Klinivo Coming soon
Developer Guide

Getting Started

Integrate your systems with Klinivo in minutes.

The Klinivo API is in private preview. Endpoints shown here are illustrative and not yet generally available — contact us for early access.

Authentication

All API requests require an API key sent via the X-API-Key header. API keys are scoped to your organization and carry specific permissions.

Generate an API Key

  1. Log in to Klinivo as an Owner or Admin
  2. Navigate to Settings → Integrations → API Keys
  3. Click Create API Key
  4. Select the permissions your integration needs
  5. Copy the key immediately — it will not be shown again

Important: Store your API key securely. Never expose it in client-side code or public repositories.

Your First API Call

Test your API key with the health endpoint:

bash 
curl -H "X-API-Key: kv_your_key_here" \
  https://api.klinivo.co/api/v1/health

A successful response:

json 
{
  "status": "ok",
  "keyPrefix": "kv_abc12345",
  "organizationId": "org-uuid",
  "permissions": [
    "READ_PATIENTS",
    "READ_APPOINTMENTS"
  ]
}

Permissions

API keys use granular permissions. Only request what your integration needs:

Permission Access
READ_PATIENTSList, search, view patients
WRITE_PATIENTSCreate and update patients
READ_APPOINTMENTSList, view appointments and schedules
WRITE_APPOINTMENTSCreate, cancel, confirm, reschedule appointments
READ_PROVIDERSList providers and locations
READ_CONSULTATIONSView SOAP notes and prescriptions
MANAGE_WEBHOOKSCreate and manage webhook subscriptions

Rate Limiting

API requests are rate-limited per key. Check response headers to monitor your usage:

Header Description
X-RateLimit-LimitMax requests per minute
X-RateLimit-RemainingRequests remaining in current window
X-RateLimit-ResetUnix timestamp when window resets

When rate-limited, you will receive a 429 response with a Retry-After header.

Idempotent Requests

For write operations (POST, PATCH), include an Idempotency-Key header to safely retry requests without duplicating actions:

bash 
curl -X POST \
  -H "X-API-Key: kv_your_key_here" \
  -H "Idempotency-Key: unique-request-id-123" \
  -H "Content-Type: application/json" \
  -d '{"patientId": 1, "providerId": 2, ...}' \
  https://api.klinivo.co/api/v1/appointments

Keys expire after 24 hours. Use UUIDs or similar unique identifiers.

Webhooks

Receive real-time notifications when events occur in your organization.

Setup

  1. Navigate to Settings → Integrations → Webhooks
  2. Add your endpoint URL and select the events you want to receive
  3. Copy the signing secret for signature verification

Available Events

Event Trigger
patient.createdNew patient registered
appointment.scheduledAppointment booked
appointment.confirmedAppointment confirmed
appointment.completedConsultation ended
appointment.cancelledAppointment cancelled
appointment.no_showPatient did not arrive
consultation.endedProvider finished consultation
soap_note.createdSOAP note saved
intake.startedPatient started intake form
intake.completedPatient completed intake form

Verifying Signatures

Every webhook delivery includes an X-Klinivo-Signature header in the format t=timestamp,v1=signature. Verify it with HMAC-SHA256:

javascript 
const crypto = require('crypto');

function verifySignature(payload, header, secret) {
  const [tPart, v1Part] = header.split(',');
  const timestamp = tPart.split('=')[1];
  const signature = v1Part.split('=')[1];

  const expected = crypto
    .createHmac('sha256', secret)
    .update(timestamp + '.' + payload)
    .digest('hex');

  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}
python 
import hmac, hashlib

def verify_signature(payload: bytes, header: str, secret: str) -> bool:
    parts = dict(p.split('=', 1) for p in header.split(','))
    timestamp = parts['t']
    signature = parts['v1']

    expected = hmac.new(
        secret.encode(),
        f"{timestamp}.".encode() + payload,
        hashlib.sha256
    ).hexdigest()

    return hmac.compare_digest(signature, expected)

Retry Policy

Failed deliveries are retried with exponential backoff: 1, 2, 4, 8, and 16 minutes. After 5 failed attempts, the delivery is moved to the dead letter queue. Check delivery status via the webhook management API.

Error Handling

The API returns standard HTTP status codes with JSON error bodies:

json 
{
  "error": "invalid_api_key",
  "message": "Invalid or expired API key"
}
Status Meaning
200Success
201Resource created
204Success, no content
400Invalid request body or parameters
401Invalid or missing API key
403API key lacks required permission
404Resource not found
429Rate limit exceeded

Next Steps

API Reference

Full interactive documentation with try-it-out for all 19 endpoints.

Explore →
Contact Support

Need help? Our team is ready to assist with your integration.

Get in touch →
Coming soon

Join the waitlist

We're putting the finishing touches on Klinivo. Leave your email and we'll let you know the moment it opens — with early access.