
Permissions

Every RxScale API key carries a set of permissions that control which endpoints the key can access. This page provides a complete reference of all available permissions, grouped by API.

How Permissions Work

When you create an API key, you assign it one or more permissions. Each API endpoint requires a specific permission — if the key lacks that permission, the request returns 403 Permission Denied.
```bash
# A key with only `orders_read` can list orders...
curl -X GET "https://api.rxscale.com/v1/external-pharmacy-api-v1/pharmacy_orders/" \
  -H "X-API-Key: your-api-key-here"

# ...but cannot update order status (requires `orders_write`)
curl -X PATCH "https://api.rxscale.com/v1/external-pharmacy-api-v1/pharmacy_orders/{uid}/status" \
  -H "X-API-Key: your-api-key-here" \
  -H "Content-Type: application/json" \
  -d '{"status": "in-progress"}'
# Returns 403: Permission denied
```

Permissions are set during API key creation. Contact your RxScale account manager to add or change permissions on an existing key.

External Pharmacy API

The External Pharmacy API uses pharmacy-specific API keys. Permissions are simple string identifiers checked at runtime.
| Permission | Type | Endpoints |
|---|---|---|
| orders_read | Read | GET /pharmacy_orders/ — List pharmacy orders |
| | | GET /pharmacy_orders/{uid} — Get order details |
| orders_write | Write | PATCH /pharmacy_orders/{uid}/status — Update order status |
| stock_read | Read | GET /pharmacy_skus/ — List pharmacy SKUs |
| stock_write | Write | PATCH /pharmacy_skus/{uid}/stock — Update stock level |
| pharmacy_sku_write | Write | PATCH /pharmacy_skus/{uid} — Update SKU (price, stock, external_id) |
| | | PATCH /pharmacy_skus/{uid}/stock — Update stock level |
| | | PATCH /pharmacy_skus/{uid}/external_id — Update external ID |
| webhooks_read | Read | GET /webhooks/ — List webhook subscriptions |
| webhooks_write | Write | POST /webhooks/ — Register a webhook |
| | | DELETE /webhooks/{uid} — Remove a webhook |

The PATCH /pharmacy_skus/{uid}/stock endpoint accepts either stock_write or pharmacy_sku_write. If your key has either permission, the request succeeds. All other SKU write endpoints require pharmacy_sku_write specifically.

Management API

The Management API uses organisation-scoped API keys. Permissions follow a resource:action naming convention and are enforced via the @require_api_key_permission decorator.
| Permission | Type | Endpoints |
|---|---|---|
| order:read | Read | GET /orders/{uid} — Get order details |
| prescription:read | Read | GET /prescriptions/{uid} — Get prescription details |
| | | Unlocks prescription data within order responses (when combined with order:read) |
| product:read | Read | GET /products/ — List products with connected SKU and shop data |
| doctor:read | Read | GET /doctors/ — List doctors |
| doctor_statistics:read | Read | GET /doctors/{uid}/statistics — Get prescription statistics for a doctor |
| patient:read | Read | GET /patients/?email={email} — Look up a patient by email |
| | | GET /patients/{uid} — Get patient details |
| | | GET /patients/{uid}/intent/{intent} — Get intent return code |
| waiting_room:read | Read | GET /waiting-room/{uid}/status — Get queue entry status |
| waiting_room:write | Write | POST /waiting-room/register — Register a patient in the waiting room |
| | | DELETE /waiting-room/{uid} — Cancel a queue registration |
| wallet_pass_template:read | Read | GET /wallet-passes/templates — List wallet pass templates |
| wallet_pass:read | Read | GET /wallet-passes/ — List wallet passes |
| wallet_pass_push_notification:write | Write | POST /wallet-passes/push-notifications — Send push notifications |

When an API key has order:read but not prescription:read, order responses will have their prescription data stripped. Add prescription:read to include full prescription details within order data.
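As an added illustration (not RxScale's own code), the following Python models the checks described in the External Pharmacy API and Management API sections: the 403 on a missing permission, the either-or rule for PATCH /pharmacy_skus/{uid}/stock, and the stripping of prescription data from order responses without prescription:read. Only the decorator name comes from the page; the view functions, the (status, body) return shape and the sample order are assumptions.

```python
# Added example, not RxScale's own code: a minimal model of the permission
# checks this page describes. The decorator name mirrors the page's
# @require_api_key_permission; view signatures and sample data are assumed.
from functools import wraps


def require_api_key_permission(*allowed):
    """Decorator: the key must hold at least one permission in `allowed`.

    Most endpoints pass a single permission. PATCH /pharmacy_skus/{uid}/stock
    passes two, because the page says it accepts either stock_write or
    pharmacy_sku_write. Views return an HTTP-style (status, body) pair.
    """
    def decorator(view):
        @wraps(view)
        def wrapper(key_permissions, *args, **kwargs):
            if not set(allowed) & set(key_permissions):
                return 403, {"detail": "Permission denied",
                             "requires_one_of": sorted(allowed)}
            return 200, view(key_permissions, *args, **kwargs)
        return wrapper
    return decorator


# Constructed sample order, standing in for a real API response.
SAMPLE_ORDER = {
    "uid": "order-example-1",
    "status": "in-progress",
    "prescription": {"uid": "rx-example-1", "items": ["item-a"]},
}


@require_api_key_permission("orders_write")
def update_order_status(key_permissions, order_uid, status):
    """PATCH /pharmacy_orders/{uid}/status, as in the curl example above."""
    return {"uid": order_uid, "status": status}


@require_api_key_permission("stock_write", "pharmacy_sku_write")
def update_stock(key_permissions, sku_uid, quantity):
    """PATCH /pharmacy_skus/{uid}/stock: either write permission suffices."""
    return {"uid": sku_uid, "stock": quantity}


@require_api_key_permission("order:read")
def get_order(key_permissions, order_uid):
    """GET /orders/{uid}: prescription data is stripped without prescription:read."""
    order = dict(SAMPLE_ORDER, uid=order_uid)
    if "prescription:read" not in key_permissions:
        order.pop("prescription")
    return order
```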

Notification Subscriptions

The notification subscription endpoints (/notification-subscriptions/) on the Management API do not require a specific granular permission — any valid Management API key can access them.
| Endpoint | Method | Description |
|---|---|---|
| /notification-subscriptions/ | GET | List webhook subscriptions |
| /notification-subscriptions/ | POST | Create a webhook subscription |
| /notification-subscriptions/ | DELETE | Remove a webhook subscription |
| /notification-subscriptions/test | POST | Send a test webhook |

Public API

The Public API uses organisation-scoped API keys (with optional legacy X-RxScale-Authorization header support). It is designed for telemedicine providers to query products and create checkouts.
| Permission | Type | Endpoints |
|---|---|---|
| product:read | Read | GET /products/{shop_identifier} — List products for a shop |
| order:read | Read | GET /orders/{shop_identifier} — Query order status by prescription UIDs |
| create_prescription_checkout | Write | POST /prescriptions/{shop_identifier} — Create a prescription-based checkout |
| create_treatment_checkout | Write | POST /treatments/{shop_identifier} — Create a treatment-based checkout |

The product:read and order:read permissions are shared between the Management API and the Public API. If a key has product:read, it can use both GET /products/ on the Management API and GET /products/{shop_identifier} on the Public API (assuming the key is valid for both).

Choosing the Right Permissions

Follow the principle of least privilege — only grant the permissions your integration actually needs.

Common Scenarios

| Integration Use Case | Recommended Permissions |
|---|---|
| Pharmacy order management system | orders_read, orders_write |
| Pharmacy stock sync | stock_read, pharmacy_sku_write |
| Pharmacy order + stock management | orders_read, orders_write, stock_read, pharmacy_sku_write |
| Pharmacy with webhook notifications | Add webhooks_read, webhooks_write to any of the above |
| Telemedicine provider checkout flow | product:read, create_prescription_checkout |
| Telemedicine provider with order tracking | product:read, create_prescription_checkout, order:read |
| Organisation analytics dashboard | order:read, prescription:read, doctor:read, doctor_statistics:read, patient:read |
| Waiting room integration | waiting_room:read, waiting_room:write, patient:read |
| Wallet pass management | wallet_pass_template:read, wallet_pass:read, wallet_pass_push_notification:write |

Tips

  • Separate read and write — If your integration only needs to display data, request only read permissions.
  • Use dedicated keys — Create separate API keys for different systems or environments rather than sharing a single key with all permissions.
  • Audit regularly — Review your API keys periodically and revoke any that are no longer in use.
  • External Pharmacy API vs. Management API — Pharmacy-specific integrations should use the External Pharmacy API with pharmacy API keys. Organisation-wide integrations should use the Management API with management API keys.
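An added example, not part of the RxScale documentation or any RxScale code: a small Python planner that derives the least-privilege permission set for the External Pharmacy API endpoints an integration calls, and audits an existing key against it, which is the check behind the "Common Scenarios" table and the "Audit regularly" tip. The endpoint-to-permission map is transcribed from the External Pharmacy API table above; the function names are assumptions.

```python
# Added example, not RxScale's own code. Endpoint -> permissions that satisfy
# it, transcribed from the External Pharmacy API table on this page. A tuple
# with more than one entry means "any one of these" (the stock endpoint).
EXTERNAL_PHARMACY_ENDPOINTS = {
    "GET /pharmacy_orders/": ("orders_read",),
    "GET /pharmacy_orders/{uid}": ("orders_read",),
    "PATCH /pharmacy_orders/{uid}/status": ("orders_write",),
    "GET /pharmacy_skus/": ("stock_read",),
    "PATCH /pharmacy_skus/{uid}": ("pharmacy_sku_write",),
    "PATCH /pharmacy_skus/{uid}/stock": ("stock_write", "pharmacy_sku_write"),
    "PATCH /pharmacy_skus/{uid}/external_id": ("pharmacy_sku_write",),
    "GET /webhooks/": ("webhooks_read",),
    "POST /webhooks/": ("webhooks_write",),
    "DELETE /webhooks/{uid}": ("webhooks_write",),
}


def minimal_permissions(endpoints, table=EXTERNAL_PHARMACY_ENDPOINTS):
    """Smallest permission set that covers every endpoint in `endpoints`.

    Endpoints with exactly one acceptable permission are settled first. An
    either-or endpoint then reuses a permission that is already required
    (e.g. pharmacy_sku_write when prices are updated too); only if none is
    required does it add the first, narrower option (stock_write).
    """
    required = set()
    flexible = []
    for endpoint in endpoints:
        options = table[endpoint]  # KeyError: endpoint not in this table
        if len(options) == 1:
            required.add(options[0])
        else:
            flexible.append(options)
    for options in flexible:
        if not required.intersection(options):
            required.add(options[0])
    return sorted(required)


def audit_key(key_permissions, endpoints, table=EXTERNAL_PHARMACY_ENDPOINTS):
    """Compare what a key holds with what its integration actually uses.

    'missing' permissions cause 403s; 'excess' ones are least-privilege
    violations worth removing when the key is next reviewed.
    """
    needed = set(minimal_permissions(endpoints, table))
    held = set(key_permissions)
    return {"missing": sorted(needed - held), "excess": sorted(held - needed)}
```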