Authentication 🔐

This API support authentication for two different kinds of use cases:

  • Server-to-server - backend systems, admin portals, etc.

  • End User - a patient or clinician most likely on mobile or the web.

Jump down to example authentication patterns

Server-to-server authenticates server-to-server (S2S) API requests using your account's API keys. A request without an API key, or with an expired, or revoked key, will cause the API to return an error.

Every account has separate keys for testing on our sandbox, or for running live in production. The sandbox API is identical to the production API.

The sandbox API is not HIPPA compliant and should NOT be used for PHI.

API Keys

Your API Keys are available on the Dashboard. The API Keys start with a prefix to clearly distinguish their usage.

For accessing the API in the sandbox environment use keys with this format:

  • secret_test_XXXXXXXXXXXXXXX

When you are ready for production or live mode, use keys with this format:

  • secret_live_XXXXXXXXXXXXXXX

Read more about sandbox vs live mode on the API Endpoints page

API Keys are like passwords, keep them safe and NEVER use them in a client-side application.

End User

End users on all platforms (web, mobile, etc) authenticate with the APIs using a sessionToken. This token is a short-lived JSON Web Token (JWT).

Requesting a token is done via the Access Token endpoint.

curl --request GET '' \
--header 'Authorization: Bearer secret_test_XXXXXXXXXXXXXXX'

By default end users lose access to uploaded cards and all associated data when their session token expires. To prevent this pass in a user_id as a query parameter to the /access-token endpoint. The user_id parameter must be unique across your user base, we recommend using an email address or internal uuid identifier.

WARNING: using a non-unique user_id will result in PHI exposure

curl --request GET '' \
--header 'Authorization: Bearer secret_test_XXXXXXXXXXXXXXX'

Server-to-server requests continue to have access to uploaded cards and associated data, even after the end user's session has expired.

Authentication Pattern

The recommended pattern for authenticating end users is to create a authentication endpoint on the customer's backend servers. In the diagram below the endpoint is called /cardscan-session and is responsible for authenticating the end user before requesting a session token from the API.

Below are two overly simplified examples of this workflow for Flask and Express:

import requests
from flask_login import login_required, current_user

def session():
    Generates a token for the logged-in user and returns it.
    url = ""
    params = {
    headers = {
        'Authorization': 'Bearer secret_test_XXXXXXXXXXXXXXX'
    response = requests.request("GET", url, params=params, headers=headers)
    payload = response.json()

    return jsonify(payload)

Once a session has been generated, it can be used to initialize the SDK and UI Components, or used to call the API directly. This allows the end user's browser or mobile device to safely and securely connect with the servers.

private func didTapScanCard(_ sender: UIButton) {


    var request = URLRequest(url: URL(string: "https://{{YOUR_SERVER_BASE_URL}}/cardscan-session")!)
    request.httpMethod = "GET"
    request.setValue("application/json", forHTTPHeaderField: "Accept")
    URLSession.shared.dataTask(with: request) { [weak self] data, response, error in
           ///Extract session from server response
            guard error == nil,
              let data = data,
              let json = try? JSONDecoder().decode([String: String].self, from: data),
            let session = json["session"] else {

            //handle errors calling server. :-(
            print("Error calling server: ", error as Any)
        ///Trigger presentation of CardScannerView with user's session token.
        DispatchQueue.main.async { [weak self] in
            self?.presentCardScanner(userToken: session)

private func presentCardScanner(userToken: String) {
    ///Create CardScannerView with user session token
    let cardScannerViewController = CardScannerViewController(userToken: userToken, live: true)
    cardScannerViewController.present(from: self, animated:true) { result in 

Last updated