Authentication
Secure your API requests with industry-standard authentication methods. Pharmako supports API keys, OAuth 2.0, and JWT tokens.
Overview
All API requests to Pharmako require authentication. We support multiple authentication methods to fit your integration needs:
- API keys: simple authentication for server-to-server integrations
- OAuth 2.0: user-authorized access for third-party applications
- JWT tokens: short-lived tokens for enhanced security
API Keys
API keys are the simplest way to authenticate requests. Include your API key in the Authorization header:
```shell
curl -X GET "https://api.pharmako.dev/v1/patients" \
  -H "Authorization: Bearer pk_live_xxxxxxxxxxxxx" \
  -H "Content-Type: application/json"
```
Keep your API keys secure
Never expose API keys in client-side code or public repositories. Use environment variables to store keys securely.
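The following Python client is an added example and not code from Pharmako's documentation or SDK. It shows the practice described above: the key is loaded from an environment variable (the name `PHARMAKO_API_KEY` is an assumption), the process refuses to start without it, and a redaction helper keeps the full key out of log lines. Only the `/v1/patients` path and header layout come from the page.

```python
import os
import urllib.request

# Added example, not Pharmako's own client. The environment variable name is an assumption.
API_BASE = "https://api.pharmako.dev/v1"
KEY_ENV_VAR = "PHARMAKO_API_KEY"


def load_api_key(env=os.environ):
    """Fetch the API key from the environment; fail closed if it is absent."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set; refusing to run without credentials")
    return key


def redact(key):
    """Keep only a short prefix so a log line never carries a usable credential."""
    return key[:8] + "..." if len(key) > 8 else "***"


def auth_headers(key):
    """Headers exactly as the docs show: bearer key plus JSON content type."""
    return {
        "Authorization": f"Bearer {key}",
        "Content-Type": "application/json",
    }


def build_request(path, key):
    """Assemble a GET request for an API path; nothing is sent until urlopen()."""
    return urllib.request.Request(
        f"{API_BASE}{path}", headers=auth_headers(key), method="GET"
    )


if __name__ == "__main__":
    api_key = load_api_key()
    req = build_request("/patients", api_key)
    # Log the redacted form only; the real key lives solely in the request header.
    print("requesting", req.full_url, "with key", redact(api_key))
    with urllib.request.urlopen(req) as resp:
        print(resp.status, resp.read()[:200])
```

Run it with `PHARMAKO_API_KEY=... python client.py`; the `__main__` block performs a live request, while the helper functions can be exercised without network access.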
OAuth 2.0
For applications that need to access data on behalf of users, implement OAuth 2.0 authorization:
1. Redirect to Authorization URL: `https://auth.pharmako.dev/oauth/authorize`
2. User Grants Permission: the user reviews the requested scopes and approves access
3. Exchange Code for Token: `POST https://auth.pharmako.dev/oauth/token`
4. Access API with Token: use the access token in the Authorization header
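The four steps above, carried through as an added Python example that is not part of Pharmako's documentation. The two endpoint URLs are taken from the page; the query and form parameters (`response_type`, `client_id`, `redirect_uri`, `scope`, `state`, `grant_type`) are the standard OAuth 2.0 authorization-code parameters and are an assumption here, as are the placeholder client id and redirect URI. The example also adds the `state` check that protects the callback against CSRF and keeps the code exchange on the server so the client secret never reaches the browser.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints from the docs; everything below them is an assumed example value.
AUTHORIZE_URL = "https://auth.pharmako.dev/oauth/authorize"
TOKEN_URL = "https://auth.pharmako.dev/oauth/token"
CLIENT_ID = "example-client-id"                     # assumption: from your app registration
REDIRECT_URI = "https://example.invalid/oauth/callback"  # assumption: your registered callback


def build_authorize_url(scopes, state=None):
    """Step 1: build the redirect to the authorization endpoint.
    Standard OAuth 2.0 parameters (assumed); `state` is a random nonce the
    server remembers in the user's session and checks on the way back."""
    state = state or secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Step 2: after the user grants permission the browser lands on redirect_uri
    with ?code=...&state=... Reject anything whose state is not the one we issued."""
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [""])[0]
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in query:
        raise ValueError(f"authorization denied: {query['error'][0]}")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def token_request(code, client_secret):
    """Step 3: endpoint and form body for the server-side POST that swaps the
    one-time code for tokens (grant_type=authorization_code is assumed)."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
    }
    return TOKEN_URL, urlencode(body).encode()


def api_headers(access_token):
    """Step 4: present the access token as a bearer credential on API calls."""
    return {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    url, state = build_authorize_url(["patients:read", "labs:write"])
    print("redirect user to:", url)
    # Constructed callback, as the browser would deliver it after consent.
    callback = f"{REDIRECT_URI}?code=constructed-code&state={state}"
    code = parse_callback(callback, state)
    endpoint, body = token_request(code, "constructed-client-secret")
    print("POST", endpoint, body.decode())
```

`parse_callback` runs on the server that set the `state` cookie or session value; a mismatch or a missing code aborts the flow before any token request is made.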
JWT Tokens
JWT tokens provide short-lived access with automatic expiration. Token structure:

```json
{
  "sub": "user_123456",
  "org": "org_789012",
  "scope": ["patients:read", "labs:write"],
  "iat": 1699000000,
  "exp": 1699003600
}
```

Tokens expire after 1 hour. Use the refresh token to obtain new access tokens.
Scopes & Permissions
Control access with granular scopes:
| Scope | Description |
|---|---|
| patients:read | Read patient records |
| patients:write | Create/update patients |
| labs:read | Read lab results |
| labs:write | Submit lab orders |
| webhooks:manage | Configure webhooks |
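The following Python verifier is an added example, not Pharmako's own code, and it serves both the JWT section and the scope table above. The page documents only the claim set, so the signing algorithm (HS256 with a shared secret), the clock-skew tolerance and the sample key are assumptions made for the example. It pins the algorithm instead of trusting the token's header, checks the signature before reading any claim, enforces `exp`/`iat` (an expired token, the failure mode the page calls out, is rejected), and then requires every scope the endpoint needs.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions for this example: HS256 signing with a shared secret, 60 s skew tolerance.
TOKEN_LIFETIME = 3600  # the page states tokens expire after 1 hour
CLOCK_SKEW = 60        # tolerated drift between issuer and verifier clocks


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Issuer side: produce an HS256 JWT over the claims (algorithm assumed)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes, required_scopes, now=None) -> dict:
    """Verify signature, pin the algorithm, enforce exp/iat, require every scope."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The verifier decides the algorithm; a token must never choose its own.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims["exp"] < now - CLOCK_SKEW:
        raise ValueError("token expired")
    if claims["iat"] > now + CLOCK_SKEW:
        raise ValueError("token issued in the future")
    # Scopes are the array shown on the page; every required one must be present.
    missing = set(required_scopes) - set(claims.get("scope", []))
    if missing:
        raise PermissionError(f"missing scopes: {sorted(missing)}")
    return claims


def authorize(token: str, key: bytes, required_scopes, now=None) -> str:
    """Return 'ok' or the rejection reason, convenient for logging and metrics."""
    try:
        verify_token(token, key, required_scopes, now)
        return "ok"
    except (ValueError, PermissionError) as exc:
        return str(exc)


# Constructed sample secret and claims matching the layout on this page.
SAMPLE_KEY = b"constructed-demo-secret-not-a-real-key"
SAMPLE_CLAIMS = {
    "sub": "user_123456",
    "org": "org_789012",
    "scope": ["patients:read", "labs:write"],
    "iat": 1699000000,
    "exp": 1699003600,
}

if __name__ == "__main__":
    tok = sign_token(SAMPLE_CLAIMS, SAMPLE_KEY)
    print("read patients at iat+100s:", authorize(tok, SAMPLE_KEY, ["patients:read"], now=1699000100))
    print("write patients at iat+100s:", authorize(tok, SAMPLE_KEY, ["patients:write"], now=1699000100))
    print("read patients after expiry:", authorize(tok, SAMPLE_KEY, ["patients:read"], now=1699003700))
```

`labs:write` in the sample token does not imply `patients:write`; each endpoint lists the exact scopes it needs and the check above fails closed on any that are absent.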