Developer Documentation

Public Preview

The Gencove Consumer API and the MCP server are both in public preview. Endpoints, tools, and response formats may change before the stable release. We welcome your feedback.

Introduction

The Gencove Consumer API provides programmatic access to your genomics data. You can use it to retrieve your profile information, list your kits, view PRS trait scores, ancestry composition, and download raw data files.

The API is organized around REST principles. All responses are returned in JSON format. All endpoints are read-only and use GET requests.

Base URL

https://consumer.gencove.com/api/v1/

Quickstart

Pick the flow that fits what you’re building. Both are five-minute “hello world” paths.

1

Create an API key

Go to API Keys in your account settings and create a new key. Copy it somewhere safe — you won't be able to see it again.

2

Make your first request

Use your API key to fetch your profile:

curl https://consumer.gencove.com/api/v1/profile/ \
  -H "Authorization: Api-Key YOUR_API_KEY"

import requests
response = requests.get(
    "https://consumer.gencove.com/api/v1/profile/",
    headers={"Authorization": "Api-Key YOUR_API_KEY"}
)
print(response.json())

const response = await fetch(
  "https://consumer.gencove.com/api/v1/profile/",
  {
    headers: { "Authorization": "Api-Key YOUR_API_KEY" }
  }
);
const data = await response.json();
console.log(data);

3

Explore the response

You'll get back a JSON object with your profile information:

{
  "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "email": "user@example.com",
  "name": "Jane Doe",
  "date_joined": "2025-01-15T10:30:00Z",
  "marketing_emails_opt_in": true
}

Next: browse all endpoints or try the live API explorer.

1

Create an API key

Go to API Keys in your account settings and create a new key — the MCP server authenticates with the same key as the REST API.

2

Register the Gencove MCP server

Add the server to your AI tool. Pick your client — full per-client instructions live in the MCP section.

claude mcp add --transport http gencove \
  https://consumer.gencove.com/mcp/ \
  --header "Authorization: Api-Key YOUR_API_KEY"

Add to ~/.codex/config.toml:

[mcp_servers.gencove]
url = "https://consumer.gencove.com/mcp/"
http_headers = { Authorization = "Api-Key YOUR_API_KEY" }

In Settings → MCP, add a new global server:

{
  "mcpServers": {
    "gencove": {
      "url": "https://consumer.gencove.com/mcp/",
      "headers": {
        "Authorization": "Api-Key YOUR_API_KEY"
      }
    }
  }
}

3

Ask your first question

Restart your AI tool, then try prompts like:

“What’s the status of my Gencove kits?”
“Show my ancestry breakdown.”
“Which of my PRS scores are in the high-risk category?”

The model will call Gencove tools under the hood and answer using your real data. See the full capabilities table for everything that’s exposed.

Authentication

The Gencove Consumer API uses API keys for authentication. Include your key in the Authorization header of every request.

Header format

Authorization: Api-Key YOUR_API_KEY

Getting an API key

Log in to your Gencove account.
Navigate to Account → API Keys.
Click Create API Key and give it a descriptive name.
Copy the key immediately — it is only shown once.

Key permissions

Each API key grants full read access to all API endpoints for the account that created it. There are no per-endpoint scopes — any valid key can access any endpoint listed in this documentation.

Unauthenticated request

If you omit the API key or provide an invalid one, the API returns a 401 response:

HTTP 401 Unauthorized

{
  "detail": "Authentication credentials were not provided."
}

Quick reference

Base URL

https://consumer.gencove.com/api/v1/

Header

Authorization: Api-Key YOUR_API_KEY

OAuth 2.0 for partner integrations

This page is for developers building a product that needs to read a Gencove customer's genomics data on the customer's behalf — for example, a partner health company whose users have Gencove accounts and want their kit status, PRS scores, ancestry, or raw download URLs surfaced inside your app.

You should not use OAuth if you just want to read your own data programmatically — personal API keys are simpler and grant full read access to your own account. OAuth exists specifically so that Gencove users can grant scoped access to a third party without handing over a full-power API key.

The protocol is the standard OAuth 2.0 Authorization Code flow with mandatory PKCE (RFC 7636). Both the REST API at /api/v1/ and the MCP server at /mcp/ accept OAuth bearer tokens.

