Integration POV · April 2026

Refills Custom OMS ↔ Lorikeet — Integration POV & Discovery Plan

Prepared for Refills Health · April 2026

Refills is migrating off Bask to a custom OMS with open APIs. Lorikeet sits between patient channels and the OMS — resolving 70%+ of patient tickets without a human, while routing the rest cleanly. This document maps how the integration works, what we need from Refills to start, and what the rollout looks like.

Sourced from: April 20 discovery call (Ryan × Harrison × Matt) and April 23 demo call (Steve, Ryan, Nate × Harrison, Matt, Mansoor, Eric, Omar).

At a glance
  • Shape of the integration. The custom OMS is the system of record. Lorikeet spans it — receiving patient conversations from in-app messenger and email, reading what it needs from the OMS (patient profiles, orders, prescriptions, dosing schedules), and either resolving the ticket or escalating cleanly. During migration, Lorikeet also reads from Bask and Telegra for patients still on those platforms.
  • Custom OMS has open APIs. The team owns and hosts the database. APIs are under active development, which means we can co-design the surface Lorikeet needs. This is a strength — we can request the exact endpoints and response shapes that make workflows efficient, rather than working around a third-party's limitations.
  • Two telehealth platforms, one agent. Some patients are on Bask, others on Telegra. Lorikeet's workflow layer handles the routing — identify which platform the patient is on, call the right API, present a unified experience. The patient never knows the difference.
  • Channel consolidation is a goal. Refills wants to move off Gorgeous and centralise everything — chat, email, ticketing — under one roof. Lorikeet's chat widget and native ticketing can replace both Gorgeous and the existing FAQ bot (MyAsk AI).
  • Phase 1 targets four use cases. Order status, subscription management (date changes, cancellations), dosage change requests, and issue reporting (damaged medication, reshipments). These cover ~60% of ticket volume.

1 · Architecture POV

The custom OMS is the system of record. Lorikeet is the agent that sits between patients and the OMS.

Patient channels ├── In-app messenger (70% of volume) ├── Email via Gorgeous (30% of volume) └── Lorikeet chat widget (future — replaces both) │ ▼ Lorikeet (AI Agent) │ │ │ ▼ ▼ ▼ Custom OMS Bask API Telegra API (primary) (legacy) (secondary) │ ├── Patient profiles, orders, prescriptions ├── Dosing schedules, titration status ├── Shipping & fulfillment └── Stripe (billing via OMS)

What this means for scope:

  • Custom OMS owns patient data, orders, prescriptions, and dosing schedules. Lorikeet reads the OMS to answer questions and writes to it to take actions (reschedule shipments, submit dosage review requests, process reshipments). Since Refills owns this system, we can co-design the API surface for optimal Lorikeet consumption.
  • Bask and Telegra are the underlying telehealth platforms that manage clinical workflows, pharmacy fulfillment, and provider networks. During migration, some patients still live in these systems. Lorikeet routes to the right platform per-patient.
  • Gorgeous is the current email ticketing system. In Phase 1, Lorikeet integrates with Gorgeous as an agent seat. In Phase 2, Lorikeet's native ticketing replaces Gorgeous entirely.
  • Stripe sits behind the OMS for billing. Lorikeet accesses it through the OMS API layer — no direct Stripe integration needed unless the OMS doesn't expose billing endpoints.

Why this framing lowers delivery risk:

  1. The custom OMS with open APIs means no third-party API gatekeeping — we can move at Refills' engineering velocity, not a vendor's.
  2. Channel consolidation into Lorikeet eliminates the current problem of duplicate tickets across messenger and Gorgeous.
  3. Phase 1 is read-heavy. Most workflows need to read patient data and present it. The only writes are shipping date changes and reshipment requests — well-scoped, reversible actions.

2 · Integration approach

Three integration surfaces, prioritised by patient volume and action frequency.

