This project implements a backend API for managing doctors, patients, and appointments within a medical clinic setting. The system enables CRUD operations. The architecture follows REST principles, utilizing Flask as the web framework, SQLAlchemy for ORM, and Alembic for database migrations. Role-based access control (RBAC) is integrated via Auth0.
The API is hosted on Heroku at:
https://doctors-crm-app-170292-f7f15f33a13e.herokuapp.com/
In this system, we have implemented a role-based access control (RBAC) mechanism that includes two distinct roles: Admin and Doctor.
-
Admin Role: The Admin has full access to all routes and can perform any actions within the application, ensuring comprehensive management capabilities.
-
Doctor Role: The Doctor role is limited in scope to promote security and data privacy. Specifically, Doctors are granted the following permissions:
- delete:appointments: Allows the Doctor to delete appointments.
- get:appointments-doctor: Enables the Doctor to retrieve their specific appointments.
- get:patients: Grants access to view patient information.
- patch:appointments: Permits the Doctor to update appointment details.
- patch:patients: Allows the Doctor to update patient information.
- post:appointments: Enables the creation of new appointments.
- post:patients: Allows the addition of new patient records.
In order to authenticate and authorize users within the application, JSON Web Tokens (JWT) are used. These tokens contain encoded user information and permissions, allowing secure access to specific routes based on user roles.
For testing purposes, here are two example JWT tokens:
-
Admin Token: This token grants full access to all API routes and functionalities. Below is an example of an Admin token:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ik5meERVQ0FNdkhyTmRIWHRGLW9aZiJ9.eyJpc3MiOiJodHRwczovL3VkYWNpdHktYWxleGFuZHJlZGducy51cy5hdXRoMC5jb20vIiwic3ViIjoiYXV0aDB8NjhlOTYxNzE5ZjlhMDg3MTA3NzAyOGJlIiwiYXVkIjoiZG9jdG9ycy1jcm0iLCJpYXQiOjE3NjM4MzM2MjIsImV4cCI6MTc2MzkyMDAyMiwic2NvcGUiOiIiLCJhenAiOiIwQ1VaenMzY0s5cWJPRVNsbE44TDhvd0J4TXFoeTI2RiIsInBlcm1pc3Npb25zIjpbImRlbGV0ZTphcHBvaW50bWVudHMiLCJkZWxldGU6ZG9jdG9ycyIsImRlbGV0ZTpwYXRpZW50cyIsImdldDphcHBvaW50bWVudHMiLCJnZXQ6YXBwb2ludG1lbnRzLWRvY3RvciIsImdldDpwYXRpZW50cyIsInBhdGNoOmFwcG9pbnRtZW50cyIsInBhdGNoOmRvY3RvcnMiLCJwYXRjaDpwYXRpZW50cyIsInBvc3Q6YXBwb2ludG1lbnRzIiwicG9zdDpkb2N0b3JzIiwicG9zdDpwYXRpZW50cyJdfQ.Fvb1IrZ7lFX56SZawIrdw57HT7QRGib-wQUJT-N5h3O_OVv-armiJ2vU8VJ2KiOcDLW3nLzn2E8d4YqPoKyfdXpzK0S2BW7qilCLgsQ_qaoFFyEk71HXbIasxzeK1EXHFUez7xoBRNKvAMIbUsZWkey9EYtxL4b0NAYlHg67K1txXHrhlIvDljY8PO01uaaNrAgNqWlqsa63p7CYfiim-X3QdcVDQGlS0_zgRTBj4qKR2WmOdVo-7YP5LVLPdNkBl034Die9bnT1pxeHl3zNMA6Yd3Obi8ubwzhqufe3_gj7OIF-JMvrUkdX1kWFOd6qA-Br993f89gbtkl7MQuKEg -