The handshake at a glance

Three parties are involved: your app (the OAuth client), the Gencove user (the resource owner), and Gencove itself (the authorization server). PKCE ties the initial redirect to the final token exchange so an intercepted authorization code is useless to an attacker.

sequenceDiagram autonumber participant App as Consumer App participant User participant Gencove App->>App: Generate PKCE verifier + challenge App->>User: Redirect to /oauth/authorize (client_id, scope, challenge) User->>Gencove: Log in, review scopes, consent Gencove-->>App: Redirect back with authorization code App->>Gencove: POST /oauth/token (code + PKCE verifier + client_secret) Gencove-->>App: access_token + refresh_token App->>Gencove: GET /api/v1/... (Authorization: Bearer access_token) Gencove-->>App: User's genomics data (scoped)

Getting started

Five one-time setup steps before you can make your first OAuth call:

Create a Gencove consumer account. Your app is registered under a Gencove user — typically a team email you control. Sign up at https://consumer.gencove.com/user/register/.
Enable two-factor authentication. Gencove requires 2FA before you can register or rotate OAuth credentials. Visit Two-Factor Auth.
Register your application. Go to Developer Integrations → Register application. Provide a descriptive name (end-users see it on the consent screen), one or more redirect URIs (where Gencove sends the auth code back — https:// in production, loopback http://localhost:… accepted in dev), and the scopes you'll request.
Copy your credentials. On save you'll see client_id and client_secret once. Put them in your secret manager; the secret is hashed server-side and cannot be retrieved. If you lose it, use Rotate secret to generate a new one.
(Before launch) Request verification. New apps start as Unverified and users see a warning on the consent screen. Unverified is fine for private / sandbox development. Once you're going live to your customers, email support@gencove.com with your client_id and a brief description of your integration.

Using a third-party OAuth library

Most teams should reach for a vetted OAuth 2.0 client library rather than reimplementing the flow. Gencove's OAuth server is spec-compliant, so any library that supports Authorization Code + PKCE (S256) and refresh-token rotation will work. The library handles PKCE generation, code exchange, refresh rotation, and sets the Authorization: Bearer header for you — replace only YOUR_CLIENT_ID, YOUR_CLIENT_SECRET, and the redirect URI below.

Authlib with requests:

# pip install "authlib" "requests"
from authlib.integrations.requests_client import OAuth2Session

AUTHORIZE_URL = "https://consumer.gencove.com/oauth/authorize/"
TOKEN_URL     = "https://consumer.gencove.com/oauth/token/"

session = OAuth2Session(
    client_id="YOUR_CLIENT_ID",
    client_secret="YOUR_CLIENT_SECRET",
    scope="profile:read kits:read prs:read",
    redirect_uri="https://your-app.example.com/callback",
    code_challenge_method="S256",
)

# 1. Redirect the user to `url`. Persist `state` and
#    `session.code_verifier` for the callback.
url, state = session.create_authorization_url(AUTHORIZE_URL)

# 2. In your /callback handler:
token = session.fetch_token(
    TOKEN_URL,
    authorization_response=full_callback_url,  # e.g. str(request.url)
    code_verifier=stored_code_verifier,
)

# 3. Call the API — the session adds the Bearer header for you.
profile = session.get(
    "https://consumer.gencove.com/api/v1/profile/"
).json()

# 4. Refresh when needed (single-use rotation: store the new refresh_token).
token = session.refresh_token(TOKEN_URL, refresh_token=token["refresh_token"])

openid-client (v5, discovery-based):

// npm install openid-client
import { Issuer, generators } from "openid-client";

const issuer = await Issuer.discover(
  "https://consumer.gencove.com/.well-known/oauth-authorization-server"
);
const client = new issuer.Client({
  client_id: "YOUR_CLIENT_ID",
  client_secret: "YOUR_CLIENT_SECRET",
  redirect_uris: ["https://your-app.example.com/callback"],
  response_types: ["code"],
});

// 1. Redirect the user to `url`. Persist `code_verifier` and `state`.
const code_verifier = generators.codeVerifier();
const code_challenge = generators.codeChallenge(code_verifier);
const state = generators.state();
const url = client.authorizationUrl({
  scope: "profile:read kits:read prs:read",
  code_challenge,
  code_challenge_method: "S256",
  state,
});

