
Clinica uses a role-based access model to control what each type of user can see and do. Every account has a role field stored in the users table. That role is embedded in the JWT issued at login, and the API enforces permissions on every protected route before a request reaches its handler.

The three roles

| Role | Value in DB | Who creates the account | Purpose |
| --- | --- | --- | --- |
| Admin | `admin` | Seeded automatically on startup | Manages doctors and clinic configuration |
| Doctor | `doctor` | Created by an admin via `POST /api/doctors` | Manages availability and views appointments |
| Patient | `user` | Self-registers via `POST /api/auth/register` | Books, views, and cancels appointments |
The patient role is stored as `user` in the database, not `patient`. This is the default value assigned to all self-registered accounts.

How role enforcement works

Every protected route runs two middlewares in sequence:
  1. authMiddleware — verifies the JWT and attaches the decoded user (including their role) to req.user.
  2. authorizeRoles(...roles) — checks that req.user.role is in the list of allowed roles.
If the token is missing or invalid, the API returns 401 Unauthorized. If the token is valid but the role is insufficient, the API returns 403 Forbidden.
```javascript
// Example: admin-only route
router.get('/', authMiddleware, authorizeRoles('admin'), getDoctors);

// Example: doctor-only route
router.get('/me', authMiddleware, authorizeRoles('doctor'), getMyDoctorProfile);
```

Endpoint access by role

Admin

  • GET /api/doctors — list all doctors
  • POST /api/doctors — create a doctor profile

Doctor

  • GET /api/doctors/me — own profile
  • POST /api/availability — set availability
  • GET /api/availability/me — own schedule
  • DELETE /api/availability/:id — remove a slot
  • GET /api/bookings/doctor — view appointments

Patient (`user`)

  • GET /api/doctors/public — browse doctors (no auth)
  • GET /api/bookings/available-slots — check open slots
  • POST /api/bookings — book an appointment
  • GET /api/bookings/me — view own bookings
  • DELETE /api/bookings/:id — cancel a booking

Next steps

  • Admin role — seeding, credentials, and managing doctors
  • Doctor role — availability management and appointment access
  • Patient role — registration, booking, and cancellation workflow
