> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nevatal.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate your API requests with Bearer tokens

# Authentication

All Nevatal API endpoints require authentication via API keys. Your API key identifies your clinic and determines the scope of data you can access.

## Getting your API key

1. Log into your Nevatal dashboard at [app.nevatal.com](https://app.nevatal.com)
2. Navigate to **Settings → API Keys**
3. Click **Create API Key**
4. Select the scopes (permissions) your integration needs
5. Copy and securely store the generated key

<Warning>
  API keys are shown only once at creation time. Store them securely. If you lose a key, revoke it and create a new one.
</Warning>

## Using your API key

Include the API key as a Bearer token in the `Authorization` header of every request:

```bash theme={null}
curl -X GET https://api.nevatal.com/api/v1/patients \
  -H "Authorization: Bearer nvtl_your_api_key_here" \
  -H "Content-Type: application/json"
```

## Scopes

API keys are scoped to specific modules. When creating a key, you select which modules it can access:

| Scope                 | Read | Write | Description                                    |
| --------------------- | ---- | ----- | ---------------------------------------------- |
| `patients`            | ✅    | ✅     | Patient records and demographics               |
| `appointments`        | ✅    | ✅     | Appointment scheduling and management          |
| `billing`             | ✅    | ✅     | Invoices, payments, and credit notes           |
| `emr`                 | ✅    | ✅     | Medical records, prescriptions, clinical notes |
| `clinical-procedures` | ✅    | ✅     | Procedure catalog and management               |
| `locations`           | ✅    | ❌     | Clinic location information                    |

## Key management

### Revoking a key

```bash theme={null}
curl -X DELETE https://api.nevatal.com/api/v1/api-keys/{keyId} \
  -H "Authorization: Bearer nvtl_admin_key"
```

### Listing active keys

```bash theme={null}
curl -X GET https://api.nevatal.com/api/v1/api-keys \
  -H "Authorization: Bearer nvtl_admin_key"
```

## Security best practices

<AccordionGroup>
  <Accordion title="Never expose keys in client-side code">
    API keys should only be used in server-to-server communication. Never include them in frontend JavaScript, mobile apps, or public repositories.
  </Accordion>

  <Accordion title="Use the minimum required scopes">
    Only grant the scopes your integration actually needs. A billing integration doesn't need EMR access.
  </Accordion>

  <Accordion title="Rotate keys regularly">
    Create new keys periodically and revoke old ones. This limits the impact of a compromised key.
  </Accordion>

  <Accordion title="Use environment variables">
    Store API keys in environment variables or a secrets manager, never hardcoded in source files.
  </Accordion>
</AccordionGroup>
