Authentication
The MediLoop API uses API keys to authenticate requests. You can view and manage your API keys in the Developer Portal.
API Keys
There are two types of API keys:
| Key Type | Prefix | Description |
|---|---|---|
| Test | sk_test_ | For sandbox environment testing |
| Live | sk_live_ | For production environment |
Obtaining API Keys
- Sign up at developers.mediloop.co
- Create an application
- Generate API keys from the dashboard
Making Authenticated Requests
Include your API key in the Authorization header using Bearer authentication:
Authenticated Request
```bash
curl https://api.mediloop.co/api/v1/patients \
  -H "Authorization: Bearer sk_test_51RHO58...T100WQd9N1qn" \
  -H "Content-Type: application/json"
```
Response 200
```json
{
  "object": "list",
  "url": "/api/v1/patients",
  "has_more": false,
  "data": [
    {
      "id": "pat_1234567890",
      "object": "patient",
      "uhid": "UG123456789A"
    }
  ]
}
```
Request Headers
| Header | Type | Required | Description |
|---|---|---|---|
| Authorization | string | required | Bearer token with your API key |
| Content-Type | string | required | application/json (for POST/PUT requests) |
| X-Request-Id | string | optional | Custom request ID for tracking |
| X-Idempotency-Key | string | optional | Idempotency key for safe retries |
API Key Security
Your API keys carry many privileges, so be sure to keep them secure:
- Never expose keys in client-side code - API keys should only be used server-side
- Don't commit keys to version control - Use environment variables
- Rotate keys regularly - Generate new keys periodically
- Use restricted keys - Create keys with limited permissions when possible
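As an added example (not MediLoop's own code), one way to apply the first two rules on a Python server: read the key from an environment variable, refuse a key whose prefix does not match the target environment, and log only a redacted form. The variable name `MEDILOOP_API_KEY`, the environment labels `sandbox`/`production` and the helper names are assumptions; the prefixes and header names come from this page.

```python
import os
import uuid

# Prefixes come from the key-type table; the environment labels are assumptions.
PREFIXES = {"sandbox": "sk_test_", "production": "sk_live_"}


class KeyConfigError(RuntimeError):
    """Raised when the key is missing or does not match the target environment."""


def load_api_key(environment, env=None, var="MEDILOOP_API_KEY"):
    """Read the key from an environment variable (hypothetical name) and check its prefix."""
    env = os.environ if env is None else env
    key = env.get(var, "").strip()
    if not key:
        raise KeyConfigError(f"{var} is not set")
    expected = PREFIXES[environment]
    if not key.startswith(expected):
        # Report the mismatch without echoing any part of the key.
        raise KeyConfigError(f"{var} must start with {expected} for {environment}")
    return key


def redact(key, keep=4):
    """Return a log-safe form: type prefix plus the last `keep` characters."""
    for prefix in PREFIXES.values():
        if key.startswith(prefix) and len(key) > len(prefix) + keep:
            return f"{prefix}...{key[-keep:]}"
    return "[redacted]"


def build_headers(key, idempotency_key=None):
    """Build the documented request headers for a POST/PUT call."""
    return {
        "Authorization": f"Bearer {key}",
        "Content-Type": "application/json",
        "X-Request-Id": str(uuid.uuid4()),
        "X-Idempotency-Key": idempotency_key or str(uuid.uuid4()),
    }


if __name__ == "__main__":
    # Constructed sample key, not a real credential.
    sample = {"MEDILOOP_API_KEY": "sk_test_EXAMPLEONLY0000abcd"}
    key = load_api_key("sandbox", env=sample)
    print(redact(key), sorted(build_headers(key)))
```

Running the prefix check at startup keeps a live key out of sandbox test runs and a test key out of production before any request is sent.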
Key Rotation
You can roll your API keys at any time from the Developer Portal:
- Navigate to API Keys
- Click "Roll Key" on the key you want to rotate
- The old key will be invalidated after 24 hours
Restricted Keys
For enhanced security, you can create restricted API keys with specific permissions:
```json
{
  "name": "Read-only Patient Access",
  "permissions": {
    "patients": ["read"],
    "encounters": ["read"],
    "observations": ["read"]
  }
}
```
| Resource | Permissions |
|---|---|
| patients | read, write, delete |
| encounters | read, write |
| observations | read, write |
| prescriptions | read, write |
| diagnoses | read, write |
| appointments | read, write, delete |
| ai | read, write |
Error Responses
Authentication errors return a 401 Unauthorized status:
Response 401
```json
{
  "error": {
    "code": "authentication_error",
    "message": "Invalid API key provided",
    "type": "invalid_request_error"
  }
}
```
| Error Code | Description |
|---|---|
| authentication_error | Invalid or missing API key |
| api_key_expired | API key has expired |
| api_key_revoked | API key has been revoked |
| insufficient_permissions | Key lacks required permissions |