These functions are not essential to calling the REDCap API, but instead are functions that help manage tokens securely.

  check_url            = TRUE,
  check_username       = FALSE,
  check_token_pattern  = TRUE,
  username             = NA_character_

  channel    = NULL




The file path to the CSV containing the credentials. Required.


The ID assigned to the project withing REDCap. This allows the user to store tokens to multiple REDCap projects in one file. Required


A logical value indicates if the url in the credential file should be checked to have approximately the correct form. Defaults to TRUE. retrieve_credential_local().


A logical value indicates if the username in the credential file should be checked against the username returned by R. Defaults to FALSE.


A logical value indicates if the token in the credential file is a 32-character hexadecimal string. Defaults to FALSE.


A character value used to retrieve a credential. See the Notes below. Optional.


The casual name associated with the REDCap instance on campus. This allows one credential system to accommodate multiple instances on campus. Required


A DSN on the local machine that points to the desired MSSQL database. Required.


An optional connection handle as returned by DBI::dbConnect(). See Details below. Optional.


A list of the following elements are returned from retrieve_credential_local() and retrieve_credential_mssql():

  • redcap_uri: The URI of the REDCap Server.

  • username: Username.

  • project_id: The ID assigned to the project within REDCap.

  • token: The token to pass to the REDCap server

  • comment: An optional string that is ignored by REDCapR but can be helpful for humans.


If the database elements are created with the script provided in package's 'Security Database' vignette, the default values will work.

The create_credential_local() function copies a static file to the location specified in the path_credential argument. Each record represents one accessible project per user. Follow these steps to adapt to your desired REDCap project(s):

  1. Modify the credential file for the REDCap API with a text editor like Notepad++, Visual Studio Code, or nano. Replace existing records with the information from your projects. Delete the remaining example records.

  2. Make sure that the file (with the sensitive password-like) tokens is stored securely!

  3. Contact your REDCap admin to request the URI & token and discuss institutional policies.

  4. Ask your institution's IT security team for their recommendation

  5. For more info, see and

  6. Double-check the file is secured and not accessible by other users.


Storing credentials on a server is preferred

Although we strongly encourage storing all the tokens on a central server (e.g., see the retrieve_credential_mssql() function and the "SecurityDatabase" vignette), there are times when this approach is not feasible and the token must be stored locally. Please contact us if your institution is using something other than SQL Server, and would like help adapting this approach to your infrastructure.

Stored credentials locally

When storing credentials locally, typically the credential file should be dedicated to just one user. Occasionally it makes sense to store tokens for multiple users --usually it's for the purpose of testing.

The username field is connected only in the local credential file. It does not need to be the same as the official username in REDCap.


Will Beasley


# ---- Local File Example ---------------------------- path <- system.file("misc/example.credentials", package = "REDCapR") (p1 <- REDCapR::retrieve_credential_local(path, 153L))
#> $redcap_uri #> [1] "" #> #> $username #> [1] "myusername" #> #> $project_id #> [1] 153 #> #> $token #> [1] "9A81268476645C4E5F03428B8AC3AA7B" #> #> $comment #> [1] "simple static (read-only) test project" #>
(p2 <- REDCapR::retrieve_credential_local(path, 212L))
#> $redcap_uri #> [1] "" #> #> $username #> [1] "myusername" #> #> $project_id #> [1] 212 #> #> $token #> [1] "0434F0E9CF53ED0587847AB6E51DE762" #> #> $comment #> [1] "longitudinal (read-only) ARM test project" #>
if (FALSE) { # Create a skeleton of the local credential file to modify path_demo <- base::tempfile(pattern = "temp", fileext = ".credentials") create_credential_local(path_demo) base::unlink(path_demo) # This is just a demo; don't delete the real file! }