Skip to main content
xcircl
All teardowns
Teardown·Jul 12, 2026·4 min read

How we verify provider identity

Every identity field points back to an official registry with a verification date. Here is the pipeline, and exactly where the honesty lines are.

If you're building anything that recommends a care provider — a clinic finder, an AI agent, a diligence tool — the first question is deceptively hard: is this provider real, current, and who the record says it is? Names collide. Practices move, rebrand, and close. Scraped web data has no source and no timestamp. Here's how we answer that question, and exactly where the honesty lines are.

The anchor: CMS NPPES

We anchor provider identity to the National Plan and Provider Enumeration System (NPPES), the federal registry of National Provider Identifiers. At the current snapshot, 769 of the providers we track carry an NPI matched in NPPES. Matching is name + address + NPI cross-reference with a confidence threshold; below threshold, we don't force a match — the field is left as not-yet-verified rather than guessed.

Two numbers, stated plainly

This is the part most vendors blur, so we put it up front. We track 6,028 GLP-1 providers — the discovery surface. The API's verified / published tier is smaller: 869 at this snapshot. Tracked is what we're watching; verified/published is what the API actually delivers as source-linked, cross-checked records. If you hit the free endpoint and count fewer than 6,028, that's not a discrepancy — it's the boundary between "seen" and "verified," and we'd rather you know it than discover it.

Provenance on every field

A verified field carries its source URL and a check date. Identity is cross-checked against NPPES; compliance signals against FDA warning-letter lists and LegitScript. "Verified" here means we cross-checked it against an official source and stamped when — not that any government agency certified us or the provider.

The free-tier boundary

The free tier returns identity fields (name, city, state, business mode, coordinates, NPI) with no key. Compliance signals, prices, and timestamps require a key (the notice field on /api/v1/providers/ spells this out). That's a packaging line, not a data-quality line.

Verify it yourself

curl "https://xcircl.com/api/v1/providers/?vertical=glp1&state=TX&limit=3"
curl "https://xcircl.com/api/v1/coverage/"   # every number in this post, live

Data as of the 2026-07-12 12:48 UTC snapshot, pulled live from /api/v1/coverage/. Every figure above is substituted from that endpoint at request time — nothing is hardcoded.