A. Custom OMS (primary — all patients)

API typeREST (open, Refills-owned). Refills controls the schema, endpoints, and rate limits. We can request the exact shape we need.
AuthTBD — likely API key or OAuth 2.0 depending on what's already in place. Since Refills hosts the database, we can align on whichever pattern is simplest to provision.
Data we needPatient profiles, order history and status, prescription details (medication, dose, titration step, next injection date), shipping/fulfillment status, subscription state (active, paused, cancelled), provider notes on dosing decisions.
Actions we needReschedule shipment date, cancel subscription, pause subscription, flag medication issue, submit dosage review request to provider, create internal notes, process reshipment (with guardrails).
What may not exist yetHarrison noted that some actions (e.g., "change your shipping date") aren't built into the OMS yet. We crawl-walk-run — start with the endpoints that exist, add more as Refills builds them.

B. Bask Health (legacy patients)

API typeREST API with FHIR compliance. Bask provides RESTful endpoints with JSON responses. Full documentation is gated behind account access.
AuthAPI key-based (BASK_PUBLIC_KEY / BASK_SECRET_KEY). Test mode and live mode keys available.
Data surfacePatient management, order status (Pending → Sent to Pharmacy → Shipped → Delivered), prescription details, pharmacy fulfillment.
Known constraintsMatt and Harrison described Bask as a "closed loop" with limited webhook support and no raw database access. API capabilities may be plan-dependent. We should validate actual endpoint availability against Refills' specific Bask account tier.
Migration contextRefills is actively migrating patients off Bask. This integration is a bridge — it shrinks over time as patients move to the custom OMS.

C. Telegra MD (secondary patients)

API typeREST API with webhook support. Documentation available at documentation.telegramd.com and via Postman collection.
AuthTBD — likely API key or bearer token. Specific auth model not publicly documented.
Data surfacePatient records, consultations (sync and async), prescriptions, pharmacy fulfillment (11 compounding pharmacies).
Known constraintsLess mature API documentation than Bask. May require direct coordination with Telegra's engineering team for full endpoint access.
Key engineering question for Mansoor: Does the custom OMS already abstract patient data from Bask and Telegra, or does Lorikeet need to call each platform's API independently? If the OMS proxies reads from both platforms, the integration collapses to a single API surface — significantly simpler.

3 · Worked example — a patient requests a dosage change

This is the hardest ticket in Refills' queue and the one Harrison flagged as highest-value. Here's how Lorikeet handles it end-to-end.

Patient (in-app messenger) Lorikeet Custom OMS Provider │ │ │ │ │ "I want to get bumped to the │ │ │ │ highest dose, not seeing results" │ │ │ │ ──────────────────────────────────────> │ │ │ │ │ GET /patients/{id} │ │ │ │ ─────────────────────────> │ │ │ │ Patient profile, │ │ │ │ current Rx, titration │ │ │ │ <───────────────────────── │ │ │ │ │ │ │ │ GET /patients/{id}/ │ │ │ │ prescriptions/current │ │ │ │ ─────────────────────────> │ │ │ │ Dose: 7.5mg (step 4/6) │ │ │ │ Last injection: Apr 16 │ │ │ │ Next scheduled: May 14 │ │ │ │ Provider note: "Do not │ │ │ │ exceed 7.5mg — patient │ │ │ │ reported dizziness at │ │ │ │ intake" │ │ │ │ <───────────────────────── │ │ │ │ │ │ │ [Guardrail check: │ │ │ Provider has capped dose. │ │ │ Cannot auto-approve increase. │ │ │ Must escalate to provider.] │ │ │ │ │ │ │ "I understand you'd like to move │ │ │ │ to a higher dose. Looking at your │ │ │ │ file, Dr. Mitchell noted 7.5mg as │ │ │ │ your current ceiling due to the │ │ │ │ dizziness you reported. I've │ │ │ │ submitted a review request to │ │ │ │ Dr. Mitchell — you should hear │ │ │ │ back within 24 hours." │ │ │ │ <────────────────────────────────────── │ │ │ │ │ POST /dosage-reviews │ │ │ │ { patient_id, requested │ │ │ │ dose, reason } │ │ │ │ ─────────────────────────> │ ─────────────────────> │ │ │ │ Provider notified │ │ │ POST /internal-notes │ │ │ │ { ticket context } │ │ │ │ ─────────────────────────> │ │

