FDA Electronic Submission Gateway (ESG) NextGen
API Guide

---

FDA
Electronic Submission Gateway (ESG) NextGen
API Guide

Application Program Interface

Version 1.0
March 2025

1. Introduction

This document provides guidelines for submitting files and folders through Application Programming Interfaces (APIs) with the FDA’s ESG NextGen system. The guide covers the prerequisites for API submission and the API order to perform different tasks.

1.1 Purpose of the Guide

ESG NextGen provides new web services APIs to submit files, check submission status and retrieve acknowledgements Companies can integrate these APIs with their systems to achieve submission and other business workflow automation.

1.2 Target Audience

This guide is intended for industry participants who want to utilize APIs to submit regulatory information to the FDA. The audience includes current Applicability Statement 2 (AS2) submitters so they can understand this additional system to system submission method, legacy ESG WebTrader users and new ESG NextGen users who desire to further automate the submission process, and user technical support resources. It is applicable to users submitting on behalf of their own company as well as agents submitting on behalf of other companies. For further API technical information, refer to the ESG NextGen API Specification v1.0.docx which can be found here under User Guides.

2. Getting Started with API

To utilize API submissions with ESG NextGen, users will need to obtain a Client ID and Secret Key. To obtain this information, users will need to register for an ESG NextGen Unified Submission Portal (USP) account. Only USP users with the role of Power User will have access to the API Management module of USP.

2.1 Registering with Corporate Emails

For security and privacy reasons, ESG NextGen accepts communications via business email accounts. Public email services (e.g., Gmail, Yahoo) are not acceptable to maintain compliance and ensure data integrity. When registering for ESG NextGen, the email provided must be an individual’s business email, a group or shared email cannot be used.

2.2 USP User Roles and Permissions

ESG NextGen defines two primary user roles, each with distinct permission:

• Power User:
  Power Users have full access to all system functionalities, including user registration, company and user management, and submission processes. Power Users are allowed to:
  • Manage company information such as Non-Repudiation Letters and Authorization Letters.
  • Generate API credentials.
  • Manage users (roles and permissions) within their organization.
  • Upload submissions.
  • View all submissions within their organization.
• Submitter:
  Submitters are authorized to submit regulatory files for their company but cannot manage users or modify company settings. Submitters focus on preparing and sending both test and production submissions through the USP. Submitters are allowed to:
  • Upload submissions.
  • View their own submissions.
  • View/edit their user information.

2.3 Agent, CRO, or Consultant Registration

Agents, Contract Research Organizations (CROs), or Consultants that submit on behalf of multiple clients will register under their own company. The Authorization Letters uploaded by the Agent, CRO, or Consultant, is what will link the Agent, CRO, or Consultant company to the companies they are submitting on behalf of. Please follow the steps outlined below in Registering for a USP Account when creating your account.

2.4 Registering for a USP Account

To utilize the functionality within ESG NextGen USP, users will need to register for a USP account. If you have already created an ESG NextGen USP account, please use the credentials created during account registration to log in to your account.

Step 1: Create Log In Credentials and set-up Multi-Factor Authentication

1. Open your browser (Chrome, Firefox, or Edge) and navigate to the web page Electronic Submissions Gateway | FDA
2. Click on ‘Industry USP Log In’. Note: to be available 3/31/25
   
3. Review the Security Warning and click ‘Accept’.
4. On the ESG NextGen log in page, click on ‘Register now’.
   

• Enter all required information on the ‘Create Your Account’ page and then click ‘Create Account’.
  • An email will be sent to the email address entered during this registration process stating your account has been created.
• Enter the credentials created while registering your account in the ESG NextGen log in screen and click ‘Sign On’.
• Go to the email inbox for the email entered during registration to obtain the One Time Passcode (OTP).
• Enter the OTP in the box provided and click ‘Sign On’.
  
• You are now Authenticated and will be directed to ESG NextGen USP.

Step 2: Complete ESG NextGen Registration

The ESG NextGen USP registration wizard will walk you through the steps to complete your ESG NextGen USP registration.

Legacy ESG Users

For users with an active legacy ESG account, your user information has been migrated to ESG NextGen, and you remain covered under your previously submitted Non-Repudiation Letter and Authorization Letter (if needed). Once logged in to ESG NextGen USP for the first time, please review the information presented and click ‘Continue’ to activate your ESG NextGen USP account.

