SmileLineDocs

Authentication

Authenticate with an API key over Bearer auth, or ride the browser session. Roles decide what you can write.

The API accepts two credentials:

  • API keysAuthorization: Bearer <key>. Use these for integrations, scripts, and the playground on these pages.
  • Session cookies — set by the SmileLine app after sign-in. The app uses these; your integration should not.

API keys

API keys are managed through the auth endpoints under /auth/api-key/* while signed in. A key acts as the user who created it: same organizations, same role, same permissions.

curl https://api.smileline.io/patients?limit=10 \
  -H "Authorization: Bearer $SMILELINE_API_KEY"

Treat API keys like passwords. Don't commit them, and revoke keys you no longer use.

Who am I?

GET /auth/me returns the authenticated user, the active organization, and your member role — useful as a connectivity check and to confirm which organization your requests will hit.

{
	"user": { "id": "…", "email": "…", "name": "…" },
	"session": { "activeOrganizationId": "…" },
	"organization": { "id": "…", "name": "…" },
	"memberRole": "owner"
}

Roles and permissions

Every member of an organization has a role: owner, admin, or member. Reads are open to all members; writes are gated per resource — for example creating patients requires patient:create, archiving a pipeline requires pipeline:delete. A request without the needed permission returns 403 with the standard error envelope.

Endpoints not listed in the sidebar

The generated reference covers the CRM API. A few surfaces live outside it:

SurfaceWhat it does
/auth/*Sign-in/up/out, email verification, password reset, two-factor, API keys, and organization management (create, invite, switch active org) — powered by better-auth.
GET /user/me, /user/avatar, GET /user/sessionsThe authenticated user's profile, avatar upload/stream/remove, and active session list.
GET /organization/mine, /members, /active, /organization/logoYour organizations and role, the active org's members, and org logo management.
GET /today/wsWebSocket upgrade for live updates (used by the app; cookie-authenticated).

Public endpoints

Three surfaces require no authentication:

  • GET /health — liveness check.
  • POST /capture/{token} — public lead intake. The unguessable token in the URL identifies your practice; see Lead capture.
  • POST /webhooks/* — inbound provider webhooks, verified by signature. See Webhooks.

Everything else returns 401 without valid credentials.

On this page