https://docs.novaza.ai/api/Recent content in API Reference on Novaza DocsHugoenhttps://docs.novaza.ai/api/authentication/Mon, 01 Jan 0001 00:00:00 +0000https://docs.novaza.ai/api/authentication/<h1 id="api-authentication">API Authentication<a class="anchor" href="#api-authentication">#</a></h1> <p>All Novaza API requests must be authenticated with a JWT access token issued by <strong>Novaza SSO</strong> at <code>id.novaza.ai</code>. The token is carried in the <code>Authorization: Bearer &lt;token&gt;</code> header on every request to the Novaza Gateway (<code>api.novaza.ai</code>).</p> <p>Individual products (Office, Desk, Pulse) are served from their own domains and accept access tokens obtained through the same Novaza SSO authorization flow, with a product-scoped audience.</p> <h2 id="overview">Overview<a class="anchor" href="#overview">#</a></h2> <ol> <li>A user signs in at <strong><code>id.novaza.ai</code></strong> (directly or via an OAuth2 authorization redirect from your application).</li> <li>Novaza SSO issues a JWT <strong>access token</strong> (short-lived) and <strong>refresh token</strong> (longer-lived).</li> <li>Your client calls <code>https://api.novaza.ai/...</code> with <code>Authorization: Bearer &lt;access_token&gt;</code>.</li> <li>When the access token expires, exchange the refresh token for a new access token at the SSO token endpoint.</li> </ol> <h2 id="oauth2-authorization-code-flow">OAuth2 Authorization Code Flow<a class="anchor" href="#oauth2-authorization-code-flow">#</a></h2> <p>Use this flow for user-facing third-party applications that act on behalf of a signed-in Novaza user.</p>https://docs.novaza.ai/api/office-api/Mon, 01 Jan 0001 00:00:00 +0000https://docs.novaza.ai/api/office-api/<h1 id="office-api">Office API<a class="anchor" href="#office-api">#</a></h1> <p>Novaza Office exposes a REST API for programmatic access to namespaces, modules, records, workflows, and pages. The API is served directly by the Office product at <code>https://office.novaza.ai</code> and is <strong>not</strong> proxied through the Novaza Platform Gateway.</p> <h2 id="access-and-authentication">Access and Authentication<a class="anchor" href="#access-and-authentication">#</a></h2> <p>Because the Office API is served by the product directly, it has its own authentication handshake that is separate from the Platform Gateway at <code>api.novaza.ai</code>. Clients must obtain an Office access token before calling Office API endpoints.</p>https://docs.novaza.ai/api/middleware-api/Mon, 01 Jan 0001 00:00:00 +0000https://docs.novaza.ai/api/middleware-api/<h1 id="platform-gateway-api">Platform Gateway API<a class="anchor" href="#platform-gateway-api">#</a></h1> <p>The Novaza Gateway at <strong><code>api.novaza.ai</code></strong> exposes platform-level endpoints that are shared across products: medical imaging, clinical messaging (HL7), AI services, billing, and workspace administration. All endpoints accept a JWT access token issued by Novaza SSO and apply per-tenant rate limiting.</p> <p>See <a href="https://docs.novaza.ai/api/authentication/">API Authentication</a> for how to obtain a token.</p> <h2 id="base-url">Base URL<a class="anchor" href="#base-url">#</a></h2> <pre tabindex="0"><code>https://api.novaza.ai</code></pre><h2 id="common-headers">Common Headers<a class="anchor" href="#common-headers">#</a></h2> <table> <thead> <tr> <th>Header</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>Authorization: Bearer &lt;jwt&gt;</code></td> <td>Required on all endpoints except <code>/health</code>, <code>/health/ready</code>, and <code>/metrics</code></td> </tr> <tr> <td><code>X-Tenant-ID</code></td> <td>Optional override used on service-to-service calls; the tenant is otherwise resolved from the JWT</td> </tr> <tr> <td><code>X-API-Version</code></td> <td>Returned by the gateway on every response (currently <code>1.0</code>)</td> </tr> <tr> <td><code>X-Request-Id</code></td> <td>Returned by the gateway for log correlation</td> </tr> </tbody> </table> <h2 id="platform-endpoints">Platform Endpoints<a class="anchor" href="#platform-endpoints">#</a></h2> <h3 id="health--metrics-public">Health &amp; Metrics (public)<a class="anchor" href="#health--metrics-public">#</a></h3> <table> <thead> <tr> <th>Method</th> <th>Path</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>GET</code></td> <td><code>/health</code></td> <td>Liveness probe</td> </tr> <tr> <td><code>GET</code></td> <td><code>/health/ready</code></td> <td>Readiness probe (checks downstream services)</td> </tr> <tr> <td><code>GET</code></td> <td><code>/metrics</code></td> <td>Prometheus metrics</td> </tr> </tbody> </table> <h3 id="medical-imaging">Medical Imaging<a class="anchor" href="#medical-imaging">#</a></h3> <p>Requires the <code>medical_imaging</code> add-on on the tenant.</p>https://docs.novaza.ai/api/desk-api/Mon, 01 Jan 0001 00:00:00 +0000https://docs.novaza.ai/api/desk-api/<h1 id="desk-api">Desk API<a class="anchor" href="#desk-api">#</a></h1> <p>Novaza Desk exposes a REST API for contacts, conversations, messages, and tickets. The API is served by the Desk product directly at <code>https://desk.novaza.ai</code> and is <strong>not</strong> proxied through the Novaza Platform Gateway.</p> <h2 id="access-and-authentication">Access and Authentication<a class="anchor" href="#access-and-authentication">#</a></h2> <p>Because the Desk API is served by the product directly, it has its own authentication handshake that is separate from the Platform Gateway at <code>api.novaza.ai</code>. Clients must obtain a Desk access token before calling Desk API endpoints.</p>https://docs.novaza.ai/api/pulse-api/Mon, 01 Jan 0001 00:00:00 +0000https://docs.novaza.ai/api/pulse-api/<h1 id="pulse-api">Pulse API<a class="anchor" href="#pulse-api">#</a></h1> <p>Novaza Pulse exposes a REST API for subscribers, lists, templates, campaigns, and transactional email. The API is served by the Pulse product directly at <code>https://pulse.novaza.ai</code> and is <strong>not</strong> proxied through the Novaza Platform Gateway.</p> <h2 id="access-and-authentication">Access and Authentication<a class="anchor" href="#access-and-authentication">#</a></h2> <p>Because the Pulse API is served by the product directly, it has its own authentication handshake that is separate from the Platform Gateway at <code>api.novaza.ai</code>. Clients must obtain a Pulse access token before calling Pulse API endpoints.</p>https://docs.novaza.ai/api/webhooks/Mon, 01 Jan 0001 00:00:00 +0000https://docs.novaza.ai/api/webhooks/<h1 id="webhooks">Webhooks<a class="anchor" href="#webhooks">#</a></h1> <p>Webhooks allow Novaza products to push real-time event notifications to external systems or to the Novaza Middleware. Today, Novaza supports <strong>inbound webhooks</strong> (receiving events into the Novaza Middleware from connected products) and product-scoped outbound event forwarding. A single unified outbound webhook bus with Novaza-branded headers is <strong>planned</strong> and not yet available.</p> <h2 id="inbound-webhooks-available-today">Inbound Webhooks (available today)<a class="anchor" href="#inbound-webhooks-available-today">#</a></h2> <p>The Novaza Middleware exposes dedicated webhook endpoints that accept events from specific Novaza products. These are intended for internal platform integration and are authenticated per source.</p>