Skip to main content
Olira uses two authentication mechanisms depending on the actor making the request.
ActorMethodNotes
Organization adminAPI KeyScoped per organization, created in the Olira Console
Patient / client devicePatient TokenShort-lived JWT minted by your backend, scoped to one patient

API keys

API keys are created in the Olira Console and scoped to your organization. Each key can be assigned specific scopes to limit access to only the endpoints your integration requires. Send your API key as a Bearer token in the Authorization header on every request:
Authorization: Bearer YOUR_OLIRA_API_KEY
API keys are shown only once at creation. Store them in an environment variable or secrets manager, never in source control.

Scopes

Each API key carries one or more scopes that limit what it can do. Assign only the scopes your integration needs.
ScopeDescription
sdk:event-logLog health events via log(), log_batch(), and log_fhir()
api:manage-patientsCreate, read, update, and deactivate patients; manage cohorts
api:org-configRead and update organization platform configuration
sdk:patient-tokenMint patient-scoped JWTs via get_patient_token()
sdk:state-readRead patient state (stable data, event modules, summaries, event logs, events, memories)
sdk:historical-ingestCreate and manage bulk historical data ingestion jobs (SDK, CLI, or REST)
mcp:patient-stateQuery patient state via the MCP Patient State server

Patient tokens

A Patient Token is a short-lived JWT (15 minutes) scoped to a single patient. Use it when a patient device or client-side app needs to call Olira directly (for example, when connecting to the MCP Patient State server from a mobile app). Patients are never issued API keys. Instead, your backend mints a token on their behalf and forwards it. The token is locked to the patient server-side (the recipient cannot access any other patient’s data).
# Your backend (requires sdk:patient-token scope on your API key):
client = OliraClient(api_key="YOUR_API_KEY")
token = client.get_patient_token(patient_id="8a4fde23-...")

# Forward token.access_token to the patient device
# The device authenticates as:
# Authorization: Bearer <token.access_token>
Patient Tokens expire after 15 minutes. Your backend should mint a fresh token on each session (do not cache them long-term).