API Authentication
2026-02-01 · 4 min
Overview
The Bio Ecko API uses OAuth 2.0 Bearer tokens for authentication. All API requests must include a valid access token in the Authorization header. Tokens are scoped to specific permissions matching the API user's role.
Obtaining Credentials
To use the API, you need client credentials:
- Navigate to Admin > Settings > API Access.
- Click Create API Client.
- Enter a client name and description (e.g., 'Lab Interface', 'Mobile App').
- Select the API scopes (permissions) this client needs.
- The system generates a Client ID and Client Secret.
- Store the Client Secret securely -- it's shown only once.
Each API client has its own credentials and audit trail.
Token Exchange
Exchange credentials for an access token:
```
POST /api/v1/auth/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET
```
Response:
```json
{
  "access_token": "eyJhbGciOiJSUz...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "patients:read appointments:write"
}
```
Tokens expire after 1 hour (configurable). Request a new token when expired.
Using the Token
Include the token in every API request:
```
GET /api/v1/patients
Authorization: Bearer eyJhbGciOiJSUz...
Content-Type: application/json
```
If the token is expired or invalid, the API returns 401 Unauthorized.
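A client-side helper for the exchange-then-call flow above, written here as an added example rather than code from the Bio Ecko project: it takes the Client Secret as a parameter (load it from an environment variable in practice), refuses non-HTTPS base URLs, caches the token until shortly before `expires_in` runs out, and on a 401 discards the cached token and re-exchanges exactly once. The `transport` callable with signature `(method, url, headers, body) -> (status, body_bytes)` is this example's own abstraction (wrap `urllib` or `requests` for real use), and `FakeServer` is a constructed stand-in for the token and patients endpoints so the block runs offline.

```python
import json
import time
import urllib.parse


class BioEckoClient:
    """Client-credentials helper for the Bio Ecko API (added example, not the vendor's SDK)."""
    def __init__(self, base_url, client_id, client_secret, transport, clock=time.time):
        if not base_url.startswith("https://"):
            raise ValueError("API calls must use HTTPS")  # the Client Secret must never travel in clear
        self.base_url, self.client_id, self.client_secret = base_url.rstrip("/"), client_id, client_secret
        self.transport, self.clock, self._token, self._expires_at = transport, clock, None, 0.0

    def get_token(self):
        # Reuse the cached token until 60 s before expiry, then exchange credentials again.
        if self._token and self.clock() < self._expires_at - 60:
            return self._token
        form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": self.client_id,
                                       "client_secret": self.client_secret}).encode()
        status, raw = self.transport("POST", self.base_url + "/api/v1/auth/token",
                                     {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise RuntimeError(f"token exchange failed with HTTP {status}")
        data = json.loads(raw)
        self._token, self._expires_at = data["access_token"], self.clock() + data.get("expires_in", 3600)
        return self._token

    def request(self, method, path, body=None):
        # Send with a Bearer token; on 401 discard the cached token and retry exactly once.
        for attempt in range(2):
            headers = {"Authorization": "Bearer " + self.get_token(), "Content-Type": "application/json"}
            status, raw = self.transport(method, self.base_url + path, headers, body)
            if status != 401 or attempt == 1:
                return status, raw
            self._token = None


class FakeServer:
    """Constructed stand-in for the token and patients endpoints so the example runs offline."""
    def __init__(self, secret="s3cret"):
        self.secret, self.valid, self.exchanges = secret, set(), 0
    def __call__(self, method, url, headers, body):
        if url.endswith("/api/v1/auth/token"):
            if urllib.parse.parse_qs(body.decode()).get("client_secret") != [self.secret]:
                return 401, b'{"error": "invalid_client"}'
            self.exchanges += 1
            self.valid.add(f"tok{self.exchanges}")
            return 200, json.dumps({"access_token": f"tok{self.exchanges}", "token_type": "Bearer", "expires_in": 3600}).encode()
        if headers.get("Authorization", "")[len("Bearer "):] not in self.valid:  # expired, revoked or absent
            return 401, b'{"error": "invalid_token"}'
        return 200, b'[{"id": 1, "name": "Example Patient"}]'
```

Calling `server.valid.clear()` between requests simulates a server-side revocation and shows the single re-exchange; advancing the injected clock past 3600 s shows the proactive refresh.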
Scopes
API scopes control what the client can access:
- patients:read / patients:write -- Patient demographics.
- appointments:read / appointments:write -- Appointment scheduling.
- billing:read / billing:write -- Invoice and payment data.
- lab:read / lab:write -- Lab orders and results.
- pharmacy:read / pharmacy:write -- Dispensing and stock.
- emr:read -- Clinical records (read-only for integration partners).
Assign the minimum scopes needed for the integration's purpose.
Security Best Practices
- Store Client Secrets in environment variables, never in code.
- Use HTTPS for all API calls.
- Rotate Client Secrets periodically.
- Monitor API usage in the audit log.
- Revoke credentials immediately if compromised.
- Use IP whitelisting for production API clients.
- Set rate limits per client to prevent abuse.
Notes
Warning: Never expose your Client Secret in client-side code (browser or mobile app). Use a server-side proxy for API calls from client applications.
Tip: Create separate API clients for each integration (lab, mobile app, BI tool). This allows independent credential management and granular audit trails.