New Users

For users new to submitting to the FDA via legacy ESG or ESG NextGen, you will need to review the guidelines for a Non-Repudiation Letter found here: Appendix G: Letters of Non-Repudiation Agreement | FDA. For Agents, CROs, and Consultants submitting on behalf of another company, please also reference the guidelines for Authorization Letters: Appendix K: Sample Authorization Letter | FDA

Within the ESG NextGen USP registration wizard, you will have the option to upload a signed Non-Repudiation Letter, or you can create a Non-Repudiation Letter digitally within the wizard and sign electronically.

For Agents, CRO’s, and Consultants registering their company with ESG NextGen, be sure to check the box for ‘This company is an agency/consulting firm submitting on behalf of other companies.’ This will indicate to the system that users for your company will be uploading on behalf of other companies. During the registration process, at least one Authorization Letter will need to be uploaded.

There are multiple ways the ESG NextGen USP registration wizard will walk you through the registration process. Please reference the following training videos for more information on the ESG NextGen USP registration process:

New Company/New User Registration

• New Company Agent Upload User Registration: Covers entering your company’s information and uploading a Non-Repudiation Letter.
• New Company Non-Agent Duplicate Upload User Registration: Covers entering your company’s information and a duplicate company is detected, and a Non-Repudiation Letter is uploaded.
• New Company Non-Agent Duplicates Digital User Registration: Covers entering your company’s information and duplicate companies are detected and a digital Non-Repudiation Letter is created.

Existing Company/New User Registration

• Existing Shell Digital User Registration: Company selected is just the company name created by an Agent to submit on behalf of the selected company. Registering user is defaulted to a Power User and a digital Non-Repudiation Letter is created.
• Existing Non-Shell Upload User Registration: Registering user found their company and uploaded a Non-Repudiation Letter.
• Existing Non-Shell Letter Found User Registration: Registering user found their company and is covered under a company-wide Non-Repudiation Letter.

For a new user registering under an existing company within ESG NextGen, once your ESG NextGen USP registration is complete, a Power User from your company will review and accept or decline your registration. An email notification will be sent to you notifying you of the status of your ESG NextGen USP account.

For a new company entered into ESG NextGen with the new user registration, an ESG NextGen Admin will review your registration, and an email notification will be sent to you notifying you of the status of your ESG NextGen USP account. The first user registered in a company will default to a Power User role.

2.5 Obtain API Client ID and Secret Key

The Client ID and Secret Key generated in the API Management module of ESG NextGen USP is what will allow a user to be authenticated within ESG NextGen to upload submissions via API. Only USP users with the role of Power User will have access to API Management. Please store the Secret Key in a secure location as ESG NextGen USP will not reveal the Secret Key again after it is generated. If you lose your Secret Key or need to replace it for any reason, you can generate a new Client ID and Secret key within the API Management module of ESG NextGen USP.

2.5.1 First Time Generation of API Client ID and Secret Key

• Log into ESG NextGen USP.
• In the left navigation menu, select ‘API Management’.
  
• On the API Management screen, click ‘+ Generate’ to generate and reveal your Client ID and Secret Key.
  
• Once API Credentials are displayed, please be sure to store the Secret Key in a secure location within your system as the Secret Key will not be displayed again.
  

2.5.2 Regenerating Secret Key

1. Log into ESG NextGen USP.
2. In the left navigation menu, select ‘API Management’.
   
3. On the API Management screen, click ‘Generate New’.
   
4. A warning message will appear stating the action of generating a new secret key will replace your current API access credentials, rendering them invalid. To replace your API credentials, click ‘Generate’.
   
5. Once API Credentials are displayed, please be sure to store the Secret Key in a secure location within your system as the Secret Key will not be displayed again.
   

3. FDA Center and Submission Types

For a list of FDA Center and Submission Types to referenced when populating the Center and Submission type in the ‘Generate Submission ID and Temp Credentials’ API, please see Center Submission Types | FDA

4. Support

Questions? Please contact support at ESGNGSupport@fda.hhs.gov. We are available to provide assistance 8 am to 8 pm ET Monday ­ Friday. If you submit a help request outside those business hours, we will respond the next business day.

FDA Electronic Submission Gateway (ESG) NextGen
Appendix for Technical Resources

---

5. Appendix for Technical Resources

5.1 API File Submission Steps

Outlined below is the order the APIs need to be called for different tasks. For detailed information pertaining to the APIs, please reference the ESG NextGen API Specification.

Each workflow outlined below requires an active oAuth access token. Generating a new access token is outlined in Step 1 of each workflow. You can skip this step if you already have a valid access token.
Retrieving an oAuth access token will need to be done when:

• This is the first API call being made for the session
• The previous access token has expired

Note: Access tokens expire after one hour

5.1.1 Retrieving User Details

Most APIs require identifying the user or company via the unique identifier tied to those elements. This API workflow allows industry users to retrieve those identifiers.

