MedListIQ uses Bearer API keys. Every request to /v1/* must include one:
Authorization: Bearer ml_test_abc123...

Test vs live keys

Prefix | Environment | Use for
--- | --- | ---
ml_test_... | Development / sandbox | Building your integration, testing against fake data
ml_live_... | Production | Real patient data from your production system
Keys are scoped to a Clerk Organization. Every request is attributed to the org that minted the key — that’s what drives rate-limit and monthly-cap enforcement.

Creating a key

  1. Sign in to the portal
  2. Go to Dashboard → API Keys
  3. Click Create key, give it a name (e.g. Production 2026)
  4. Copy the key immediately — it’s shown exactly once. Store it in a password manager or environment variable.
The full key is never retrievable after the creation dialog closes. If you lose it, revoke it and mint a new one.

Rotating keys

Best practice for production: rotate keys quarterly or on any suspected leak.
  1. Create a new key
  2. Deploy the new key to your production environment
  3. Verify traffic is flowing using the new key (the old key’s Last used timestamp in the portal should stop updating)
  4. Revoke the old key from the portal
Revocation propagates within ~60 seconds (we cache auth lookups in-process).

Error responses

{ "detail": "missing API key" }
{ "detail": "invalid or revoked API key" }
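The header shown at the top of the page and the two error bodies above, handled in one small server-side helper. This is an added example, not MedListIQ's own client library: it reads the key from the environment, refuses to run inside a browser, attaches the Bearer header to a /v1/* request and maps the documented error bodies to an explicit outcome so a caller never retries with a key that was just revoked during rotation. The env var name MEDLISTIQ_API_KEY, the base URL, the /v1/ping path, the assumed charset of the key body and the 401 status used by the offline stand-in transport are all assumptions, not taken from the page.

```javascript
// Added example, not MedListIQ's own client. Assumptions (not from the page):
// env var name MEDLISTIQ_API_KEY, base URL, /v1/ping path, key-body charset,
// and the 401 status returned by the offline stand-in transport below.

const KEY_PATTERN = /^ml_(test|live)_[A-Za-z0-9]+$/; // body charset is an assumption

function loadApiKey(env = process.env) {
  if (typeof window !== 'undefined') {
    // Keys are server-side only; a browser bundle must never reach this point.
    throw new Error('MedListIQ API keys must not be loaded client-side');
  }
  const key = env.MEDLISTIQ_API_KEY;
  if (!key) throw new Error('MEDLISTIQ_API_KEY is not set');
  if (!KEY_PATTERN.test(key)) throw new Error('MEDLISTIQ_API_KEY is not an ml_test_/ml_live_ key');
  return key;
}

// Which environment a key belongs to, so a live key can be refused outside production.
function keyEnvironment(key) {
  return key.startsWith('ml_live_') ? 'live' : 'test';
}

function authHeaders(key) {
  return { Authorization: `Bearer ${key}`, Accept: 'application/json' };
}

// Map a response to an outcome. Both bodies documented on the page are permanent
// failures for the key in hand: retrying with the same key cannot succeed.
function classify(status, body) {
  if (status >= 200 && status < 300) return { ok: true, data: body };
  const detail = body && body.detail;
  if (detail === 'missing API key') {
    return { ok: false, reason: 'no-key', retry: false, detail };
  }
  if (detail === 'invalid or revoked API key') {
    // Expected after a rotation if a service still holds the old key: alert an operator, do not retry.
    return { ok: false, reason: 'revoked-or-invalid', retry: false, detail };
  }
  return { ok: false, reason: 'other', retry: status >= 500, detail };
}

// transport(url, headers) -> { status, body }. In production wrap fetch; here a stand-in.
function callApi(path, key, transport, baseUrl = 'https://api.medlistiq.example') {
  if (!path.startsWith('/v1/')) throw new Error('only /v1/* paths are authenticated this way');
  const { status, body } = transport(`${baseUrl}${path}`, authHeaders(key));
  return classify(status, body);
}

// Constructed stand-in for the API so the example runs offline (status codes assumed).
function fakeTransport(validKeys) {
  return (url, headers) => {
    const auth = headers.Authorization || '';
    const key = auth.startsWith('Bearer ') ? auth.slice('Bearer '.length) : '';
    if (!key) return { status: 401, body: { detail: 'missing API key' } };
    if (!validKeys.has(key)) return { status: 401, body: { detail: 'invalid or revoked API key' } };
    return { status: 200, body: { pong: true, path: new URL(url).pathname } };
  };
}

function demo() {
  const transport = fakeTransport(new Set(['ml_test_abc123'])); // constructed valid key
  const env = { MEDLISTIQ_API_KEY: 'ml_test_abc123' };          // constructed; real code uses process.env
  const key = loadApiKey(env);
  return {
    environment: keyEnvironment(key),
    good: callApi('/v1/ping', key, transport),
    missing: callApi('/v1/ping', '', transport),
    revoked: callApi('/v1/ping', 'ml_test_oldkey000', transport),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

To use it against the real API, replace the stand-in transport with a thin wrapper around fetch that returns `{ status, body }`; the classification logic is what matters, since a `revoked-or-invalid` outcome during a rotation is the signal that some service was not redeployed with the new key.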

Security notes

  • Never commit keys to source control. Use environment variables or a secret manager (Vercel envs, Doppler, 1Password, AWS Secrets Manager, etc).
  • Never expose secret keys to the browser. Our keys are server-side only — don’t ship them in a bundle or load them client-side.
  • One key per environment is a reasonable minimum; one key per deployed service is even better (so you can isolate blast radius on a rotation).