What this illustrates:

  • Clinical safety is non-negotiable. The provider set a dosing cap. Lorikeet respects it. No amount of patient pushback changes the agent's behavior — the guardrail is deterministic, not a suggestion.
  • The agent explains why, not just no. "Dr. Mitchell noted 7.5mg as your current ceiling due to the dizziness you reported" is more helpful than "I can't do that." It acknowledges the patient's frustration while holding the clinical line.
  • Escalation to the provider is automated. Today this involves an agent switching between the CRM, a separate messaging tool, and possibly Slack to reach the doctor. Lorikeet does it in one API call.
  • The whole thing takes seconds. A human agent spends 10-15 minutes on this. Lorikeet resolves it in the span of a conversation.

Omar flagged that the current AI is "over empathetic — it makes things a lot worse when somebody is frustrated." Lorikeet's approach is calibrated: empathetic enough to acknowledge the patient's position, firm enough to not waver on clinical guidance. And critically, it can't be socially engineered into changing its instructions the way a human sometimes can.

4 · Data surface coverage

These are the data domains Lorikeet needs from the custom OMS to power the four target workflows. Reads are required for Phase 1; writes are phased and individually gated.

DomainReadWriteUse in Phase 1
Patient profileIdentity verification (email match), patient context for all workflows
OrdersOrder status lookup, tracking number, carrier, shipment date
PrescriptionsCurrent medication, dose, titration step, provider notes on dosing
Dosing scheduleLast injection date, next scheduled dose, titration timeline (step X of Y)
Shipping / fulfillmentRead: delivery status, carrier info. Write: reschedule shipment date
SubscriptionRead: subscription state, next billing date. Write: pause, cancel, date change
Provider notesRead-only — dosing caps, clinical context. Never write clinical notes from an LLM.
Medication issuesCreate issue report (cloudy vial, temperature, damage). Trigger reshipment with guardrails.
Dosage reviewsSubmit dosage change request to provider. No auto-approval — human-in-loop.
Internal notesLog Lorikeet actions and conversation context for audit trail.
Billing (via Stripe)Phase 2Read: payment status, last charge, next billing. Write deferred to Phase 2.
Harrison noted: "There are certain things we don't do today — that shipping date change, we don't have that functionality in our system yet." This is expected. We start with the endpoints that exist and add more as the OMS evolves. The Lorikeet workflow is ready before the endpoint is — we just enable the action when the API is built.

5 · Multi-platform routing (Bask + Telegra)

Matt asked directly: "Can we also integrate two platforms? Some of our customers are on Bask, some on Telegra. Is your platform dynamic enough to pull into both?"

Yes. Here's the routing pattern:

Patient contacts Lorikeet │ ▼ Identify patient (email / ID) │ ▼ ┌──────────────────────────────────┐ │ Which platform is this patient │ │ on? │ │ │ │ Custom OMS lookup: │ │ patient.platform = ? │ └──────────┬───────────────────────┘ │ ┌─────────┼─────────┐ ▼ ▼ ▼ Custom Bask Telegra OMS API API │ │ │ └─────────┼─────────┘ │ ▼ Unified response to patient (same tone, same resolution)

How this works in practice:

  • The OMS is the identity layer. Every patient has a record in the custom OMS, even if their clinical data lives in Bask or Telegra. The OMS record tells Lorikeet which platform to query for the clinical details.
  • Tool definitions are per-platform. Lorikeet's tool layer handles the mapping: "get order status" resolves to a different API call depending on whether the patient is Bask or Telegra, but the workflow logic is the same.
  • This pattern is not new for us. Steve described it on the call: "We build a bundle of logic that first finds the right system for the right patient and then goes and gets the information for that system." We run this pattern in production for multiple subscribers with fragmented backends.

Important scoping question: Does the custom OMS already proxy data from Bask and Telegra? If so, Lorikeet only ever needs one API surface. If not, we integrate with all three independently — more work upfront but still well within the pattern we run today.