No	API Endpoint	API Description (Industry Partners)	Request Method	Request Input (Sample values)	Request Output (Sample values)
Step 1	https://external-api-esgng-uat.preprod.fda.gov/as/token.oauth2?grant_type=client_credentials&scope=openid%20profile	API to generate oAuth access token	POST	Request Body with x-www-form-urlencoded Keys — Values: client_secret—Secret generated from API Management client_id — ID generated from API ManagementNOTE: The values are constant which are from ICAM client credentials.	{ “access_token”: “aZl2hNYnbuOikJZEhmyA”, “token_type”: “Bearer”, “expires_in”: 3600 }
Step 2	https://external-api-esgng-uat.preprod.fda.gov/api/esgng/v1/companies	Retrieve the user ID and list of companies and the associated company IDs for which a given user can create submissions	GET	Query Parameter: user_email = testagent5@test.com Note: Please pass accesstoken in a header Key – Values accesstoken – {accesstoken}	{ “user_id”: 55, “user_email”: “testagent5@test.com”, “company_id”: 30, “company_name”: “Actual Agency”, “company_status”: “Approved”, “authorizing_companies”: [ { “authorizing_company_id”: 2, “authorizing_company_name”: “Oldio Corp” }, { “authorizing_company_id”: 5, “authorizing_company_name”: “Fantastic Calm” } ], “esgngcode”: “ESGNG390”, “esgngdescription”: “Company Information retrieved successfully from ESGNG.” }

5.1.2 File Submission through API

This API workflow allows industry users to create a submission, assign the submission metadata, and submit a file to be delivered to the appropriate FDA center. In Step 2, please notice there is an endpoint for Test Submissions and an endpoint for Production Submissions.

No	API Endpoint	API Description (Industry Partners)	Request Method	Request Input (Sample values)	Request Output (Sample values)
Step 1	https://external-api-esgng-uat.preprod.fda.gov/as/token.oauth2?grant_type=client_credentials&scope=openid%20profile	API to generate oAuth access token	POST	Request Body with x-www-form-urlencoded Keys — Values: client_secret—Secret generated from API Management client_id — ID generated from API Management NOTE: The values are constant which are from ICAM client credentials.	{ “access_token”: “aZl2hNYnbuOikJZEhmyA”, “token_type”: “Bearer”, “expires_in”: 3600 }
Step 2	TEST Submission Endpoint: https://external-api-esgng-uat.preprod.fda.gov/api/esgng/v1/credentials/api/test PROD Submission Endpoint: https://external-api-esgng-uat.preprod.fda.gov/api/esgng/v1/credentials/api	Generate submission id and temp credentials	GET	Request Body: { “user_id”: “2”, “fda_center”: “CBER”, “company_id”: “2”, “authorizing_company_id”: “2”, “submission_type”: “510K”, “file_count”: 23, “description”: “this is submission version description”, “submission_protocol”: “API” }Note: Please pass accesstoken in a header Key – Values accesstoken – {accesstoken}	{ “core_id”: “CmpAssociatesInc_2023110733023”, “temp_user”: “1-CmpAssociatesInc_2023110733023”, “temp_password”: “17948854-108c-4831-9000-0859c52fefc0”, “esgngcode”: “ESGNG210”, “esgngdescription”: “Core Id and Temporary Credentials generated and stored successfully.” }
Step 3	https://upload-api-esgng-uat.preprod.fda.gov/rest/forms/v1/fileupload/payload	Insert payload.	GET	Do not supply a request body with this method.	{ “data” : { “payloadId” : “string”, “uploadFileLink” : “string”, “submitFormLink” : “string” } }
Step 4	https://upload-api-esgng-uat.preprod.fda.gov/rest/forms/v1/fileupload/payload/:payloadId/file	Upload one attachment at a time.	POST	Request Parameter payloadId	{ “data” : { “status” : “string”, “message” : “string” } }
Step 5	https://upload-api-esgng.fda.gov/rest/forms/v1/fileupload/payload/:Payloadid/submit	Submit the payload.	POST	Request body: { “username” : “string”, “password” : “string”, “sha256_checksum” : “string” }	{ “data” : { “message” : “string”, “files” : [ { “id” : “string”, “name” : “string”, “size” : “string”, “link” : “string” } ] } }

5.1.3 Get Submission Status

This API workflow allows industry users to retrieve the status of the submission based on its core ID.

