> ## Documentation Index
> Fetch the complete documentation index at: https://docs.medisync.me/llms.txt
> Use this file to discover all available pages before exploring further.

# Delete Notes

> Permanently delete a notes document by its ID

## Overview

Delete a notes document by its own ID. This performs a permanent (hard) deletion of the notes record.

<Warning>
  **Permanent deletion**: This operation permanently removes the notes document. It cannot be undone.
</Warning>

<Note>
  The path parameter is the **notes document ID**, not the appointment ID. Ownership is verified through the note's appointment: if the note belongs to an appointment owned by another doctor, the request returns `403 Forbidden` and nothing is deleted.
</Note>

## Authentication

<ParamField header="Authorization" type="string" required>
  Bearer token for authenticated access. The doctor (user) identity is taken from the JWT.

  ```
  Authorization: Bearer your_jwt_token_here
  ```
</ParamField>

A missing or invalid token returns `401` with a `message` field. See [Error Responses](#error-responses).

## Path Parameters

<ParamField path="id" type="string" required>
  Notes document ID (MongoDB ObjectId, 24 hex characters) to delete — **not** the appointment ID.
</ParamField>

## Response

<ResponseField name="success" type="boolean">
  Indicates whether the operation succeeded.
</ResponseField>

<ResponseField name="error" type="string">
  Error message (only present when `success` is `false`).
</ResponseField>

## Example Request

<RequestExample>
  ```bash cURL theme={null}
  curl -X DELETE \
    'https://app.medisync.me/api/notes/665f1c2a9b1e8a0012ab34cd' \
    -H 'Authorization: Bearer your_jwt_token_here'
  ```

  ```javascript JavaScript theme={null}
  const response = await fetch(
    'https://app.medisync.me/api/notes/665f1c2a9b1e8a0012ab34cd',
    {
      method: 'DELETE',
      headers: {
        'Authorization': 'Bearer your_jwt_token_here'
      }
    }
  );

  const result = await response.json();
  ```

  ```python Python theme={null}
  import requests

  response = requests.delete(
      'https://app.medisync.me/api/notes/665f1c2a9b1e8a0012ab34cd',
      headers={
          'Authorization': 'Bearer your_jwt_token_here'
      }
  )

  result = response.json()
  ```
</RequestExample>

## Example Response

<ResponseExample>
  ```json Response theme={null}
  {
    "success": true
  }
  ```
</ResponseExample>

## Error Responses

<ResponseExample>
  ```json 401 Unauthorized (missing/invalid token) theme={null}
  {
    "success": false,
    "message": "Unauthorized"
  }
  ```

  ```json 401 Unauthorized (session revoked) theme={null}
  {
    "success": false,
    "message": "Session ended on this device because you signed in elsewhere.",
    "code": "SESSION_REVOKED"
  }
  ```

  ```json 403 Forbidden (note belongs to another doctor's appointment) theme={null}
  {
    "success": false,
    "error": "Forbidden"
  }
  ```

  ```json 400 Invalid id / server error theme={null}
  {
    "success": false,
    "error": "Cast to ObjectId failed for value \"xyz\" (type string) at path \"_id\" for model \"Notes\""
  }
  ```
</ResponseExample>

## Behavior Notes

* **Idempotent**: Deleting a notes document that does not exist (already gone) returns `200 { "success": true }`. There is no `404` for delete.
* **Ownership check**: If the note is found and its appointment is owned by a different doctor, the request returns `403 Forbidden` without deleting.
* **Hard delete**: Records are removed permanently. There is no soft delete and no cascade to associated appointments or other records.
* **400 responses**: Generic failures — such as a malformed ObjectId — are returned as `400` with the underlying error message in the `error` field.

## Status Codes

* **200** — Notes deleted, or already absent (idempotent).
* **400** — Invalid ID or server error.
* **401** — Missing, invalid, or revoked authentication token.
* **403** — Note belongs to an appointment owned by another doctor.
