Authentication
Sessions, identity, and how clients prove who they are.
AverCare uses session-based authentication. A client signs in once, receives a session, and includes it on subsequent requests. The server resolves the session to a user and scopes every query to that user.
Sign-in methods
Email & password
The classic flow, with email verification and password reset.
Google OAuth
One-tap sign-in. Requests offline access so calendar sync can refresh tokens without re-prompting.
Account linking
If you sign up with email/password and later sign in with Google using the same address, the accounts merge automatically rather than creating a duplicate. Your history stays in one place.
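The merge-on-same-address rule above, worked through as an added example (this is illustrative code, not AverCare's own): a small in-memory user table where a Google sign-in either links to the existing password account with the same address or creates a new one. The store, the method names and the rule that the address must be verified on both sides before linking are assumptions made here for the example; the page itself only states that accounts with the same address merge.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    email: str
    email_verified: bool
    methods: set = field(default_factory=set)  # e.g. {"password", "google"}


class UserStore:
    """Hypothetical in-memory user table keyed by the normalized e-mail address."""

    def __init__(self):
        self._by_email = {}
        self._next_id = 1

    @staticmethod
    def _norm(email):
        # Case and surrounding whitespace must not create two "different" addresses.
        return email.strip().lower()

    def _new_user(self, key, verified, method):
        user = User(self._next_id, key, email_verified=verified, methods={method})
        self._next_id += 1
        self._by_email[key] = user
        return user

    def signup_with_password(self, email):
        """Classic sign-up; the address is unverified until the mail link is clicked."""
        key = self._norm(email)
        if key in self._by_email:
            raise ValueError("address already registered")
        return self._new_user(key, verified=False, method="password")

    def confirm_email(self, email):
        """Called when the user completes e-mail verification."""
        self._by_email[self._norm(email)].email_verified = True

    def sign_in_with_google(self, email, google_verified):
        """Google sign-in. Returns (user, merged).

        Links to the existing account with the same address instead of creating a
        duplicate. Assumption added by this example: both sides must vouch for the
        address (our own verification flag and Google's email_verified claim) before
        the link is made, so an unconfirmed password account cannot be taken over by
        whoever controls a Google account with that address string.
        """
        key = self._norm(email)
        existing = self._by_email.get(key)
        if existing is None:
            return self._new_user(key, verified=google_verified, method="google"), False
        if existing.email_verified and google_verified:
            existing.methods.add("google")
            return existing, True
        raise PermissionError("address not verified on both sides; refusing to link")
```

The point of the `_norm` step is that the merge key is the address as the system stores it, not as the user typed it, so the same person cannot end up with two histories because of letter case.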
Where the session lives
Sessions ride in secure HTTP cookies, set and read by the auth endpoints. The browser sends them automatically on same-origin API calls.
The app stores session cookies in the device's secure storage and attaches them to each request to the web API.
Authorization, briefly
Authentication answers "who are you?"; authorization answers "what may you do?"
- Ownership — you can only read and write your own data. Every protected endpoint scopes its queries to the authenticated user.
- Admin scopes — internal/admin endpoints require specific scopes, checked per request. There is no single "is admin" master key for sensitive actions.
Everything that touches personal health data is scoped to the authenticated user. There is no unauthenticated path to chats, vitals, documents, or profile data.
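The whole path described on this page, from session cookie to per-user query scoping to per-request scope checks, as one added example (illustrative code written for this page, not AverCare's implementation). The cookie name `sid`, the `SessionStore` shape, the 24-hour lifetime, the `admin:export` scope string and the sample vitals rows are all assumptions constructed for the example.

```python
import secrets
import time
from http.cookies import CookieError, SimpleCookie

SESSION_TTL = 60 * 60 * 24  # assumption: sessions live 24 hours


class SessionStore:
    """In-memory session table: opaque random id -> (user_id, scopes, expiry)."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id, scopes=(), now=None):
        sid = secrets.token_urlsafe(32)  # unguessable; carries no user data itself
        now = time.time() if now is None else now
        self._sessions[sid] = (user_id, frozenset(scopes), now + SESSION_TTL)
        return sid

    def resolve(self, sid, now=None):
        """Return (user_id, scopes) for a live session, or None."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        user_id, scopes, expires = rec
        now = time.time() if now is None else now
        if now >= expires:
            self._sessions.pop(sid, None)  # expired: forget it server-side too
            return None
        return user_id, scopes


def set_cookie_header(sid):
    """Value of the Set-Cookie header: Secure, HttpOnly, SameSite so the browser
    sends it only over HTTPS, never exposes it to scripts, and omits it on
    cross-site navigations."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["secure"] = True
    c["sid"]["httponly"] = True
    c["sid"]["samesite"] = "Lax"
    c["sid"]["path"] = "/"
    return c["sid"].OutputString()


def parse_sid(cookie_header):
    """Pull the session id out of a raw Cookie request header (None if absent)."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return None
    morsel = jar.get("sid")
    return morsel.value if morsel else None


def _identity(store, cookie_header):
    sid = parse_sid(cookie_header)
    return store.resolve(sid) if sid else None


# Constructed sample data: vitals rows owned by two different users.
VITALS = [
    {"id": 1, "owner": 1, "bpm": 62},
    {"id": 2, "owner": 2, "bpm": 80},
    {"id": 3, "owner": 1, "bpm": 70},
]


def list_vitals(store, cookie_header):
    """Protected endpoint: the query is always filtered by the resolved user id."""
    ident = _identity(store, cookie_header)
    if ident is None:
        return 401, []
    user_id, _scopes = ident
    return 200, [v for v in VITALS if v["owner"] == user_id]


def get_vital(store, cookie_header, vital_id):
    """Object-level check: the lookup runs inside the caller's own rows, so a
    foreign id yields 404 rather than another user's record."""
    status, rows = list_vitals(store, cookie_header)
    if status != 200:
        return status, None
    for v in rows:
        if v["id"] == vital_id:
            return 200, v
    return 404, None


def admin_export(store, cookie_header):
    """Internal endpoint: needs a specific scope, checked on this request, rather
    than a blanket "is admin" flag."""
    ident = _identity(store, cookie_header)
    if ident is None:
        return 401, []
    _user_id, scopes = ident
    if "admin:export" not in scopes:
        return 403, []
    return 200, VITALS
```

Two details carry the security weight here: the session id is random and meaningless on its own, so possessing a cookie reveals nothing about the user and the mapping can be revoked server-side; and `get_vital` never queries by id alone, so the per-user filter cannot be bypassed by guessing another user's record id.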