Getting Started

Access Control

How API access is scoped across clinics, partners, and admins.

Access control is tenant-first. API requests are evaluated against organization, clinic, partner-account, role, and resource ownership boundaries before returning data.

  • Partner endpoints operate inside a partner account boundary.
  • Clinic endpoints operate inside a selected clinic or organization boundary.
  • Admin endpoints are internal and should not be exposed to external partners.