session JWT
End-user requests from a clinician or admin. Issued by the identity provider on sign-in. Header
Authorization: Bearer <jwt>.Developer API Key
Server-to-server, scoped to a project. Issued by the Console. Header
X-API-Key: <key>.Internal service key
AI Services ↔ Backend proxy. Header
X-Service-Key: <key>. Internal use only.Four-layer defense Every PHI-touching request is validated through four layers:
1
Authentication
authenticateToken (session JWT) or authenticateApiKey (Developer API Key).2
Tenant context
setTenantContext injects organization_id into the managed Postgres session via SET LOCAL app.current_organization_id = '...'.3
PHI audit logging
phiAuditMiddleware writes a hash-chained event per HIPAA §164.312(b).4
Purpose-based access
purposeBasedAccess(resource,...purposes) restricts the request to the allowed purposes: TREATMENT, PAYMENT, OPERATIONS, EMERGENCY.API key scopes
Subscription gating
For agent / intake / therapy / copilot endpoints, the middleware stack also runsrequireActiveSubscription and checkAgentLimit against the tenant’s payment processor subscription state.
Rate limits
What’s next
Quickstart
Get a token in 60 seconds.
Creating Clients
Generate Developer API Keys.
Environments & Tenants
Sandbox, staging, production.
Security Best Practices
Five rules for credentials.