Skip to main content

Access Controls

API access: team-scoped credentials

Every API request authenticates with a team-specific X-API-KEY / X-API-SECRET pair. There is no broader "organization" credential and no OAuth token that spans multiple teams, a given key/secret pair can only see and modify data that belongs to its Team. See Authentication for the mechanics and Team & Organization for the tenancy model this enforces.

Team scoping is the isolation boundary

If you operate multiple practice locations as separate Teams, a leaked key for one team does not expose another team's Patients. Rotate and store each team's X-API-SECRET independently.