Medera supports three credential types, each scoped to a tenant (organization) and an environment.

| Credential | Use case | Issued by | Header |
|---|---|---|---|
| Clerk JWT | End-user requests (clinician, admin) | Clerk | `Authorization: Bearer <jwt>` |
| Developer API Key | Server-to-server, scoped to a project | Medera Console | `X-API-Key: <key>` (or Bearer) |
| Internal service key | AI service ↔ backend proxy auth | Console (admin-only) | `X-Service-Key: <key>` |

- Authentication — `authenticateToken` (Clerk JWT) or `authenticateApiKey` (Developer API Key)
- Tenant context — `setTenantContext` injects `organization_id` into the PostgreSQL session via `app.current_organization_id`
- PHI audit logging — `phiAuditMiddleware` writes a hash-chained event per HIPAA §164.312(b)
- Purpose-based access — `purposeBasedAccess(resource, ...purposes)` restricts the request to the allowed purposes: `TREATMENT`, `PAYMENT`, `OPERATIONS`, `EMERGENCY`

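
How a hash chain like the one the PHI audit logging step is described as writing makes edits to stored audit events detectable, as an added example that is not Medera's code. The entry layout, event field names, the use of SHA-256, and the `appendEvent` / `verifyChain` helpers are assumptions for illustration.

```javascript
// Added example: record layout and field names are assumptions, not Medera's schema.
const crypto = require('crypto');

const GENESIS = '0'.repeat(64); // prevHash used for the first entry

// Serialize a flat event with sorted keys so equal events always hash equally.
function canonical(event) {
  return JSON.stringify(Object.keys(event).sort().map((k) => [k, event[k]]));
}

function entryHash(prevHash, event) {
  return crypto.createHash('sha256').update(prevHash).update(canonical(event)).digest('hex');
}

// Append an audit event, binding it to the hash of the previous entry.
function appendEvent(log, event) {
  const prevHash = log.length ? log[log.length - 1].hash : GENESIS;
  const entry = { event, prevHash, hash: entryHash(prevHash, event) };
  log.push(entry);
  return entry;
}

// Return the index of the first entry that fails verification, or -1 if intact.
function verifyChain(log) {
  let prevHash = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const { event, prevHash: stored, hash } = log[i];
    if (stored !== prevHash || hash !== entryHash(prevHash, event)) return i;
    prevHash = hash;
  }
  return -1;
}

// Constructed sample events (not real audit data).
const log = [];
appendEvent(log, { actor: 'user_1', organization_id: 'org_a', purpose: 'TREATMENT', resource: 'patient/42' });
appendEvent(log, { actor: 'user_2', organization_id: 'org_a', purpose: 'PAYMENT', resource: 'claim/7' });
appendEvent(log, { actor: 'user_1', organization_id: 'org_a', purpose: 'EMERGENCY', resource: 'patient/42' });
console.log(verifyChain(log)); // -1
log[1].event.purpose = 'OPERATIONS'; // edit a stored event after the fact
console.log(verifyChain(log)); // 1
```

A chain on its own does not reveal removal of the newest entries; keeping the latest hash somewhere the log writer cannot modify covers that case.
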
Subscription gating
For agent / intake / therapy / copilot endpoints, the middleware stack also runs `requireActiveSubscription` and `checkAgentLimit` against the tenant’s Stripe subscription state.
Rate limits
| Endpoint family | Production | Dev / staging |
|---|---|---|
| Read endpoints | 100 req / min | 10,000 req / min |
| Write endpoints | 20 req / min | 10,000 req / min |
| Auth (`/login`, `/register`, `/forgot-password`) | 10 req / 15 min | 10 req / 15 min |
| `/api/intake/start-batch-call` | 10 req / min | 10 req / min |