Authentication
Authenticate with an API key over Bearer auth, or ride the browser session. Roles decide what you can write.
The API accepts two credentials:
- API keys —
Authorization: Bearer <key>. Use these for integrations, scripts, and the playground on these pages. - Session cookies — set by the SmileLine app after sign-in. The app uses these; your integration should not.
API keys
API keys are managed through the auth endpoints under /auth/api-key/* while signed in. A key acts as the user who created it: same organizations, same role, same permissions.
curl https://api.smileline.io/patients?limit=10 \
-H "Authorization: Bearer $SMILELINE_API_KEY"Treat API keys like passwords. Don't commit them, and revoke keys you no longer use.
Who am I?
GET /auth/me returns the authenticated user, the active organization, and your member role — useful as a connectivity check and to confirm which organization your requests will hit.
{
"user": { "id": "…", "email": "…", "name": "…" },
"session": { "activeOrganizationId": "…" },
"organization": { "id": "…", "name": "…" },
"memberRole": "owner"
}Roles and permissions
Every member of an organization has a role: owner, admin, or member. Reads are open to all members; writes are gated per resource — for example creating patients requires patient:create, archiving a pipeline requires pipeline:delete. A request without the needed permission returns 403 with the standard error envelope.
Endpoints not listed in the sidebar
The generated reference covers the CRM API. A few surfaces live outside it:
| Surface | What it does |
|---|---|
/auth/* | Sign-in/up/out, email verification, password reset, two-factor, API keys, and organization management (create, invite, switch active org) — powered by better-auth. |
GET /user/me, /user/avatar, GET /user/sessions | The authenticated user's profile, avatar upload/stream/remove, and active session list. |
GET /organization/mine, /members, /active, /organization/logo | Your organizations and role, the active org's members, and org logo management. |
GET /today/ws | WebSocket upgrade for live updates (used by the app; cookie-authenticated). |
Public endpoints
Three surfaces require no authentication:
GET /health— liveness check.POST /capture/{token}— public lead intake. The unguessable token in the URL identifies your practice; see Lead capture.POST /webhooks/*— inbound provider webhooks, verified by signature. See Webhooks.
Everything else returns 401 without valid credentials.