Authentication
Voxtar authenticates every request with a secret API key sent as a Bearer token. Keys are scoped to a single workspace and carry that workspace's data-residency and retention settings.
API keys
Create and rotate keys in the dashboard under Developers → API Keys. Treat a key like a password: it can read patients and submit audio for analysis. Never ship it in client-side code, a mobile bundle, or a public repo — all requests must originate from your server.
Making an authenticated request
Pass the key in the Authorization header:
curl https://api.voxtar.hallelx2.com/v1/patients \-H "Authorization: Bearer $VOXTAR_API_KEY"
The SDKs read VOXTAR_API_KEY from the environment automatically:
import { Voxtar } from "voxtar";const voxtar = new Voxtar({ apiKey: process.env.VOXTAR_API_KEY });
Errors
A missing or invalid key returns 401 Unauthorized; a valid key without access to the requested resource returns 403 Forbidden. Error bodies follow a stable shape:
{"error": {"type": "invalid_api_key","message": "No API key provided. Set an Authorization: Bearer header."}}
Handling PHI
Voxtar is built so you never have to send protected health information. Identify patients with your own pseudonymous external_id; audio is analyzed in memory and discarded, and only derived acoustic features are stored. Configure retention and regional processing per workspace in the dashboard.