Authentication

The VisitNote API uses JWT (JSON Web Token) Bearer tokens for authentication. After signing in, include the token in the Authorization header of every authenticated request.

Obtaining a Token

Call the sign-in endpoint with your email and password:

POST /api/therapist/v1/sign-in
Content-Type: application/json

{
  "email": "clinician@example.com",
  "password": "your_password"
}

The response includes your JWT token:

{
  "status": true,
  "data": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "loginData": {
      "uuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "first_name": "Jane",
      "last_name": "Smith",
      "email": "clinician@example.com",
      "subscription_status": "active"
    }
  }
}

Using the Token

Include the token in the Authorization header for all authenticated requests:

GET /api/therapist/v1/my-profile
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
Accept: application/json

Token Expiration

JWT tokens expire after a server-configured duration. When a token expires, the API returns a 401 Unauthorized response. Your application should handle this by:

  • Detecting the 401 status code
  • Prompting the user to sign in again
  • Clearing any locally stored tokens
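The sign-in, Bearer-header and 401-handling flow above, as an added example (not VisitNote's own SDK): a small client that validates the documented response shape before trusting the token, and clears its stored token on 401 so a stale one is never retried. The `fake_transport` is a constructed stand-in for the API so the block runs offline; in production you would plug in a real HTTPS transport with the same signature.

```python
import json
from typing import Callable, Dict, Optional, Tuple

# (method, path, headers, body) -> (status, body); a real HTTPS transport fits this signature
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]

class VisitNoteClient:
    """Clinician-API client: sign in, attach the Bearer token, react to 401."""

    def __init__(self, transport: Transport):
        self._transport = transport
        self.token: Optional[str] = None   # memory only; persist via keychain/encrypted store if needed

    def sign_in(self, email: str, password: str) -> dict:
        body = json.dumps({"email": email, "password": password}).encode()
        status, raw = self._transport("POST", "/api/therapist/v1/sign-in",
                                      {"Content-Type": "application/json"}, body)
        if status != 200:
            raise PermissionError(f"sign-in rejected with HTTP {status}")
        payload = json.loads(raw)
        # Check the documented shape (status: true, data.token) before using the token
        if payload.get("status") is not True or "token" not in payload.get("data", {}):
            raise ValueError("unexpected sign-in response")
        self.token = payload["data"]["token"]
        return payload["data"]["loginData"]

    def get(self, path: str) -> dict:
        if self.token is None:
            raise PermissionError("not signed in")
        status, raw = self._transport("GET", path,
            {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}, None)
        if status == 401:
            self.token = None   # expired or invalid: drop it so it is never reused
            raise PermissionError("token expired; prompt the user to sign in again")
        return json.loads(raw)

def fake_transport(valid_calls: int = 1) -> Transport:
    """Constructed stand-in for the API: issues a token, honours it valid_calls times, then 401s."""
    state = {"token": "eyJ.constructed.token", "left": valid_calls}
    def send(method, path, headers, body):
        if method == "POST" and path == "/api/therapist/v1/sign-in":
            login = {"uuid": "00000000-constructed", "email": json.loads(body)["email"]}
            data = {"token": state["token"], "loginData": login}
            return 200, json.dumps({"status": True, "data": data}).encode()
        if headers.get("Authorization") == f"Bearer {state['token']}" and state["left"] > 0:
            state["left"] -= 1   # simulate a server-configured expiry after N requests
            return 200, json.dumps({"status": True, "data": {"path": path}}).encode()
        return 401, b'{"status": false}'
    return send
```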

Social Authentication

The API supports Google and Apple sign-in. Send the OAuth ID token from the provider:

POST /api/therapist/v1/sign-in/social
Content-Type: application/json

{
  "provider": "google",
  "id_token": "eyJhbGci...",
  "email": "clinician@gmail.com",
  "first_name": "Jane",
  "last_name": "Smith"
}

The response format is identical to email/password sign-in. For new social accounts, use /register/social instead.

Token Panel

The VisitNote platform supports multiple user types (clinician, patient, admin). API tokens are scoped to a panel. For the clinician API, all tokens are issued with token_panel: "therapist". This is handled automatically during sign-in.

Security Best Practices

  • Store tokens securely (encrypted storage, HTTP-only cookies, or platform keychain)
  • Never expose tokens in URLs or client-side JavaScript source code
  • Implement automatic token refresh or re-authentication on 401 responses
  • Call POST /logout to invalidate tokens when signing out
  • All API communication must use HTTPS (TLS 1.2+)

HIPAA Compliance

The VisitNote API handles Protected Health Information (PHI). All data is encrypted at rest (AES-256) and in transit (TLS). Organizations requiring a Business Associate Agreement (BAA) should contact us.