6 · Phased rollout plan

Phase 0 — Pre-work (parallel with kickoff)

  • BAA signed (HIPAA compliance, PHI handling agreement).
  • OMS API documentation shared — or a live walkthrough of existing endpoints with Mansoor's team.
  • Bask and Telegra API credentials provisioned for Lorikeet's test environment.
  • Technical contact named on each side: OMS API owner (Mansoor or delegate), Lorikeet FDE.
  • Sample ticket data — real ticket shapes (redacted) so we design workflows against actual patient language, not hypotheticals.
  • Gorgeous API key or Connected App provisioned for Phase 1 email integration.

Phase 1 — Core four workflows + Gorgeous integration

Goal: Lorikeet resolves the four highest-volume ticket types end-to-end.

  • Order status lookup. Read order, shipping, and tracking info from OMS. Low complexity, high volume.
  • Subscription management. Date changes, pauses, cancellations. Read + write against OMS subscription endpoints.
  • Dosage change requests. Read prescription and dosing schedule. Apply clinical guardrails. Submit review request to provider. Human-in-loop on all dosage actions.
  • Issue reporting. Damaged/cloudy medication. Create issue report. Trigger reshipment with guardrails (max 1 per customer before escalation).
  • Channel: Lorikeet integrates with Gorgeous as an agent seat for email. In-app messenger routes to Lorikeet via SDK or API.
  • Escalation: Tickets Lorikeet can't handle go to the human queue in Gorgeous. No change to human agent workflow.

Success metric: 50-70% resolution rate on the four target workflows. Measured by tickets fully resolved without human intervention.

Phase 2 — Channel consolidation + expanded actions

  • Replace Gorgeous with Lorikeet's native ticketing. Email intake directly into Lorikeet. Eliminates duplicate tickets across messenger and email.
  • Lorikeet chat widget replaces MyAsk AI and the in-app messenger. Single widget, single system of record.
  • Billing actions: refunds, payment method updates, plan changes (via OMS + Stripe).
  • Retention workflows: when a patient wants to cancel, Lorikeet triages the reason and either resolves or routes to a retention specialist.
  • Reshipment guardrails tightened: based on Phase 1 data, move from human-in-loop to Lorikeet-managed with hard limits (Matt's concern about gaming).

Phase 3 — Proactive outbound + sales

  • Check-in calls. Outbound voice or SMS for the 3-month questionnaire Harrison mentioned. AI handles the nine questions, flags issues, routes complex cases to a human.
  • Re-engagement campaigns. Contact lapsed patients, identify reason for drop-off, offer tailored re-engagement (not blast discounts — Steve's point).
  • Lead qualification. AI triages inbound interest, qualifies against eligibility criteria, routes hot leads to the sales team.
  • Promotional awareness. When marketing runs a promotion, Lorikeet knows about it and can answer questions or apply offers — solving Harrison's concern about CX being out of sync with marketing.

7 · Telehealth guardrails we bring by default

These aren't bespoke for Refills — they're how we deploy anything touching patient data and prescription medication.

  1. No clinical advice. Lorikeet does not recommend dosages, diagnose symptoms, or suggest treatment changes. Any clinical question escalates to a human or routes to the provider. This is a hard boundary, not a prompt instruction.
  2. Dosing caps are law. If a provider has set a dosing ceiling, Lorikeet cannot override it regardless of patient pressure. The guardrail reads the provider note and enforces it deterministically.
  3. Reshipment fraud protection. Matt flagged the gaming risk: "If it's AI, they just automatically do the process." Our approach: hard limit on reshipments per patient (e.g., one per 90-day cycle). Beyond that, escalate to human. Lorikeet checks history before actioning — not after.
  4. Discount and pricing guardrails. Harrison flagged: "I could see people switching pricing, giving a 30% discount, but having a threshold of $169 — do not go below that." Lorikeet enforces price floors and discount ceilings as deterministic guardrails, not AI judgment calls.
  5. PHI minimisation. Only the fields a workflow actually needs are passed to the LLM context. Full patient charts are never surfaced. Audit trail of every field accessed.
  6. Patient identity verification. Email match (current method) before any data is surfaced. Can upgrade to DOB, verification code, or multi-factor based on Refills' preference.
  7. Message checks. Inbound patient messages are scanned for self-harm language, medical emergency indicators, and threats. These bypass all workflows and escalate immediately.
  8. Concierge checks. Before Lorikeet sends any response, a deterministic layer reviews it for: medical claims, dosing recommendations, off-label suggestions, and tone calibration (Omar's concern about being "over empathetic").
  9. AI-generated attribution. Every Lorikeet action is tagged and logged. For audit, compliance, and QA. Matches what we do for all regulated subscribers.

