Authentication
API keys, the X-API-Key header, key rotation, and organization scoping.
Every request to the Vendor API is authenticated with an API key sent in the X-API-Key header.
curl -s "https://api.vitalview.ai/v1/studies" \
-H "X-API-Key: vv_live_9f2c4e6a8b0d1f3a5c7e9b2d4f6a8c0e2b4d6f8a1c3e5b7d"
Keys
- Keys look like
vv_live_followed by 48 hex characters. - A key is shown exactly once, when it is issued. We store only a hash. If you lose a key, request a new one.
- Keys are scoped to your organization: you can only ever see and access studies your own keys created. There is no way to reach another organization's data with a valid key.
Getting a key
Keys are issued by the VitalView AI team during onboarding. Contact we@vitalview.ai to set up your organization and receive credentials. Multiple active keys per organization are supported, so you can roll keys without downtime:
- Request a second key.
- Deploy it to your integration.
- Ask us to revoke the old key (or revoke it via your account contact).
Security requirements
- Server-side only. Call the API from your backend. The API intentionally has no browser CORS support, so keys are never exposed to front-end code.
- Do not log keys. Treat them like passwords. The
key_prefix(first characters, for examplevv_live_9f2c4e6a) is safe to log for identification. - Presigned upload URLs need no key. The upload URLs returned by
POST /studiesare self-authorizing and expire after one hour. Do not persist them.
Failed authentication
| HTTP | Code | Meaning |
|---|---|---|
| 401 | invalid_api_key | Header missing or key unknown |
| 403 | key_revoked | The key was revoked, request a new one |
Next: Upload DICOM