// 2. In your /callback handler:
const params = client.callbackParams(req);
const tokenSet = await client.callback(
  "https://your-app.example.com/callback",
  params,
  { code_verifier, state }
);

// 3. Call the API.
const res = await fetch(
  "https://consumer.gencove.com/api/v1/profile/",
  { headers: { Authorization: `Bearer ${tokenSet.access_token}` } }
);
const profile = await res.json();

// 4. Refresh when needed.
const refreshed = await client.refresh(tokenSet.refresh_token);

league/oauth2-client via GenericProvider (PKCE supported since v2.6):

<?php
// composer require league/oauth2-client
use League\OAuth2\Client\Provider\GenericProvider;

$provider = new GenericProvider([
    'clientId'                => 'YOUR_CLIENT_ID',
    'clientSecret'            => 'YOUR_CLIENT_SECRET',
    'redirectUri'             => 'https://your-app.example.com/callback',
    'urlAuthorize'            => 'https://consumer.gencove.com/oauth/authorize/',
    'urlAccessToken'          => 'https://consumer.gencove.com/oauth/token/',
    'urlResourceOwnerDetails' => 'https://consumer.gencove.com/api/v1/profile/',
    'scopes'                  => ['profile:read', 'kits:read', 'prs:read'],
    'scopeSeparator'          => ' ', // RFC 6749 requires space; library defaults to ','
    'pkceMethod'              => GenericProvider::PKCE_METHOD_S256,
]);

// 1. Redirect the user. Persist state + PKCE code in the session.
$url = $provider->getAuthorizationUrl();
$_SESSION['oauth2state']    = $provider->getState();
$_SESSION['oauth2pkceCode'] = $provider->getPkceCode();

// 2. In your /callback handler:
$provider->setPkceCode($_SESSION['oauth2pkceCode']);
$token = $provider->getAccessToken('authorization_code', [
    'code' => $_GET['code'],
]);

// 3. Call the API — getParsedResponse signs the Bearer header.
$request = $provider->getAuthenticatedRequest(
    'GET',
    'https://consumer.gencove.com/api/v1/profile/',
    $token
);
$profile = $provider->getParsedResponse($request);

// 4. Refresh when needed.
$token = $provider->getAccessToken('refresh_token', [
    'refresh_token' => $token->getRefreshToken(),
]);

golang.org/x/oauth2 (PKCE helpers added in Go 1.23+ / x/oauth2 v0.22):

// go get golang.org/x/oauth2
import (
    "context"
    "net/http"

    "golang.org/x/oauth2"
)

var conf = &oauth2.Config{
    ClientID:     "YOUR_CLIENT_ID",
    ClientSecret: "YOUR_CLIENT_SECRET",
    RedirectURL:  "https://your-app.example.com/callback",
    Scopes:       []string{"profile:read", "kits:read", "prs:read"},
    Endpoint: oauth2.Endpoint{
        AuthURL:  "https://consumer.gencove.com/oauth/authorize/",
        TokenURL: "https://consumer.gencove.com/oauth/token/",
    },
}

// 1. Redirect the user. Persist `verifier` + `state`.
verifier := oauth2.GenerateVerifier()
url := conf.AuthCodeURL(
    "state-token",
    oauth2.AccessTypeOffline,
    oauth2.S256ChallengeOption(verifier),
)

// 2. In your /callback handler:
token, err := conf.Exchange(
    ctx,
    r.URL.Query().Get("code"),
    oauth2.VerifierOption(storedVerifier),
)

// 3. Call the API. conf.Client auto-refreshes on expiry.
client := conf.Client(ctx, token)
resp, _ := client.Get("https://consumer.gencove.com/api/v1/profile/")

If your stack has no mature OAuth client (or you want to see what the library is doing), the raw-HTTP walkthrough below is the authoritative reference and covers every protocol detail.