Doctor Token: This token is limited to the permissions assigned to the Doctor role, which provides access to specific routes related to patient management and appointment scheduling. Below is an example of a Doctor token:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ik5meERVQ0FNdkhyTmRIWHRGLW9aZiJ9.eyJpc3MiOiJodHRwczovL3VkYWNpdHktYWxleGFuZHJlZGducy51cy5hdXRoMC5jb20vIiwic3ViIjoiYXV0aDB8NjhmN2M1NWMyMzE4M2IwMWJjOTllMTQ2IiwiYXVkIjoiZG9jdG9ycy1jcm0iLCJpYXQiOjE3NjM4MzM2OTAsImV4cCI6MTc2MzkyMDA5MCwic2NvcGUiOiIiLCJhenAiOiIwQ1VaenMzY0s5cWJPRVNsbE44TDhvd0J4TXFoeTI2RiIsInBlcm1pc3Npb25zIjpbImRlbGV0ZTphcHBvaW50bWVudHMiLCJnZXQ6YXBwb2ludG1lbnRzLWRvY3RvciIsImdldDpwYXRpZW50cyIsInBhdGNoOmFwcG9pbnRtZW50cyIsInBhdGNoOnBhdGllbnRzIiwicG9zdDphcHBvaW50bWVudHMiLCJwb3N0OnBhdGllbnRzIl19.IMl5TDmoo84sSU6owwJ5CN_qXsi-pQr5OiWIOLwLK40LjT_EyYhrKojFTkvIGM_LyCgFyfK_TQzNgF9YS5y1nfDbTbcrSxhjbHjRGgidlaZTiiDjDfXbYdr41vYvucOIGWWD9W3bcKWiegcrHFdjHF9zNj7FBxEASFRY-9bNTYuGdkBrbDtrCituCKaaMWWFhcECEP-_shG3eqUtC_9PjaUeRoq2tu5nbstoXkTRL3eGHPN7tDkw5mXX2SegZzgsKdcuoFS4JTrd0ZmEtLQxUv4Aj7JONFtlNZMWBCguhCwzSwmI9DWt01iRwdAM1g6mpPKGjiRqnHsu8AiMBqIr9A
Errors are returned as JSON objects in the following format:
{
"error": 400,
"message": "bad request"
}
The API will return the following error types when requests fail:
- 400: Bad Request
- 404: Resource Not Found
- 405: Method Not Allowed
- 422: Unprocessable Entity
- 500: Internal Server Error
-
Description: Retrieves a list of all doctors in the system.
-
RBAC Permission: none
-
Sample Request:
curl -X GET https://doctors-crm-app-170292-f7f15f33a13e.herokuapp.com/doctors
-
Returns:
{ "success": true, "doctors": [ { "id": 1, "name": "Dr. John Doe", "speciality": "Cardiology", "phone": "123-456-7890", "email": "[email protected]" }, // ... more doctors ... ] }
-
Description: Creates a new doctor record in the system. (Admin only)
-
RBAC Permission:
post:doctors -
Request Body:
{ "name": "Dr. Jane Smith", "speciality": "Dermatology", "phone": "321-654-0987", "email": "[email protected]" } -
Sample Request:
curl -X POST https://doctors-crm-app-170292-f7f15f33a13e.herokuapp.com/doctors \ -H "Content-Type: application/json" \ -H "Authorization: Bearer <admin_token>" \ -d '{ "name": "Dr. Jane Smith", "speciality": "Dermatology", "phone": "321-654-0987", "email": "[email protected]" }'
-
Returns:
{ "success": true, "doctor": { "id": 2, "name": "Dr. Jane Smith", "speciality": "Dermatology", "phone": "321-654-0987", "email": "[email protected]" } }
-
Description: Updates the information of an existing doctor by ID. (Admin only)
-
RBAC Permission:
patch:doctors -
Request Body:
{ "name": "Dr. Jane Smith", "speciality": "Updated Speciality", "phone": "321-654-0987", "email": "[email protected]" } -
Sample Request:
curl -X PATCH https://doctors-crm-app-170292-f7f15f33a13e.herokuapp.com/doctors/2 \ -H "Content-Type: application/json" \ -H "Authorization: Bearer <admin_token>" \ -d '{ "speciality": "Updated Speciality" }'
-
Returns:
{ "success": true, "doctor": { "id": 2, "name": "Dr. Jane Smith", "speciality": "Updated Speciality", "phone": "321-654-0987", "email": "[email protected]" } }
-
Description: Deletes a doctor record from the system by ID. (Admin only)
-
RBAC Permission:
delete:doctors -
Sample Request:
curl -X DELETE https://doctors-crm-app-170292-f7f15f33a13e.herokuapp.com/doctors/2 \ -H "Authorization: Bearer <admin_token>" -
Returns:
{ "success": true, "deleted": 2 }
-
Description: Retrieves a list of all patients in the system.
