API Authentication

The Mahalo Health API uses token-based authentication. Every request must carry an API token; the token identifies the calling user or application, and that identity is what the database-level access rules described below use to decide which patient records the caller may reach.

Authentication Methods

The simplest way to authenticate with the Mahalo Health API is with a Bearer token. Include your API token in the Authorization header of every request. Treat the token as a credential: send it only over HTTPS (as in the URL below), keep it out of client-side code and version control, and rotate it if it is ever exposed.

curl -X GET "https://api.mahalo.health/v1/app/dashboard" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"

Row Level Security (RLS)

The Mahalo Health Platform uses Supabase Row Level Security (RLS) policies to ensure data privacy and security. The policies are evaluated by Postgres itself on every query made with the caller's JWT, so they apply no matter which API endpoint issued the query. Two caveats apply to any Supabase deployment: a policy has no effect until RLS has been enabled on its table (ALTER TABLE ... ENABLE ROW LEVEL SECURITY), and the service_role key bypasses RLS entirely, so it must only ever be used on the server side and never shipped to a browser or mobile app.

Patient Data Access

Patients can only access their own data. auth.uid() returns the user ID (the sub claim) from the caller's JWT, and the policy compares it with the auth_uid column stored on the patient row:

CREATE POLICY "Patients access their own record"
ON ma_patients USING (auth.uid() = auth_uid);

Admin Data Access

Admins can only access data for patients in programs they are assigned to. The subquery reads ma_program_assignments as the calling user, so if RLS is enabled on that table it needs its own policy allowing an admin to read their assignment rows; otherwise the subquery returns nothing and the admin sees no patients at all:

CREATE POLICY "Admins view patients in their programs"
ON ma_patients USING (
  program_id IN (
    SELECT program_id FROM ma_program_assignments
    WHERE admin_id = auth.uid()
  )
);
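A fuller version of the two policies above, added here as an example and not taken from the Mahalo Health Platform's own migrations. It assumes the column names already shown (auth_uid and program_id on ma_patients, admin_id and program_id on ma_program_assignments), that both tables live in the default schema, and that Supabase's auth.uid() reads the sub claim from the request.jwt.claims setting, which is what lets the final transaction impersonate a user without going through the API:

```sql
-- Added example (not the Mahalo Health Platform's own code).
-- Assumed schema: ma_patients(id, auth_uid uuid, program_id),
--                 ma_program_assignments(admin_id uuid, program_id).

-- 1. Policies are inert until RLS is switched on for the table.
ALTER TABLE ma_patients ENABLE ROW LEVEL SECURITY;
ALTER TABLE ma_program_assignments ENABLE ROW LEVEL SECURITY;

-- 2. Patient policy. USING filters the rows the caller can see;
--    WITH CHECK rejects inserts/updates that would hand the row to
--    someone else. (select auth.uid()) is evaluated once per statement
--    instead of once per row.
CREATE POLICY "Patients access their own record"
ON ma_patients
FOR ALL
TO authenticated
USING ((select auth.uid()) = auth_uid)
WITH CHECK ((select auth.uid()) = auth_uid);

-- 3. Admin policy: read-only access to patients in assigned programs.
CREATE POLICY "Admins view patients in their programs"
ON ma_patients
FOR SELECT
TO authenticated
USING (
  program_id IN (
    SELECT program_id FROM ma_program_assignments
    WHERE admin_id = (select auth.uid())
  )
);

-- 4. The subquery in step 3 runs as the caller and is itself subject to
--    RLS on ma_program_assignments, so admins need to see their own rows.
CREATE POLICY "Admins read their own assignments"
ON ma_program_assignments
FOR SELECT
TO authenticated
USING (admin_id = (select auth.uid()));

-- 5. Verify by impersonating a JWT inside a transaction. auth.uid() reads
--    the sub claim from request.jwt.claims, so this exercises the policies
--    exactly as an API request would. The UUID below is a placeholder.
BEGIN;
SET LOCAL ROLE authenticated;
SET LOCAL request.jwt.claims TO
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';

-- Expect only rows with auth_uid = ...0001, plus rows from any program
-- this user is assigned to as an admin.
SELECT id, auth_uid, program_id FROM ma_patients;

-- Expect "UPDATE 0": other patients' rows are invisible to the writer,
-- so the statement has nothing to touch.
UPDATE ma_patients SET program_id = program_id
WHERE auth_uid <> '00000000-0000-0000-0000-000000000001';

ROLLBACK;
```

Run this with psql against a local Supabase database; the final block rolls back, so the impersonation leaves no trace. Both policies on ma_patients are permissive, so Postgres ORs them: a row is visible if either condition holds, which is the intended patient-or-admin behaviour. The verification transaction is also the check to repeat after any schema change, since a dropped column or renamed table silently turns a policy into a deny-all or, worse, an allow-all if RLS is later disabled.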

Rate Limiting

To ensure the stability of our API, we implement rate limiting. The current limits are:

  • 100 requests per minute per API token
  • 10,000 requests per day per API token

If you exceed these limits, you will receive a 429 Too Many Requests response. The response will include a Retry-After header indicating how long to wait before making another request; clients should honor it and back off rather than retrying immediately.