The integration flow

For every customer of your product who wants to connect their Gencove account, you repeat this six-step dance:

Generate a random code_verifier (43–128 URL-safe chars) and derive a SHA-256 code_challenge. Store the verifier server-side, keyed by a state value you also generate — you need the verifier again in step 4.
Redirect the user's browser to /oauth/authorize/ with the query parameters below.
Gencove asks the user to log in (if they aren't already) and shows a consent screen listing the scopes you requested. When they click Allow, Gencove redirects their browser back to your redirect_uri with ?code=…&state=…. Verify the state matches what you generated before trusting the code.
Your server POSTs to /oauth/token/ exchanging the code + PKCE verifier for tokens.
Gencove returns access_token (1 hour) and refresh_token (30 days). Store them against this user's record.
Call /api/v1/… or POST /mcp/ with Authorization: Bearer <access_token>. When the access token expires, use the refresh token to get a new pair.

Step 1 — generate PKCE

// Python (server-side)
import hashlib, secrets, base64

code_verifier = secrets.token_urlsafe(64)
challenge = base64.urlsafe_b64encode(
    hashlib.sha256(code_verifier.encode()).digest()
).rstrip(b"=").decode()

state = secrets.token_urlsafe(32)
# store {state: {code_verifier, user_id, …}} in your session cache

Step 2 — redirect to the authorize URL

Build a URL from these parameters and 302 the user's browser to it:

response_type	`code` (fixed)
client_id	From your Developer Integrations page.
redirect_uri	Must exactly match one of the URIs you registered (including trailing slash).
scope	Space-separated, from your allowed-scopes list. Users can grant a subset but never more.
state	Opaque value echoed back in the callback — protects against CSRF.
code_challenge	S256 challenge from step 1.
code_challenge_method	`S256` (only supported method).

https://consumer.gencove.com/oauth/authorize/
  ?response_type=code
  &client_id=YOUR_CLIENT_ID
  &redirect_uri=https%3A%2F%2Fyour-app.com%2Fgencove%2Fcallback
  &scope=profile%3Aread%20kits%3Aread%20prs%3Aread
  &state=OPAQUE_ANTI_CSRF_TOKEN
  &code_challenge=XYZ…
&code_challenge_method=S256

Step 3 — handle the callback

Gencove redirects the user back to your redirect_uri with ?code=…&state=…. On your server, first look up the state in the session cache you populated in step 1 — if it's missing or doesn't match, abort (this protects against CSRF and replay). Then recover the code_verifier stored against that state for step 4.

# Django / Flask / etc. callback handler
def gencove_callback(request):
    incoming_state = request.GET["state"]
    cached = session_cache.pop(incoming_state)  # raises if unknown / expired
    code = request.GET["code"]
    code_verifier = cached["code_verifier"]
    # … proceed to step 4 with `code` + `code_verifier`

Step 4 — exchange code for tokens

curl -X POST https://consumer.gencove.com/oauth/token/ \
  -u YOUR_CLIENT_ID:YOUR_CLIENT_SECRET \
  -d grant_type=authorization_code \
  -d code=CODE_FROM_CALLBACK \
  -d redirect_uri=https://your-app.com/gencove/callback \
  -d code_verifier=CODE_VERIFIER_FROM_STEP_1

Step 5 — store the tokens

The token endpoint returns JSON:

{
    "access_token":  "…",
    "refresh_token": "…",
    "token_type":    "Bearer",
    "expires_in":    3600,
    "scope":         "profile:read kits:read prs:read"
}

Save both tokens against this user's record in your DB, along with the scope actually granted (users can downgrade at the consent screen) and the expiry derived from expires_in. Encrypt refresh tokens at rest — the single-use / rotation rule under Refreshing access makes them a theft target.

Step 6 — call the API

curl https://consumer.gencove.com/api/v1/profile/ \
-H "Authorization: Bearer ACCESS_TOKEN"

Refreshing access

Before expires_in runs out (or on the next 401), swap the refresh token for a new pair:

curl -X POST https://consumer.gencove.com/oauth/token/ \
  -u YOUR_CLIENT_ID:YOUR_CLIENT_SECRET \
  -d grant_type=refresh_token \
  -d refresh_token=OLD_REFRESH_TOKEN

Important: Refresh tokens are single-use and rotated. Every successful refresh returns a new refresh token — store it and discard the old. If you ever present the same refresh token twice, Gencove treats the second use as a token-theft signal and revokes the entire token family for that user. Protect refresh-token storage accordingly.

