API authentication and request headers

CitaBox uses JWT bearer tokens for authentication. To access protected endpoints, you first obtain a token by posting credentials to /auth/login, then include that token and a clinic identifier in the headers of every subsequent request. This page explains the login flow, header requirements, token lifecycle, and the /auth/me endpoint for retrieving the current user’s profile. Exchange user credentials for a JWT access token and a list of clinic memberships.

Request body

string

required

The user’s email address.

password

string

required

The user’s password.

Response — LoginResponse

access_token

string

required

JWT bearer token. Include this value in the Authorization header of all authenticated requests.

memberships

ClinicMembershipInfo[]

required

List of clinics the user belongs to. Each entry contains the clinic ID you must pass as x-clinic-id.

Show ClinicMembershipInfo properties

clinic_id

string

UUID of the clinic. Use this as the x-clinic-id header value.

clinic_name

string

Human-readable clinic name.

clinic_slug

string

URL-safe slug for the clinic, used in public booking URLs.

role

string

The user’s role in this clinic. One of SUPER_ADMIN, ADMIN, DOCTOR, or STAFF.

specialty

string | null

Doctor specialty string, or null for non-doctor roles.

curl --request POST \
  --url http://localhost:3001/auth/login \
  --header "Content-Type: application/json" \
  --data '{
    "email": "doctor@clinica.cr",
    "password": "mysecret"
  }'

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "memberships": [
    {
      "clinic_id": "7f3a1b2c-4d5e-6f7a-8b9c-0d1e2f3a4b5c",
      "clinic_name": "Clínica San Rafael",
      "clinic_slug": "clinica-san-rafael",
      "role": "DOCTOR",
      "specialty": "Medicina General"
    }
  ]
}

Request headers for authenticated endpoints

After login, include both headers on every protected request.

Authorization

string

required

Bearer token obtained from POST /auth/login. Format: Bearer <access_token>.

x-clinic-id

string

required

UUID of the active clinic. Obtained from the memberships[].clinic_id field in the login response.

curl --request GET \
  --url http://localhost:3001/appointments \
  --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  --header "x-clinic-id: 7f3a1b2c-4d5e-6f7a-8b9c-0d1e2f3a4b5c"

GET /auth/me

Returns the authenticated user’s profile and current memberships. Useful for validating a stored token and refreshing membership data.

Response — MeResponse

string

required

UUID of the authenticated user.

first_name

string

required

User’s first name.

last_name

string

required

User’s last name.

string

required

User’s email address.

active_membership

ClinicMembershipInfo | null

required

The membership corresponding to the x-clinic-id header sent with the request, or null if no clinic context was provided.

Show ClinicMembershipInfo properties

clinic_id

string

UUID of the clinic.

clinic_name

string

Human-readable clinic name.

clinic_slug

string

URL-safe clinic slug.

role

string

Role in this clinic: SUPER_ADMIN, ADMIN, DOCTOR, or STAFF.

specialty

string | null

Doctor specialty, or null.

memberships

ClinicMembershipInfo[]

required

All clinics the user belongs to.

curl --request GET \
  --url http://localhost:3001/auth/me \
  --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  --header "x-clinic-id: 7f3a1b2c-4d5e-6f7a-8b9c-0d1e2f3a4b5c"

{
  "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "first_name": "Ana",
  "last_name": "Rodríguez",
  "email": "doctor@clinica.cr",
  "active_membership": {
    "clinic_id": "7f3a1b2c-4d5e-6f7a-8b9c-0d1e2f3a4b5c",
    "clinic_name": "Clínica San Rafael",
    "clinic_slug": "clinica-san-rafael",
    "role": "DOCTOR",
    "specialty": "Medicina General"
  },
  "memberships": [
    {
      "clinic_id": "7f3a1b2c-4d5e-6f7a-8b9c-0d1e2f3a4b5c",
      "clinic_name": "Clínica San Rafael",
      "clinic_slug": "clinica-san-rafael",
      "role": "DOCTOR",
      "specialty": "Medicina General"
    }
  ]
}

Token lifecycle and 401 handling

Tokens do not have a built-in expiry communicated by the login response. If a token becomes invalid or expires, any API request returns HTTP 401 Unauthorized. The CitaBox client automatically clears the stored access_token and clinic_id from local storage on a 401, forcing the user to log in again.

When you receive a 401 response, discard the stored token immediately and redirect the user to the login flow. Do not retry the original request with the same token.

Public endpoints

The following paths do not require Authorization or x-clinic-id headers. They are intended for unauthenticated patient-facing use.

GET /public/clinics/:slug
GET /booking/services
GET /booking/doctors
GET /booking/available-slots
POST /booking/appointments

See the public booking page for details on these endpoints.

Overview

Endpoints

API authentication and request headers

Request body

Response — LoginResponse

Request headers for authenticated endpoints

GET /auth/me

Response — MeResponse

Token lifecycle and 401 handling

Public endpoints

Build docs developers (and LLMs) love

Overview

Endpoints

Documentation Index

​POST /auth/login

​Request body

​Response — LoginResponse

​Request headers for authenticated endpoints

​GET /auth/me

​Response — MeResponse

​Token lifecycle and 401 handling

​Public endpoints

Build docs developers (and LLMs) love

POST /auth/login

Request body

Response — LoginResponse

Request headers for authenticated endpoints

GET /auth/me

Response — MeResponse

Token lifecycle and 401 handling

Public endpoints