Scopes

API keys are issued with specific scopes that control which endpoints your app can access. Each endpoint requires a specific scope.

Available Scopes

Scope	Description	Endpoints
`read:marketplace`	Access app and organization info	`GET /marketplace/me`
`read:patients`	Read patient records	`GET /patients`, `GET /patients/:id`
`read:appointments`	Read appointment data	`GET /appointments`, `GET /appointments/:id`
`read:providers`	Read provider information	`GET /providers`, `GET /providers/:id`
`read:facilities`	Read facility details	`GET /facilities`, `GET /facilities/:id`
`read:bills`	Read billing data	`GET /bills`, `GET /bills/:id`
`read:claims`	Read claims data	`GET /claims`, `GET /claims/:id`
`read:inventory`	Read inventory changes and stock levels	`GET /inventory/changes`, `GET /inventory/changes/:id`, `GET /inventory/changes/:id/products`, `GET /inventory/stock-levels`
`read:products`	Read product catalog	`GET /inventory/products`, `GET /inventory/products/:id`

How Scopes Work

When a clinic installs your marketplace app, they grant specific scopes based on your app’s requirements. Your API key will only work for endpoints matching those granted scopes. If you call an endpoint without the required scope, you’ll receive a 403 Forbidden response:

{
  "code": "forbidden",
  "message": "Insufficient scope. Required: read:patients",
  "trace_id": "550e8400-e29b-41d4-a716-446655440000"
}

Checking Your Scopes

Use the /marketplace/me endpoint to see which scopes your API key has:

curl -X GET "https://api.maxcare.ai/external/v1/marketplace/me" \
  -H "Authorization: Bearer sk_live_abc123..." \
  -H "X-Organization-Id: org_abc123"

The response includes your app’s granted scopes in the data.app.scopes array.

​Scopes

​Available Scopes

​How Scopes Work

​Checking Your Scopes

Scopes

Available Scopes

How Scopes Work

Checking Your Scopes