We just shipped 14 public endpoints under /api/public/* that power the upcoming HeDesk patient mobile app. The contract is documented end-to-end at backend/PUBLIC_API_CONTRACT.md — here’s the executive summary.
Security stack
- API key gate — every request needs X-API-Key, matched with a constant-time compare.
- Patient JWT — 30-day TTL, separate secret from staff JWTs.
- Rate limit — sliding-window token bucket: 10/min auth, 10/min booking, 60/min default.
- Razorpay signature verification — HMAC-SHA256 verified server-side before any booking is created.
- Audit log — every public request lands in db.audit_logs with IP, UA, event.
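For readers wiring a client or reviewing the gate, here is an added illustration (not code from the HeDesk backend) of three of the checks above: the constant-time X-API-Key compare, the server-side Razorpay HMAC-SHA256 verification, and a per-client sliding-window limiter. The key values are constructed placeholders; Razorpay's signature covers "<order_id>|<payment_id>" keyed with the key secret, hex encoded.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

# Constructed placeholder secrets; real values belong in configuration, never in source.
API_KEY = "hypothetical-app-key"
RAZORPAY_KEY_SECRET = "hypothetical-razorpay-secret"


def check_api_key(presented: Optional[str]) -> bool:
    """Gate on the X-API-Key header using a constant-time comparison."""
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), API_KEY.encode())


def razorpay_signature(order_id: str, payment_id: str) -> str:
    """Recompute the signature Razorpay sends: HMAC-SHA256 over
    "<order_id>|<payment_id>" keyed with the key secret, lowercase hex."""
    payload = f"{order_id}|{payment_id}".encode()
    return hmac.new(RAZORPAY_KEY_SECRET.encode(), payload, hashlib.sha256).hexdigest()


def verify_razorpay_signature(order_id: str, payment_id: str, signature: str) -> bool:
    """Server-side check that must pass before any booking is created."""
    return hmac.compare_digest(razorpay_signature(order_id, payment_id), signature)


class SlidingWindowLimiter:
    """Per-client sliding window: at most `limit` requests in any `window` seconds."""

    def __init__(self, limit: int, window: float = 60.0):
        self.limit, self.window = limit, window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits[client]
        while q and now - q[0] >= self.window:   # drop hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True
```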
What the app can do
- Discover clinics & doctors (filtered by city / specialty).
- Show real-time slot availability for any date.
- Book + pay in a single atomic flow (pay-first, idempotent on order id).
- Show the patient’s own appointments, prescriptions, and invoices across every clinic they’ve visited.
We covered the whole surface with 29 pytest cases. If you’re building on this and have questions, email hello@hedesk.help.