Scopes

Request the minimum scope set your features need. Users can grant a subset at the consent screen; requests for scopes your app did not register (in Developer Integrations) are rejected outright.

profile:read	Basic profile information (email, name, date joined).
kits:read	List the user's kits and read their processing status.
prs:read	Polygenic Risk Scores (interpreted health data).
ancestry:read	Ancestry composition results.
files:read	Raw genomic data download URLs (VCF).

Connecting MCP clients (Claude, Cursor, ChatGPT)

MCP clients that support OAuth use dynamic discovery. Point your MCP client at https://consumer.gencove.com/mcp/. The client will receive a 401 with WWW-Authenticate: Bearer … resource_metadata=…, follow the URL to /.well-known/oauth-protected-resource, then to /.well-known/oauth-authorization-server, and walk the user through the same consent flow described above. You still need to register an application in Developer Integrations — the MCP client doesn't do that for you.

Endpoint reference

Authorization	`https://consumer.gencove.com/oauth/authorize/`
Token	`https://consumer.gencove.com/oauth/token/`
Token revocation	`https://consumer.gencove.com/oauth/revoke_token/`
Token introspection	`https://consumer.gencove.com/oauth/introspect/`
Authorization server metadata	`https://consumer.gencove.com/.well-known/oauth-authorization-server`
Protected resource metadata	`https://consumer.gencove.com/.well-known/oauth-protected-resource`

Token lifecycle

Access token: valid for 1 hour.
Refresh token: valid for 30 days, rotated on every use.
Refresh reuse protection: presenting an already-rotated refresh token revokes the entire family. Protect your storage.
User revoke: the user can revoke your app's access anytime from their Connected Accounts page. Handle 401 gracefully — don't retry aggressively.
Developer delete: deleting an application from Developer Integrations immediately invalidates every token issued against it.

Authorization header

Every API or MCP call uses the standard bearer format:

Authorization: Bearer eyJhbGciOi…

Common errors

invalid_request	Missing parameter (e.g. `code_challenge` — PKCE is mandatory for every flow).
invalid_client	Unknown `client_id`, the application was deleted, or the `client_secret` is wrong (for confidential clients).
invalid_grant	Authorization code expired / already used, refresh token already rotated (family revoked!), or the PKCE `code_verifier` doesn't match the challenge.
invalid_scope	Requested scope isn't in your application's registered allowed-scopes list. Update the list in Developer Integrations or request fewer scopes.
access_denied	User clicked Deny on the consent screen.
unauthorized_client	The application isn't configured for the requested `grant_type`.
unsupported_grant_type	Only `authorization_code` and `refresh_token` are supported. Implicit, client-credentials, and password grants are disabled.

MCP — AI & Agents

Connect your AI tools to Gencove using the Model Context Protocol (MCP), an open standard that lets AI assistants access your genomics data — kits, PRS scores, ancestry composition, and raw data files — directly from tools you already use.

Instead of switching between your AI assistant and the Gencove dashboard, you can ask questions like “What are my kit statuses?” or “Show my ancestry breakdown” and get answers powered by your real data. The MCP server accepts the same API key or OAuth bearer token as the REST API and exposes the same underlying data.

How it fits together

The MCP server is a thin protocol adapter in front of your Gencove data. Your AI tool speaks MCP over HTTP; the server authenticates the request with an API key (or OAuth bearer token) and returns the same data the REST API would.

flowchart LR AI["AI tool\nClaude · Codex · Cursor · VS Code"] MCP["Gencove MCP server\n/mcp/"] DATA[("Your genomics data\nkits · PRS · ancestry · raw files")] AI -- "MCP over HTTP\nAPI key or OAuth bearer" --> MCP MCP -- "Tool calls\nget_profile, list_kits, …" --> DATA

MCP Endpoint

Server URL

https://consumer.gencove.com/mcp/

Capabilities at a glance

Every capability below is callable from any MCP-speaking client — see Getting Started for per-client setup.

