Skip to main content
Medera supports three credential types, each scoped to a tenant (organization) and an environment.
https://mintcdn.com/medera-357fd587/n1mgcc3nR2sq_PoL/icons/ui/user.svg?fit=max&auto=format&n=n1mgcc3nR2sq_PoL&q=85&s=72a09e55fdd461ad74c120bd96cdf1c3

session JWT

End-user requests from a clinician or admin. Issued by the identity provider on sign-in. Header Authorization: Bearer <jwt>.
https://mintcdn.com/medera-357fd587/iC-6rAuwl-0aQSw_/icons/ui/key.svg?fit=max&auto=format&n=iC-6rAuwl-0aQSw_&q=85&s=4ef54e51baa6c73498065cb90a8834ff

Developer API Key

Server-to-server, scoped to a project. Issued by the Console. Header X-API-Key: <key>.
https://mintcdn.com/medera-357fd587/iC-6rAuwl-0aQSw_/icons/ui/server.svg?fit=max&auto=format&n=iC-6rAuwl-0aQSw_&q=85&s=419656a675042e606aca235afc5f7e5c

Internal service key

AI Services ↔ Backend proxy. Header X-Service-Key: <key>. Internal use only.

Four-layer defense Every PHI-touching request is validated through four layers:

1

Authentication

authenticateToken (session JWT) or authenticateApiKey (Developer API Key).
2

Tenant context

setTenantContext injects organization_id into the managed Postgres session via SET LOCAL app.current_organization_id = '...'.
3

PHI audit logging

phiAuditMiddleware writes a hash-chained event per HIPAA §164.312(b).
4

Purpose-based access

purposeBasedAccess(resource,...purposes) restricts the request to the allowed purposes: TREATMENT, PAYMENT, OPERATIONS, EMERGENCY.

API key scopes

Subscription gating

For agent / intake / therapy / copilot endpoints, the middleware stack also runs requireActiveSubscription and checkAgentLimit against the tenant’s payment processor subscription state.

Rate limits


What’s next

https://mintcdn.com/medera-357fd587/n1mgcc3nR2sq_PoL/icons/ui/zap.svg?fit=max&auto=format&n=n1mgcc3nR2sq_PoL&q=85&s=279c57d41af922abbba25c4afddfc3fe

Quickstart

Get a token in 60 seconds.
https://mintcdn.com/medera-357fd587/iC-6rAuwl-0aQSw_/icons/ui/key.svg?fit=max&auto=format&n=iC-6rAuwl-0aQSw_&q=85&s=4ef54e51baa6c73498065cb90a8834ff

Creating Clients

Generate Developer API Keys.
https://mintcdn.com/medera-357fd587/iC-6rAuwl-0aQSw_/icons/ui/server.svg?fit=max&auto=format&n=iC-6rAuwl-0aQSw_&q=85&s=419656a675042e606aca235afc5f7e5c

Environments & Tenants

Sandbox, staging, production.
https://mintcdn.com/medera-357fd587/n1mgcc3nR2sq_PoL/icons/ui/shield-check.svg?fit=max&auto=format&n=n1mgcc3nR2sq_PoL&q=85&s=6909d120dcab3cdfef838294f042d00c

Security Best Practices

Five rules for credentials.