Authentication
All API requests must be authenticated using API keys. We support secret keys with fine-grained scopes for server-side integrations.
Never expose your secret API key in client-side code. Keep your secret key on the server and use short-lived tokens in the browser when needed.
API Keys
Use your secret key on the server only. Never expose it in client-side code or public repositories.
Bearer Token
Pass your secret key in the Authorization header as a Bearer token on every request.
Authorization headerbash
curl https://api.vcaremd.com/v1/patients \
-H "Authorization: Bearer sk_test_your_secret_key" \
-H "Content-Type: application/json"Scopes & Permissions
Keys can be restricted to read or write scopes per resource type.
patients:readRead-only access to patient recordspatients:writeCreate and update patient recordsappointments:readRead appointment schedulesbilling:writeSubmit claims and billing eventsPublishable Key
pk_test_••••••••••Safe for client-side tokenization only.
Secret Key
sk_test_••••••••••Full API access. Server-side only.