Type	Name	Description
tool	get_profile	Returns the authenticated user's profile including email, name, date joined, and marketing email preference.
tool	list_kits	Lists all consumer kits belonging to the authenticated user, ordered by kit creation date (newest first). Returns sample ID, kit ID, creation date, and current status for each kit.
tool	get_kit_status	Returns detailed status for a specific kit identified by its sample ID. Includes sample ID, kit ID, creation date, and current processing status.
tool	get_prs_scores	Returns Polygenic Risk Score (PRS) trait scores for a kit. Each score includes trait key, percentile rank, risk threshold, and risk category (low / average / high).
tool	get_ancestry	Returns ancestry composition results for a kit. Each population includes a key, display name, proportion (0-1), and percentage.
tool	get_raw_data_url	Returns raw data files for a kit with pre-signed download URLs. Currently returns the imputed VCF file. If the sample is archived the download URL will be null but file metadata and archive status are still returned.

Key Concepts

These terms appear in tool responses. Understanding them helps AI assistants interpret results accurately.

PRS (Polygenic Risk Score)	A score summarizing the combined effect of many genetic variants associated with a trait. Higher percentile = higher genetic predisposition relative to the reference population.
Percentile	Where the user falls in the distribution (0–100). A percentile of 72 means the user scores higher than 72% of people in the reference population.
Risk category	`low`, `average`, or `high` — determined by comparing the percentile to the trait’s `risk_threshold`.
Ancestry composition	Proportions of genetic ancestry from reference populations (e.g. Northern European, West African). Values sum to approximately 1.0.
Archive status	Raw data files may be moved to cold storage. Possible states: `available`, `archived`, `archiving`, `restore requested`, `restored`.
sample_id vs kit_id	`sample_id` is the primary identifier used across all tools. `kit_id` is the physical kit identifier. Always use `sample_id` for API and MCP calls.

Available Tools

The MCP server exposes the following tools. Each tool maps to a corresponding REST API endpoint and returns the same data.

get_profile

Returns the authenticated user's profile including email, name, date joined, and marketing email preference.

No parameters required.

Example response

{
  "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "email": "jane@example.com",
  "name": "Jane Doe",
  "date_joined": "2025-03-15T10:30:00Z",
  "marketing_emails_opt_in": true
}

Try asking

“What’s my Gencove account email?”
“When did I create my account?”

list_kits

Lists all consumer kits belonging to the authenticated user, ordered by kit creation date (newest first). Returns sample ID, kit ID, creation date, and current status for each kit.

Parameter	Type	Required	Description
limit	integer	No	Number of results to return (default 20, max 250).
offset	integer	No	Starting position in the result set.

Example response

{
  "count": 1,
  "next_offset": null,
  "results": [
    {
      "sample_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "kit_id": "f9e8d7c6-b5a4-3210-fedc-ba9876543210",
      "kit_created": "2025-06-01T14:22:00Z",
      "last_status": {
        "id": "11111111-2222-3333-4444-555555555555",
        "status": "Results Ready",
        "created": "2025-07-10T09:15:00Z"
      }
    }
  ]
}

Try asking

“Show me all my DNA kits and their statuses”
“Do I have any kits still processing?”

Use sample_id from the response for all subsequent tool calls (get_kit_status, get_prs_scores, get_ancestry, get_raw_data_url).

get_kit_status

Returns detailed status for a specific kit identified by its sample ID. Includes sample ID, kit ID, creation date, and current processing status.

Parameter	Type	Required	Description
sample_id	string	Yes	UUID of the sample.

Example response

{
  "sample_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "kit_id": "f9e8d7c6-b5a4-3210-fedc-ba9876543210",
  "kit_created": "2025-06-01T14:22:00Z",
  "last_status": {
    "id": "11111111-2222-3333-4444-555555555555",
    "status": "Results Ready",
    "created": "2025-07-10T09:15:00Z"
  }
}

Try asking

“What’s the processing status of my latest kit?”
“Is my kit ready?”

get_prs_scores

Returns Polygenic Risk Score (PRS) trait scores for a kit. Each score includes trait key, percentile rank, risk threshold, and risk category (low / average / high).

Parameter	Type	Required	Description
sample_id	string	Yes	UUID of the sample.
limit	integer	No	Number of results to return (default 20, max 250).
offset	integer	No	Starting position in the result set.

Example response

{
  "count": 1,
  "next_offset": null,
  "results": [
    {
      "id": 42,
      "trait_key": "type_2_diabetes",
      "distribution_key": "gencove_v1",
      "distribution_version": "1.0",
      "value": 1.45,
      "percentile": 72.3,
      "risk_threshold": 80.0,
      "risk": "average"
    }
  ]
}

Try asking

“What is my genetic risk level for type 2 diabetes?”
“Show me all my PRS trait scores”
“Which traits am I at high risk for?”

