vcaremd
GuidesAPI Reference
Guides
API StatusOperational
  • Overview
  • Authentication
  • Quickstart
  • Rate Limits
  • Idempotency
  • Pagination
  • Error Handling
  • Versioning
  • API Keys
  • Webhooks Security
  • IP Allowlisting
API StatusOperational
  • Overview
  • Authentication
  • Quickstart
  • Rate Limits
  • Idempotency
  • Pagination
  • Error Handling
  • Versioning
  • API Keys
  • Webhooks Security
  • IP Allowlisting
  1. Docs
  2. Getting Started
  3. Authentication

Authentication

All API requests must be authenticated using API keys. We support secret keys with fine-grained scopes for server-side integrations.

Never expose your secret API key in client-side code. Keep your secret key on the server and use short-lived tokens in the browser when needed.

API Keys

Use your secret key on the server only. Never expose it in client-side code or public repositories.

Bearer Token

Pass your secret key in the Authorization header as a Bearer token on every request.

Authorization headerbash
curl https://api.vcaremd.com/v1/patients \
  -H "Authorization: Bearer sk_test_your_secret_key" \
  -H "Content-Type: application/json"

Scopes & Permissions

Keys can be restricted to read or write scopes per resource type.

patients:readRead-only access to patient records
patients:writeCreate and update patient records
appointments:readRead appointment schedules
billing:writeSubmit claims and billing events
Publishable Key
pk_test_••••••••••

Safe for client-side tokenization only.

Secret Key
sk_test_••••••••••

Full API access. Server-side only.

Quickstart