any misuse impacting the performance
of the Co-WIN solution will result in blocking any such application and entities as per the policies of MoHFW and taking any other appropriate action in accordance with law.

ii. Access through Protected API: This allows approved third-party applications to access specified information from Co-WIN and update the Co-WIN database, where applicable, subject to such conditions and validations as may be prescribed or required.

An indicative list of APIs that are already published is provided in "Annexure 1" to this document.

5. Process for Access to Co-WIN

i. All entities (ASPs) wishing to integrate with Co-WIN using APIs, including for use of only the Public APIs, will have to first register as ASPs. For this purpose, these organizations can send a request to [email protected]. (Refer Annexure 3.)
ii. ASPs that wish to integrate with the Co-WIN APIs should nominate authorized system administrators along with their mobile numbers.
iii. For the use of Protected APIs, as part of the approval process, such authorised system administrators will then be authenticated before they are provided access credentials to use the Co-WIN APIs.
iv. ASPs that wish to integrate with only the Co-WIN public APIs shall be provided a simple online registration to get an API key. No separate approval shall be necessary for this.
v. All ASPs accessing Co-WIN shall comply with the security and data privacy safeguards published by Co-WIN, together with any validation, restrictions or other policies or terms of service that Co-WIN publishes.
vi. In order to access or use the Co-WIN protected APIs, all service providers of the third-party applications must agree to the "Terms of Service" as amended from time to time (refer Annexure 2) prescribed by the MoHFW. In case these third-party applications are used by a Private CVC, the Private CVC must also agree to be bound by the "Terms of Service" and submit a declaration to this effect.
vii. In case third-party applications are used by CVCs for accessing Co-WIN for extending services relating to vaccination like registration/scheduling/management of vaccination etc., the CVC shall be primarily responsible for compliance with all the guidelines issued by the MoHFW, including maintenance of historical records and supporting documents (where applicable) for audit purposes, and shall be liable for any actions relating to failure to comply.
viii. All third-party applications that wish to integrate with Co-WIN using Protected APIs should undertake a prescribed integration and testing process with the Co-WIN APIs. For this purpose, the authenticated ASP system administrators will be provided with access to a sandbox environment with staging-level API keys to test integration with the Co-WIN APIs that the ASP wishes to use in their operations. Only after a successful testing cycle is completed and demonstrated to a competent authority will the ASP system administrators be provided with production-level API keys for their Application. All API keys will be managed through Co-WIN's API console. (Refer "Registration and Setup Process for accessing COWIN APIs" in Annexure 3.)
ix. A sandbox testing facility will also be available for Public API integration. In this case testing may not be mandatory, except in cases where MoHFW deems it necessary to protect the performance of Co-WIN.
x. Prior to issuance of production-level API keys, the ASP shall have to give evidence to the CoWIN team that the CVC's system is secure from the perspective of data security and that such system indeed complies with the norms of use and retention of personal information of beneficiaries as prescribed in the Terms of Service (Annexure 2) in para 8.

6. Definitions

In these Guidelines, unless the context otherwise requires, the following terms shall have the meaning as described here:

Application Service Provider (ASP) means any 3rd party service provider considered for onboarding on the Co-WIN platform for the COVID-19 vaccination programme.
Terms of Service means the legal agreements between 3rd party service providers and CoWIN in order to use the offered service, as enclosed in Annexure 2 and as may be amended from time to time.
Registration and Scheduling Module means the module in the Co-WIN platform that enables registration and scheduling of appointments for vaccination by the eligible beneficiaries.
Vaccination Management Module means the module in the Co-WIN platform that manages workflow at the facility/vaccination centre.
Certificate Module means the module in the Co-WIN platform that issues digitally verifiable credentials for vaccination.
AEFI means Adverse Events Following Immunization, the possible minor and major untoward medical occurrences which follow immunization.
CVCs means Covid Vaccination Centres, healthcare facilities empanelled under Co-WIN and conducting vaccination.
Public API means an API that allows third-party applications to access certain unrestricted information that can be shared with its users (with or without value addition).
Protected API means an API that allows only approved third-party applications to access specified information from Co-WIN.
Ministry or MoHFW means Ministry of Health & Family Welfare.
Annexure 1

LIST OF Co-WIN APIs

This section summarizes the Co-WIN Public and Protected APIs that will be available for integration by third-party applications. For further details on the API specifications, v2

1. Public API
a. Fetch Inventory of vaccination slots API: To allow third-party Apps to access in real time the continuously updated list of available vaccination slots in Co-WIN. This will enable these apps to provide various options to the users like "look for available slots for vaccination / vaccines under multiple search criteria".
b. Fetch certificate API: To allow third-party Apps to access vaccination certificates of the users from Co-WIN, against a beneficiary reference id / registered mobile number. This will enable these apps to provide options to the users to download their vaccination certificates. In this case Co-WIN will respond with the requested certificate(s) only after OTP validation by Co-WIN using the registered mobile number.

2. Protected APIs
a. Beneficiary Registration APIs: To register a citizen for vaccination.
b. Appointment APIs: To schedule an appointment, to re-schedule an existing appointment, or to cancel an appointment.
c. Vaccination APIs: To record vaccination data for generation and download of the Vaccination Certificate and reporting of AEFI for a beneficiary.

This API list may be subsequently updated as new APIs are developed and published on www.apisetu.gov.in.
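The fetch-certificate API above only releases certificates after an OTP has been validated against the registered mobile number. The following is an added illustrative model of such an OTP gate, written for this page and not Co-WIN's own implementation: the OTP is stored only as a keyed hash, it expires, it is invalidated after a fixed number of wrong guesses, and it is single-use, so a captured or replayed code cannot release a certificate. The class and function names, the 300-second validity window, the three-attempt limit and the certificate table are all assumptions constructed for the example.

```python
"""Illustrative OTP-gated certificate retrieval (added example, not Co-WIN code)."""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed validity window for an issued one-time password
MAX_ATTEMPTS = 3        # assumed number of wrong guesses tolerated per issued OTP


class OtpGate:
    """Issues an OTP against a registered mobile number and verifies it once.

    Only an HMAC of the OTP is retained; the clear OTP exists just long enough
    to be handed to the SMS channel (here it is returned so the demo can run).
    """

    def __init__(self, server_secret: bytes, clock=time.time):
        self._secret = server_secret
        self._clock = clock          # injectable clock so expiry can be exercised offline
        self._pending = {}           # mobile -> {"digest", "expires", "attempts"}

    def _digest(self, mobile: str, otp: str) -> bytes:
        # Keyed hash: a leaked table of digests cannot be brute-forced offline
        # without the server secret, and the mobile number binds OTP to recipient.
        return hmac.new(self._secret, f"{mobile}:{otp}".encode(), hashlib.sha256).digest()

    def issue(self, mobile: str) -> str:
        otp = f"{secrets.randbelow(10**6):06d}"      # 6 digits from a CSPRNG
        self._pending[mobile] = {
            "digest": self._digest(mobile, otp),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return otp   # in a real deployment this goes out by SMS, never through the API

    def verify(self, mobile: str, otp: str) -> bool:
        entry = self._pending.get(mobile)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[mobile]   # expired: a fresh OTP must be requested
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[mobile]   # guess limit exceeded: invalidate outright
            return False
        if hmac.compare_digest(entry["digest"], self._digest(mobile, otp)):
            del self._pending[mobile]   # single use: a replay of the same code fails
            return True
        return False


# Constructed sample data: certificates keyed by the mobile number they are registered to.
CERTIFICATES = {
    "9000000001": ["CERT-EXAMPLE-0001"],
    "9000000002": ["CERT-EXAMPLE-0002", "CERT-EXAMPLE-0003"],
}


def fetch_certificates(gate: OtpGate, mobile: str, otp: str):
    """Return the certificates bound to `mobile` only after a valid OTP; None otherwise."""
    if not gate.verify(mobile, otp):
        return None
    return list(CERTIFICATES.get(mobile, []))


if __name__ == "__main__":
    gate = OtpGate(server_secret=b"demo-only-secret")
    code = gate.issue("9000000002")
    wrong = "000000" if code != "000000" else "111111"
    print(fetch_certificates(gate, "9000000002", wrong))   # wrong code: None
    print(fetch_certificates(gate, "9000000002", code))    # correct code: two certificates
    print(fetch_certificates(gate, "9000000002", code))    # replay: None
```

The constant-time comparison and the attempt counter matter together: without the counter a six-digit code falls to a million online guesses, and without `compare_digest` the comparison itself can leak timing. Binding the digest to the mobile number means an OTP issued for one number cannot be presented for another.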
Annexure 2

TERMS OF SERVICE

Every Application Service Provider (ASP) that wishes to utilize the CoWIN APIs shall have to submit an undertaking that the ASP agrees to the following Terms of Service:

1. Consent
Any application (API Client) developed by ASPs that uses Co-WIN APIs to access and collect data from Co-WIN should ensure that it cannot access and collect personal data except as provided in the guidance issued by the MoHFW. Wherever personal data is collected, consent management will have to be undertaken as per the extant policy/directions of the government issued in this regard, as may be applicable. If any user does not consent to sharing of their data through the Co-WIN APIs, then it must be ensured that such users have other viable and alternate mechanisms by which they can avail of Co-WIN related services through these applications.

2. Accessibility
Authorized third-party organizations should only access (or attempt to access) whitelisted data elements in the manner described in the API documentation lic/marketplace/api/cowin/cowin-protected-v2). If Co-WIN has assigned any developer credentials to the organisation, such credentials must only be used in relation to the applicable APIs. It must not misrepresent or obfuscate the identity of MoHFW or the identity of their organisation. These authorized organizations shall not share or disclose, intentionally or unintentionally, the API Keys or user details, or any information retrieved through the API, except as approved under this guideline.

3. Termination
MoHFW can terminate the use of the Co-WIN APIs at any time with or without giving any notice. The authorized organizations can also terminate the use of the APIs at any time by giving 30 days prior notice. However, in case of termination initiated by the authorized organizations, the access key will be deactivated 30 days from the date of the notice submitted to MoHFW.

MoHFW's Co-WIN team can terminate the API Terms of Service and discontinue the right to use the APIs and features thereof without cause and at any time, without liability or other obligation. Upon such termination the organisation will immediately stop using the API and, on the request of the Co-WIN team, delete any data collected using the API except the data that they are necessarily required to maintain for complying with existing laws.

Any non-compliance, submission of any false information, violation of the Co-WIN API Terms of Service or misuse of the service would result in appropriate legal action.

4. Support
The authorized organization can seek support from MoHFW's Co-WIN team for any technical queries related to the APIs. However, Co-WIN will not have any obligation to make any changes in the Co-WIN software or APIs to address the technical queries.
5. API Limitations
API requests will have predefined limited usage policies that may limit the number of users that can be served, including other limitations, as deemed appropriate by MoHFW. Authorized organisations shall not circumvent or attempt to circumvent these limitations, and appropriate action in accordance with law shall be taken in the instance of such circumvention or attempt to circumvent. If, for any reason, an exception is desired, written consent from MoHFW's Co-WIN team is required.

6. Purpose of Information collected via the APIs
Co-WIN recognizes the importance of the privacy of its end-users and also of maintaining the confidentiality of the information provided by its end-users (either directly or via third-party organizations), as a responsible data controller and data processor. Co-WIN will provide these API services (both "public" and "protected" APIs) so that authorized third-party organizations can leverage them and provide value-added services to citizens, other businesses and relevant customers. In providing these Services, Co-WIN will process the data that the authorized third-party organizations submit via the APIs and instruct Co-WIN to process on their behalf. This data will be subject to the data protection guidelines and applicable laws and policies established or issued by the Government of India. The type of information sought by Co-WIN via these APIs will be as per the details outlined in the "LIST OF Co-WIN APIs" section (refer to "Annexure 1"). Co-WIN will retain the information shared by the authorized third-party organizations on its servers for as long as is reasonably necessary for the purposes established by the Government of India in accordance with the applicable law and policies issued by the Ministry, primarily for COVID-19 vaccination. Where this information is no longer required, Co-WIN will ensure it is either securely deleted or stored in a way which means it will no longer be used by either itself or any of its authorized partners (third-party organizations availing the CoWIN APIs).

It is important that the third-party organizations have a clearly defined privacy policy of their own, in accordance with applicable law for the time being in force in India, so that it articulates the information collected from the end users (including personal data such as account creation data, usage information, data retention requirements and cookie information). Co-WIN processes the API data in accordance with the third-party organization's instructions, and it will be subject to Co-WIN's rules for data validation and completeness for further processing.

7. Re-Distribution
Authorized organizations shall not re-distribute any data that they are able to access through the API and shall ensure that integration of all such data shall compulsorily be limited to the specific services provided by Co-WIN. Under no circumstances shall an organisation use the data collected as part of the Covid Vaccination Programme of the Government for any purposes other than the purposes specified herein, and as may be permitted by the government.

8. Use and Retention of information
1. Prior to seeking a beneficiary's consent, authorized organizations must inform each of their beneficiaries in a clear, concise and accessible manner of the specific purpose for which the data would be used, the period of time for which it shall be retained and the manner in which it shall be deleted.
2. Once collected, the organization shall only use the data for the stated purpose in accordance with these guidelines and delete it on or before the expiry of the retention period or as defined in the API Terms of Service.
3. All API Clients shall be designed to only collect as much data as is strictly necessary to achieve the stated purpose and to delete such data as soon as possible after such purpose has been served.
4. For the avoidance of all doubt, no API Client shall be designed to use the data for a purpose unrelated to the management of COVID-19 Vaccination, nor shall the period for which the data is retained by the API Client exceed the data retention provisions set out by Co-WIN.
5. The CVCs can retain the patient data as required for complying with the existing applicable laws of data retention, as may be required. However, no ASP shall store the Aadhaar number or the details or any copy of the identity cards/documents being used by beneficiaries, either in physical or electronic form, under any circumstances. Such information will be stored only at CoWIN and will be provided to the ASP's systems through the CoWIN APIs for facilitating various functional needs such as recording of vaccination events and generation of certificates etc.
6. Whenever personal information needs to be published for the purposes of managing COVID-19 vaccinations, only the last 4 digits of the Aadhaar number/Identity document may be printed.
7. The authorized organizations shall ensure that they will generate and maintain auditable logs of the Co-WIN data collected and processed by the API Client, including details and records of the storage, access and sharing of any such data, and shall, on demand, make such logs available to the Co-WIN team.
8. The authorized organization shall not use the APIs and the data available through the APIs to engineer any products that lead to any automation of the data input processes, especially those where the data is to be entered by the citizen/beneficiary. Provision of the API keys must not be construed as concurrence of the Ministry for any such misuse of the system, the APIs and the data accessed or made available through the APIs.
9. The CoWIN APIs or the data accessed through the APIs shall not be commercially exploited.

9. Data Security
1. The authorized organizations shall use all reasonable efforts to protect the user data collected by the API Client from unauthorized access or use, and take all measures as may be required by any applicable law in relation to security of personal data, and will promptly report to MoHFW's Co-WIN team and the users about any unauthorized access or use of such information to the extent required by law.
2. To the extent possible, the API client should follow anonymisation principles, where applicable. All API communication should be done in a secure manner, using transport layer encryption.
3. The API Keys should not be exposed in plain text.
4. The API Keys allotted to one organization should not be shared with anyone else except as may be allowed by the Ministry.
5. In case of any compromise of the API Key, the same should be immediately reported to the Co-WIN team.
6. The data collected through the APIs shall be stored within India only.

10. Compliance with Law, Third Party Rights, and Other Terms of Service
The authorized organizations will comply with all applicable laws, regulations, policies and third-party rights (including without limitation any laws regarding the import or export of data or software, privacy, and local laws) established by the Government of India. These organizations will not use the APIs to encourage or promote illegal activity or violation of third-party rights, including these "Terms of Service" with Co-WIN.

11. Correctness of Data provided by third party systems
The ASPs updating data in Co-WIN shall be solely responsible for the correctness of such data, and any liability arising out of any data so provided shall completely rest with such third party. Any liabilities, civil or criminal, arising out of any incorrect data shall solely lie with the concerned ASP.

12. Prohibitions and Confidentiality
When using the Co-WIN APIs, the authorized third-party organizations shall ensure that neither they nor those acting on behalf of the organizations perform the following actions:
1. Sublicense/subcontracting of the APIs: the authorized organizations will not create an API Client that functions substantially the same as the Co-WIN APIs and offer it for use by third parties.
2. Perform an action with the intent of introducing any viruses, worms, defects, Trojan horses, malware, or any items of a destructive nature to Co-WIN services.
3. Interfere with or disrupt the APIs or the servers or networks providing the APIs.
4. Promote or facilitate unlawful online gambling or disruptive commercial messages or advertisements.
5. Reverse engineer or attempt to extract the source code from any API or any related software.
6. Use the APIs to process or store any data in contravention of the IT Act, or any applicable policies or guidelines issued by the Government of India.

13. Use of Government logo
The Government logo may only be used after a separate explicit approval has been obtained from the Ministry in this regard.

14. Display of approval
Any ASP application will have to prominently display on the application's citizen-facing interface that it is "Approved by CoWIN", so as to distinguish it from applications that are not approved.
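Three of the obligations in the Terms of Service above are things an ASP's API client has to implement in code rather than in policy: printing no more than the last 4 digits of an identity document number (para 8.6), keeping an auditable record of the storage, access and sharing of Co-WIN data (para 8.7), and keeping the API key out of plain text in source, configuration and logs (paras 9.3 and 9.4). The block below is an added example written for this page, not Co-WIN's or any ASP's code. The function and class names, the environment variable COWIN_API_KEY, the audit-log fields, the beneficiary reference id and the sample identity numbers are all assumptions constructed for the example; the masking rule is the only thing taken from the text.

```python
"""Added example: ASP-side masking, audit logging and API-key handling."""
import json
import os
import time


def mask_identity_number(value: str) -> str:
    """Keep only the last 4 characters of an identity document number.

    Separators (spaces, hyphens) are dropped first so the rule applies to the
    characters themselves, not to the formatting. A value too short to mask
    safely is hidden entirely.
    """
    compact = "".join(ch for ch in value if ch.isalnum())
    if len(compact) <= 4:
        return "X" * len(compact)
    return "X" * (len(compact) - 4) + compact[-4:]


class AuditLog:
    """Append-only record of what Co-WIN data the API client touched.

    Entries are correlated by the beneficiary reference id (an assumed Co-WIN
    identifier, not an identity document), so the identity number itself only
    ever appears in its masked form. The clock is injectable for offline tests.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self.entries = []

    def record(self, actor: str, action: str, purpose: str,
               beneficiary_ref: str, id_number: str, fields: list) -> dict:
        entry = {
            "ts": int(self._clock()),
            "actor": actor,                    # operator or service account
            "action": action,                  # "store", "access", "share" or "delete"
            "purpose": purpose,                # the stated purpose the data serves
            "beneficiary_ref": beneficiary_ref,
            "id_masked": mask_identity_number(id_number),
            "fields": sorted(fields),          # which data elements were involved
        }
        self.entries.append(entry)
        return entry

    def export(self) -> str:
        """Serialise as JSON lines for handing over to the Co-WIN team on demand."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def load_api_key(env_var: str = "COWIN_API_KEY", environ=None) -> str:
    """Read the API key from the process environment rather than from source
    or a plain-text config file; refuse to start without it."""
    env = os.environ if environ is None else environ
    key = env.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; refusing to start without an API key")
    return key


def redact_for_log(headers: dict) -> dict:
    """Copy of outgoing request headers that is safe to write to a log:
    authorization material is replaced, everything else is kept."""
    secret_headers = {"authorization", "x-api-key"}
    return {k: ("<redacted>" if k.lower() in secret_headers else v)
            for k, v in headers.items()}


if __name__ == "__main__":
    log = AuditLog()
    # Constructed sample values; the identity number below is not a real one.
    log.record("vaccinator-01", "access", "record vaccination event",
               "BENEF-REF-EXAMPLE", "1234 5678 9012", ["name", "dose"])
    print(log.export())
    print(redact_for_log({"X-Api-Key": load_api_key(environ={"COWIN_API_KEY": "demo"}),
                          "Accept": "application/json"}))
```

Masking is applied at the point the entry is created rather than when the log is read, so the unmasked number is never written to disk and a copy of the log file handed to an auditor reveals no more than the printed certificate would.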
Annexure 3

REGISTRATION AND SETUP PROCESS FOR ACCESSING CO-WIN PROTECTED APIS

In order to avail the Co-WIN protected API Services, please read the Terms of Service (referred to above, in "Annexure 2") and ensure adherence to these terms. The following steps will have to be undertaken by interested third-party organizations to avail access to the Co-WIN protected APIs.

Step 1: As part of the registration process, interested third-party organizations need to send their details (about their organization), for use of both the Public and Protected APIs, to: [email protected]. The following details should be mentioned through an official email id, by the authorised signatory of the Organization.

Name of the Organization
Type of Organization: Government/Private
Registration Number of Organization (DIN) (Not applicable in case of Government)
Details of the authorised Person Registering on behalf of the Organization
  o Name:
  o Designation:
  o Mobile Number:
  o Phone Number:
  o Email Address:
Postal address of the Organisation:
  o House No./Building No./Street Name
  o City/Village
  o District
  o State
  o Pincode
Purpose(s) for which the Organization will be using Co-WIN API:
Tentative number of Employees/Users/Customers that would be catered
Expected API Requests per day
E-Mail ID used for Co-WIN API access
Official Website of the Organization
Link to the page in Organization's website where Terms of Service and Privacy Policy are mentioned

Step 2: The authorized persons of the applicant organization will have to submit a declaration to the effect that: "I (Name of the authorized person), hereby declare, on behalf of the (Name of Organization) that the information mentioned above is factually correct and that the Organization undertakes to abide by all the terms and conditions of the Terms of Service, as specified in Annexure 2 of the 'Guidelines for Integration of Co-WIN with Third-Party Applications Developed by Ecosystem Partners'."

Please note that it is mandatory to send the details and the declaration mentioned above to [email protected]; without these details the registration request shall not be processed. A declaration to the effect that the applicant organisation agrees to the Terms of Service as specified in Annexure 2 shall also have to be submitted.

Step 3: After a successful registration, a developer account will be created for the third-party organization. The developer account provides a staging-level API Key for accessing Co-WIN APIs, a sandbox for testing Co-WIN APIs, as well as API usage metrics. The third-party organization must demonstrate a successful 'test' for the intended use, using the Co-WIN APIs, to the designated Co-WIN officials.

Step 4: After the successful 'test' of the Co-WIN APIs, a production-level API Key would be issued, but it won't be linked to any of the APIs. To activate it for a particular API, navigate to the desired API and "subscribe". The API Key is now subscribed to the API and can be accessed for production operations.