A percentile of 72 means the user scores higher than 72% of the reference population. The risk field is one of low, average, or high based on risk_threshold.

PRS scores reflect genetic predisposition, not a diagnosis. Present results in context, not as medical advice.

get_ancestry

Returns ancestry composition results for a kit. Each population includes a key, display name, proportion (0-1), and percentage.

Parameter	Type	Required	Description
sample_id	string	Yes	UUID of the sample.

Example response

{
  "populations": [
    {
      "population_key": "NEUROPE",
      "population_name": "Northern European",
      "value": 0.65,
      "percentage": 65.0
    },
    {
      "population_key": "WAFR",
      "population_name": "West African",
      "value": 0.25,
      "percentage": 25.0
    },
    {
      "population_key": "EASIA",
      "population_name": "East Asian",
      "value": 0.1,
      "percentage": 10.0
    }
  ]
}

Try asking

“What’s my ancestry breakdown?”
“What percentage of my DNA is European?”

get_raw_data_url

Returns raw data files for a kit with pre-signed download URLs. Currently returns the imputed VCF file. If the sample is archived the download URL will be null but file metadata and archive status are still returned.

Parameter	Type	Required	Description
sample_id	string	Yes	UUID of the sample.
limit	integer	No	Number of results to return (default 20, max 250).
offset	integer	No	Starting position in the result set.

Example response

{
  "count": 1,
  "next_offset": null,
  "results": [
    {
      "id": "c3d4e5f6-7890-abcd-ef12-34567890abcd",
      "file_type": "impute-vcf",
      "size": 1073741824,
      "checksum_sha256": "e3b0c44298fc1c149afbf4c8996fb924...",
      "archive_status": "available",
      "download_url": "https://s3.amazonaws.com/..."
    }
  ]
}

Try asking

“Give me the download link for my imputed VCF file”
“Can I download my raw genetic data?”

If download_url is null, check archive_status — the file may be archived in cold storage. Inform the user and suggest they visit the Gencove dashboard to request a restore.

Getting Started

Before connecting an AI tool, make sure you have an API key. Then follow the instructions for your tool below.

Run this command in your terminal:

claude mcp add --transport http gencove \
  https://consumer.gencove.com/mcp/ \
  --header "Authorization: Api-Key YOUR_API_KEY"

Replace YOUR_API_KEY with your actual API key. The server will be available in all future Claude Code sessions.

Add this to ~/.codex/config.toml:

[mcp_servers.gencove]
url = "https://consumer.gencove.com/mcp/"
http_headers = { Authorization = "Api-Key YOUR_API_KEY" }

Replace YOUR_API_KEY with your actual API key.

Open Settings → MCP and add a new global MCP server with this configuration:

{
  "mcpServers": {
    "gencove": {
      "url": "https://consumer.gencove.com/mcp/",
      "headers": {
        "Authorization": "Api-Key YOUR_API_KEY"
      }
    }
  }
}

Create a .vscode/mcp.json file in your project root:

{
  "servers": {
    "gencove": {
      "type": "http",
      "url": "https://consumer.gencove.com/mcp/",
      "headers": {
        "Authorization": "Api-Key YOUR_API_KEY"
      }
    }
  }
}

GitHub Copilot will detect the MCP server automatically. You can also add it to your user settings for global availability.

Go to Settings → Connectors → Add Connector and enter the server URL:

https://consumer.gencove.com/mcp/

Alternatively, edit your claude_desktop_config.json:

{
  "mcpServers": {
    "gencove": {
      "url": "https://consumer.gencove.com/mcp/",
      "headers": {
        "Authorization": "Api-Key YOUR_API_KEY"
      }
    }
  }
}

Verify Your Connection

Once configured, ask your AI assistant something like “What are my Gencove kits?” — it should call the list_kits tool and return your kit data.

