Overview
The MediSync API uses JWT (JSON Web Token) authentication to secure all protected endpoints. The same token authenticates the Dashboard (REST) API and the Speech (WebSocket) API. This guide covers registration, login, and how to use and manage tokens.Authentication flow
There is no refresh-token endpoint. When a token expires, call
POST /api/login again to obtain a new one.Registration
Register a new healthcare-professional account:201 Created):
Fields
Fields
- firstName (required)
- lastName (required)
- email (required, must be unique)
- password (required, minimum 6 characters)
- specialty (required)
- ehr_system_type (required) — EHR system category
- ehr_system_name (required) — specific EHR system name
- title (optional) — medical title (Dr., Prof.)
Password requirements
Password requirements
Minimum 6 characters. No additional complexity rules are enforced, but a strong, unique password is strongly recommended.
Login
Authenticate with your credentials to obtain a JWT token:200 OK):
Login parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
email | string | Yes | Registered email address |
password | string | Yes | Account password (min 6 characters) |
remember | boolean | No | Issue a 7-day token instead of 24 hours (default false) |
twoFactorCode | string | No | TOTP or backup code, for accounts with 2FA enabled |
Two-factor authentication
If an account has 2FA enabled andtwoFactorCode is omitted, login returns 202 Accepted with a challenge — resubmit with the twoFactorCode included.
Login errors
Platform messages are returned in German, and authentication failures use afailed label alongside error.
Using JWT tokens
Include your token in theAuthorization header for all protected endpoints:
Example request
Token structure
MediSync tokens are HS256-signed JWTs that carry your user identity and standardiat/exp claims:
Treat the token as opaque. It may include additional internal claims; do not depend on its internal structure. The server extracts your user id from the token, so no separate
uid parameter is ever required.Authorization
User identification
User identification is handled entirely through the JWT. The server extracts the user id from the token to authenticate the request and scope data access — you never pass a user id explicitly.Data access control
- Doctors can access only their own resources (their appointments, recordings, transcriptions, notes, and documents). Accessing another user’s resource returns
403 Forbidden. - Admin roles have elevated, system-level access (special permissions).
Subscription requirements
Some actions require an active subscription or trial — notably creating appointments and AI note generation. If your trial or subscription has lapsed,POST /api/appointments/add returns 403 with a German message. Check your subscription status in the dashboard.
Error handling
Error responses are JSON, but the shape depends on the layer that produced them:- Auth middleware (missing/invalid/revoked token) uses a
messagefield. - Route handlers (validation, not-found, ownership) use an
errorfield.
The API does not return the invented, English error
code values shown in some older examples (e.g. AUTH_REQUIRED). Branch on the HTTP status code and the presence of message / error / code fields shown above.Token management
Expiration
| Token | Lifetime |
|---|---|
| Standard | 24 hours |
remember: true | 7 days |
Handling expired tokens
When you receive a401:
- Re-authenticate with
POST /api/loginto obtain a new token. - Retry the original request with the new token.
401 with code: "SESSION_REVOKED".
Security best practices
Token storage
- Store tokens securely (encrypted where possible)
- Never expose tokens in URLs or logs
- Clear tokens on logout
Network security
- Always use HTTPS / WSS
- Validate TLS certificates
- Monitor for unusual access patterns
Rate limiting
Login is rate limited to protect against brute-force attempts:| Endpoint | Limit | Window | Key |
|---|---|---|---|
POST /api/login | 10 attempts | 15 minutes | Email address |
RateLimit-* headers (and Retry-After on 429) are returned.
Next steps
API Reference
Explore the Dashboard API endpoints.
Login endpoint
Full reference for the login endpoint.