No	API Endpoint	API Description (Industry Partners)	Request Method	Request Input (Sample values)	Request Output (Sample values)
Step 1	https://external-api-esgng-uat.preprod.fda.gov/as/token.oauth2?grant_type=client_credentials&scope=openid%20profile	API to generate oAuth access token	POST	Request Body with x-www-form-urlencoded Keys — Values: client_secret—Secret generated from API Management client_id — ID generated from API Management NOTE: The values are constant which are from ICAM client credentials.	{ “access_token”: “aZl2hNYnbuOikJZEhmyA”, “token_type”: “Bearer”, “expires_in”: 3600 }
Step 2	https://external-apiesgng.fda.gov/api/esgng/v1/submissions/{core_id}	Retrieve submission status for a given core id	GET	URI Paramter: {core_id} -> CmpAssociatesInc_2023110733023 Note: Please pass accesstoken in a header Key – Values accesstoken – {accesstoken}	{ “core_id”: “CmpAssociatesInc_2023110733023”, “status”: “Upload Initiated”, “submission_protocol”: “API”, “esgngcode”: “ESGNG270”, “esgngdescription”: “Submission status retrieved successfully.” }

5.1.4 Get ALL Acknowledgements

This API allows industry users to retrieve the details of the acknowledgement data associated with a submission identified by core ID. ACK1 and ACK2 details are returned in the list while ACK3 returns a link to download the appropriate file.

No	API Endpoint	API Description (Industry Partners)	Request Method	Request Input (Sample values)	Request Output (Sample values)
Step 1	https://external-api-esgng-uat.preprod.fda.gov/as/token.oauth2?grant_type=client_credentials&scope=openid%20profile	API to generate oAuth access token	POST	Request Body with x-www-form-urlencoded Keys — Values: client_secret—Secret generated from API Management client_id — ID generated from API Management NOTE: The values are constant which are from ICAM client credentials.	{ “access_token”: “aZl2hNYnbuOikJZEhmyA”, “token_type”: “Bearer”, “expires_in”: 3600 }
Step 2	https://external-api-esgng-uat.preprod.fda.gov/api/esgng/v1/acknowledgements/{core_id}	Retrieve all ACKs information and also to have a link for ACK3 file to download .	GET	URI Paramter: {core_id} -> ci241211033255.70c6e6daada64 a188dd318c2b82f599e Note: Please pass accesstoken in a header Key – Values accesstoken – {accesstoken}	{ “core_id”: “ci241211033255.70c6e6daada64a188dd318c2b82f599e”, “acknowledgements”: [ { “acknowledgement”: “ACK1c”, “status”: “Upload Received”, “message”: “\n\n From: donotreply@fda.hhs.gov\n To: esgngtest1@gmail.com\n Subject: ESG Submission – ACK1 – Upload Received: ci241211033255.70c6e6daada64a188dd318c2b82f599e\n\n Submission ci241211033255.70c6e6daada64a188dd318c2b82f599e has been successfully received by ESG.\n\n Company Name: Auth Shell myrtle\n Core ID: ci241211033255.70c6e6daada64a188dd318c2b82f599e\n\tFile Type: SINGLE\n\tFile Count Received: 1\n\tFile Count Identified to be Received: 1\n\tTotal File Size: 88.00 KB\n\tOrigination Date/Time: 12/10/2024 23:32:55 ET\n\nNext Step: Submission to be delivered to HFP”, “created_by”: “4909”, “created_date”: “12-11-2024, 03:34:10” }, { “acknowledgement”: “ACK2”, “status”: “Submitted to Center”, “message”: “\n\n From: donotreply@fda.hhs.gov\n To: esgngtest1@gmail.com\n Subject: ESG Submission – ACK2 – Submitted to Center: ci241211033255.70c6e6daada64a188dd318c2b82f599e\n\n Submission ci241211033255.70c6e6daada64a188dd318c2b82f599e has been successfully submitted to HFP\n\n Company Name: Auth Shell myrtle\n\n\tCore ID: ci241211033255.70c6e6daada64a188dd318c2b82f599e\n\t File Type: SINGLE\n\tFile Count Received: 1\n\tFile Count Identified to be Received: 1\n\tTotal File Size: 88.00 KB\n\tOrigination Date/Time: 12/10/2024 23:32:55 ET\n\tCenter Receipt Date/Time: 12/10/2024 23:34:14 ET\n\nNext Step: HFP to review submission.”, “created_by”: “4909”, “created_date”: “12-11-2024, 03:34:17” } ], “esgngcode”: “ESGNG360”, “esgngdescription”: “Retrieved all acknowledgements for the given submission.” }

Documents / Resources

FDA ESG NEXTGEN App [pdf] User Guide ESG NEXTGEN App, App

References

• User Manual