> ## Documentation Index
> Fetch the complete documentation index at: https://docs.medisync.me/llms.txt
> Use this file to discover all available pages before exploring further.

# Update Notes

> Update the notes stored for an appointment

## Overview

Update the notes for a specific appointment. The endpoint locates the appointment by ID, then updates the notes document associated with it. All body fields are optional.

<Note>
  This operation is scoped to the owning doctor. The appointment identified by `{id}` must belong to the authenticated user. A request for an appointment you do not own returns `403 Forbidden`, an unknown appointment returns `404 Appointment not found`, and an appointment that has no notes yet returns `404 Notes not found`.
</Note>

## Authentication

<ParamField header="Authorization" type="string" required>
  Bearer token for authenticated access. The doctor (user) identity is taken from the JWT.

  ```
  Authorization: Bearer your_jwt_token_here
  ```
</ParamField>

A missing or invalid token returns `401` with a `message` field. See [Error Responses](#error-responses).

## Path Parameters

<ParamField path="id" type="string" required>
  Appointment ID (MongoDB ObjectId, 24 hex characters) whose notes to update. Must be owned by the authenticated doctor.
</ParamField>

## Body Parameters

<ParamField body="notes" type="string">
  Notes content to set. Omitting the field (or sending an empty string) keeps the existing value — an empty value does not clear the field. Markdown asterisks are stripped server-side before storage.
</ParamField>

<ParamField body="summary" type="string">
  Summary to set. Omitting the field (or sending an empty string) keeps the existing value.
</ParamField>

<ParamField body="appointment_id" type="string">
  Optional override for the stored `appointment_id`. Keeps the existing value when omitted.
</ParamField>

## Response

<ResponseField name="success" type="boolean">
  Indicates whether the operation succeeded.
</ResponseField>

<ResponseField name="data" type="object">
  The updated notes document.

  <Expandable title="data properties">
    <ResponseField name="_id" type="string">
      Unique identifier for the notes document (MongoDB ObjectId).
    </ResponseField>

    <ResponseField name="appointment_id" type="string">
      The appointment ID these notes belong to.
    </ResponseField>

    <ResponseField name="notes" type="string">
      The clinical notes content.
    </ResponseField>

    <ResponseField name="summary" type="string">
      Summary of the notes.
    </ResponseField>

    <ResponseField name="citations" type="array">
      Citation objects, or `null` when none are present.
    </ResponseField>

    <ResponseField name="createdAt" type="string">
      ISO 8601 timestamp when the notes were created.
    </ResponseField>

    <ResponseField name="updatedAt" type="string">
      ISO 8601 timestamp when the notes were last updated.
    </ResponseField>
  </Expandable>
</ResponseField>

<ResponseField name="error" type="string">
  Error message (only present when `success` is `false`).
</ResponseField>

<Note>
  The `data` object is the full saved notes document and may contain additional fields beyond those listed above. Treat any unlisted fields as opaque.
</Note>

## Example Request

<RequestExample>
  ```bash cURL theme={null}
  curl -X PUT \
    'https://app.medisync.me/api/notes/664e0b1f7c2a5e0011fa9911' \
    -H 'Authorization: Bearer your_jwt_token_here' \
    -H 'Content-Type: application/json' \
    -d '{
      "notes": "Updated notes: symptoms improved, EKG normal, continue treatment.",
      "summary": "Improved symptoms, normal EKG, continue treatment"
    }'
  ```

  ```javascript JavaScript theme={null}
  const response = await fetch(
    'https://app.medisync.me/api/notes/664e0b1f7c2a5e0011fa9911',
    {
      method: 'PUT',
      headers: {
        'Authorization': 'Bearer your_jwt_token_here',
        'Content-Type': 'application/json'
      },
      body: JSON.stringify({
        notes: 'Updated notes: symptoms improved, EKG normal, continue treatment.',
        summary: 'Improved symptoms, normal EKG, continue treatment'
      })
    }
  );

  const result = await response.json();
  ```

  ```python Python theme={null}
  import requests

  response = requests.put(
      'https://app.medisync.me/api/notes/664e0b1f7c2a5e0011fa9911',
      headers={
          'Authorization': 'Bearer your_jwt_token_here',
          'Content-Type': 'application/json'
      },
      json={
          'notes': 'Updated notes: symptoms improved, EKG normal, continue treatment.',
          'summary': 'Improved symptoms, normal EKG, continue treatment'
      }
  )

  result = response.json()
  ```
</RequestExample>

## Example Response

<ResponseExample>
  ```json Response theme={null}
  {
    "success": true,
    "data": {
      "_id": "665f1c2a9b1e8a0012ab34cd",
      "appointment_id": "664e0b1f7c2a5e0011fa9911",
      "notes": "Updated notes: symptoms improved, EKG normal, continue treatment.",
      "summary": "Improved symptoms, normal EKG, continue treatment",
      "citations": null,
      "createdAt": "2026-06-30T10:30:00.000Z",
      "updatedAt": "2026-06-30T14:20:00.000Z"
    }
  }
  ```
</ResponseExample>

## Error Responses

<ResponseExample>
  ```json 401 Unauthorized (missing/invalid token) theme={null}
  {
    "success": false,
    "message": "Unauthorized"
  }
  ```

  ```json 401 Unauthorized (session revoked) theme={null}
  {
    "success": false,
    "message": "Session ended on this device because you signed in elsewhere.",
    "code": "SESSION_REVOKED"
  }
  ```

  ```json 403 Forbidden (not appointment owner) theme={null}
  {
    "success": false,
    "error": "Forbidden"
  }
  ```

  ```json 404 Appointment not found theme={null}
  {
    "success": false,
    "error": "Appointment not found"
  }
  ```

  ```json 404 Notes not found theme={null}
  {
    "success": false,
    "error": "Notes not found"
  }
  ```
</ResponseExample>

## Behavior Notes

* **Two-step lookup**: The endpoint first finds the appointment, then the notes document associated with it.
* **Partial updates**: Only provided fields are updated. Omitting a field — or sending an empty string for `notes`/`summary` — preserves the existing value.
* **Asterisk stripping**: Markdown asterisks are removed from `notes` before storage.
* **Timestamps**: `updatedAt` is set automatically when the notes are saved.

## Status Codes

* **200** — Notes updated successfully.
* **400** — Save failure.
* **401** — Missing, invalid, or revoked authentication token.
* **403** — Authenticated user does not own the appointment.
* **404** — Appointment not found, or no notes exist for the appointment.