8 · Discovery questions for kickoff

What we'd want to resolve together on the first integration call, grouped by who'd typically answer each.

For Mansoor (CTO) / OMS engineering team

  1. What API endpoints exist today on the custom OMS? Is there an OpenAPI spec or Postman collection we can review?
  2. Does the OMS already abstract data from Bask and Telegra, or are those separate systems Lorikeet would need to call independently?
  3. Auth model for the OMS API — API key, OAuth 2.0, or something else?
  4. Which of the four target actions (shipping date change, subscription cancel/pause, dosage review submission, reshipment) have working API endpoints today? Which need to be built?
  5. What downstream systems are affected when Lorikeet takes an action? (e.g., changing a shipment date — does that hit pharmacy, logistics, billing?)
  6. Rate limits, environments (staging/sandbox?), and data freshness expectations?
  7. Bask account tier — do you have full API access or just webhooks? Can we get API credentials for testing?
  8. Telegra API access — same question. Credentials and documentation for testing?

For Harrison / Omar (CX operations)

  1. Walk us through the current human workflow for a dosage change request — every system touched, every handoff, every decision point.
  2. Same for a reshipment — what's the approval process today? Who decides?
  3. What's the current escalation path when an agent can't resolve? Slack, internal ticket, direct message to provider?
  4. Authentication — email verification is current. Do you want to change that? (e.g., DOB check, verification code)
  5. What does "good" look like for tone? Omar mentioned the current AI is over-empathetic. Can you share examples of great human responses we should model?
  6. Always-escalate scenarios — beyond medical emergencies, what should always go to a human? (e.g., legal threats, VIP patients, specific complaint types)
  7. Gorgeous workflow — current email routing rules, tags, assignment logic?

For Matt / Eric (business)

  1. Reshipment policy — what's the hard limit? One per X days? Dollar threshold? Do you want human-in-loop for all reshipments in Phase 1?
  2. Discount and pricing guardrails — what's the minimum price floor? What promotions is Lorikeet allowed to offer vs. escalate?
  3. Retention script — when a patient wants to cancel, what's the ideal save flow? Offer alternatives, or just process?
  4. Success definition — is it resolution rate? Cost reduction? CSAT? Agent time freed up? All of the above?

For compliance / security

  1. BAA status — ready to sign?
  2. PHI handling standards — any requirements beyond HIPAA baseline (state-level, payer contracts)?
  3. SOC 2 / HITRUST expectations?
  4. Is there an internal security review gate? Surfacing this early prevents it becoming a go-live blocker.
  5. Data residency requirements?

9 · Proposed next step
  1. Integration scoping call (60-90 minutes) with: Mansoor + OMS engineering, Harrison + Omar from CX, and a compliance representative if available. Lorikeet side: Forward-deployed engineer and product manager.
  2. Pre-read: This document, plus whatever OMS API documentation Mansoor can share in advance (his request: "Send it ahead of time so we can gather those responses").
  3. Agenda: Walk through the discovery questions. Leave with a clear picture of what endpoints exist, what needs to be built, and a Phase 1 scope both sides agree on.
  4. Output: A Phase 1 statement of work with named workflows, named API endpoints, named success metrics, and a target go-live date.

The two things that most accelerate launch:

  • OMS API access (even a partial spec or Postman collection) so we can start mapping tools.
  • A signed BAA so we can work with real ticket shapes instead of synthetic data.

Mansoor's ask was clear: "The most important thing is cost as well as the timeline. We want to know before we actually do anything." The scoping call gives us what we need to provide both with confidence.

Prepared for Refills Health · April 2026 · Lorikeet