You can also test the MCP endpoint directly with curl:

curl -X POST https://consumer.gencove.com/mcp/ \
  -H "Authorization: Api-Key YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"test","version":"1.0"}}}'

Tips for AI Tools

Start with list_kits — always call this first to get sample_id values before calling any other tool.
PRS scores are relative — explain percentiles in context (“higher than X% of the reference population”), not as absolute risk or medical diagnosis.
Handle archived files gracefully — if download_url is null, check archive_status and explain the situation to the user. Suggest visiting the Gencove dashboard to request a restore.

API Reference

All endpoints are read-only (GET) and require API key authentication. Click an endpoint to view its interactive documentation with response examples and the ability to test it live.

GET /api/v1/profile/ Returns the authenticated user's profile information. GET /api/v1/kits/ Returns a paginated list of all kits belonging to the authenticated user, ordered by kit creation date (newest first). GET /api/v1/kits/00000000-0000-0000-0000-000000000000/ Returns details for a single kit identified by its `sample_id`. GET /api/v1/kit-prs-report/00000000-0000-0000-0000-000000000000/ Returns paginated Polygenic Risk Score (PRS) trait scores for a kit. Each score represents the user's genetic predisposition for a specific trait. GET /api/v1/kit-ancestry/00000000-0000-0000-0000-000000000000/ Returns the ancestry composition for a kit. The response contains a list of population groups with their proportional values. GET /api/v1/kit-raw-data/00000000-0000-0000-0000-000000000000/ Returns paginated raw data files for a kit (currently the imputed VCF).

API Explorer

Enter your API key and select an endpoint to make a live request.

Try It

API Key

Endpoint

Status & Error Codes

The API uses standard HTTP status codes to indicate the outcome of a request.

Code	Status	Description
`200`	OK	The request succeeded.
`401`	Unauthorized	Missing or invalid API key.
`403`	Forbidden	The API key is valid but does not have permission for this resource.
`404`	Not Found	The requested resource does not exist or is not accessible by your account.
`429`	Too Many Requests	Rate limit exceeded. See Rate Limiting.
`500`	Internal Server Error	An unexpected error occurred on the server.

Error response format

Error responses include a detail field describing the error:

{
  "detail": "Authentication credentials were not provided."
}

Pagination

Endpoints that return lists of items use limit-offset pagination. You control pagination with two query parameters:

Parameter	Type	Default	Description
`limit`	integer	20	Number of results to return per page. Maximum: 250.
`offset`	integer	0	Number of results to skip from the beginning.

Response format

Paginated responses are wrapped in an envelope with metadata:

{
  "meta": {
    "count": 42,
    "next": "https://consumer.gencove.com/api/v1/kits/?limit=20&offset=20",
    "previous": null
  },
  "results": [
    { "..." }
  ]
}

Field	Type	Description
`meta.count`	integer	Total number of results across all pages.
`meta.next`	string \| null	URL for the next page of results, or `null` if this is the last page.
`meta.previous`	string \| null	URL for the previous page, or `null` if this is the first page.
`results`	array	The items for the current page.

Rate Limiting

To ensure fair usage, the API enforces rate limits on all requests.

Tier	Rate
Authenticated requests	100 requests per second
Unauthenticated requests	50 requests per second

Rate limit exceeded

When you exceed the rate limit, the API returns a 429 Too Many Requests response with a Retry-After header indicating how many seconds to wait before retrying:

HTTP 429 Too Many Requests
Retry-After: 1

{
  "detail": "Request was throttled. Expected available in 1 second."
}

Best practices

Implement exponential backoff when you receive a 429 response.
Always respect the Retry-After header value before retrying.
Cache responses when possible to reduce the number of API calls.

Email Notifications

Gencove sends email notifications for important updates about your kits and account. These are not triggered via the API — they are sent automatically based on events in the system. This section documents what you can expect to receive.

Kit lifecycle

These emails track your kit from order to results:

Email	Trigger	Description
Order Confirmed	Kit ordered	Sent when your kit order is placed successfully.
Kit Registered	Kit registered	Sent when your saliva kit barcode is scanned and registered.
Kit Shipped	Kit shipped	Sent when your kit ships. Includes tracking number and carrier link.
Received at Lab	Kit received at lab	Sent when the lab receives your sample and begins processing.
Results Ready	Processing succeeded	Sent when your genomic results are ready to view.
Address Issue	Order failed	Sent if your shipping address could not be validated. Asks you to update it.