> ## Documentation Index
> Fetch the complete documentation index at: https://docs.medera.info/llms.txt
> Use this file to discover all available pages before exploring further.

# Access Control

> Identity, scopes, and purpose-based access

Medera enforces three layers of access control: 1. **Authentication** — OAuth 2.0 client credentials or session JWT
2\. **Scope** — token-level scopes (e.g. `patients:read`)
3\. **Purpose-based access** — the `purpose` claim restricts what records the actor can access (treatment, payment, operations) Combined with tenant context and RLS, this forms a four-layer defense for every PHI access.