-
RBAC Permission:
get:patients -
Sample Request:
curl -X GET https://doctors-crm-app-170292-f7f15f33a13e.herokuapp.com/patients \ -H "Authorization: Bearer <admin_or_doctor_token>" -
Returns:
{ "success": true, "patients": [ { "id": 1, "name": "Patient One", "phone": "123-456-7890", "address": "123 Main St, City, State", "medical_history": "No known allergies" }, // ... more patients ... ] }
-
Description: Adds a new patient record to the system.
-
RBAC Permission:
post:patients -
Request Body:
{ "name": "Patient Two", "phone": "321-654-0987", "address": "456 Elm St, City, State", "medical_history": "Allergies to penicillin" } -
Sample Request:
curl -X POST https://doctors-crm-app-170292-f7f15f33a13e.herokuapp.com/patients \ -H "Content-Type: application/json" \ -H "Authorization: Bearer <admin_or_doctor_token>" \ -d '{ "name": "Patient Two", "phone": "321-654-0987", "address": "456 Elm St, City, State", "medical_history": "Allergies to penicillin" }'
-
Returns:
{ "success": true, "patient": { "id": 2, "name": "Patient Two", "phone": "321-654-0987", "address": "456 Elm St, City, State", "medical_history": "Allergies to penicillin" } }
-
Description: Updates the information of an existing patient by ID.
-
RBAC Permission:
patch:patients -
Request Body:
{ "name": "Updated Patient Name", "phone": "321-654-0987", "address": "789 Oak St, City, State", "medical_history": "Updated medical history" } -
Sample Request:
curl -X PATCH https://doctors-crm-app-170292-f7f15f33a13e.herokuapp.com/patients/2 \ -H "Content-Type: application/json" \ -H "Authorization: Bearer <admin_or_doctor_token>" \ -d '{ "address": "789 Oak St, City, State" }'
-
Returns:
{ "success": true, "patient": { "id": 2, "name": "Updated Patient Name", "phone": "321-654-0987", "address": "789 Oak St, City, State", "medical_history": "Updated medical history" } }
-
Description: Deletes a patient record from the system by ID. (Admin only)
-
RBAC Permission:
delete:patients -
Sample Request:
curl -X DELETE https://doctors-crm-app-170292-f7f15f33a13e.herokuapp.com/patients/2 \ -H "Authorization: Bearer <admin_token>" -
Returns:
{ "success": true, "deleted": 2 }
-
Description: Retrieves a list of all appointments in the system. (Admin only)
-
RBAC Permission:
get:appointments -
Sample Request:
curl -X GET https://doctors-crm-app-170292-f7f15f33a13e.herokuapp.com/appointments \ -H "Authorization: Bearer <admin_token>" -
Returns:
{ "success": true, "appointments": [ { "id": 1, "date": "2025-11-17T14:30:00", "status": "Scheduled", "notes": "First consultation", "doctor_id": 1, "patient_id": 2 }, // ... more appointments ... ] }
-
Description: Retrieves all appointments related to a specific doctor by ID.
-
RBAC Permission:
get:appointments-doctor -
Sample Request:
curl -X GET https://doctors-crm-app-170292-f7f15f33a13e.herokuapp.com/appointments/doctor/1 \ -H "Authorization: Bearer <admin_or_doctor_token>" -
Returns:
{ "success": true, "appointments": [ { "id": 1, "date": "2025-11-17T14:30:00", "status": "Scheduled", "notes": "First consultation", "doctor_id": 1, "patient_id": 2 }, // ... more appointments for the specified doctor ... ] }
-
Description: Creates a new appointment in the system.
-
RBAC Permission:
post:appointments -
Request Body:
{ "date": "2025-11-17T14:30:00", "status": "Scheduled", "notes": "Consultation notes", "doctor_id": 1, "patient_id": 2 } -
Sample Request:
curl -X POST https://doctors-crm-app-170292-f7f15f33a13e.herokuapp.com/appointments \ -H "Content-Type: application/json" \ -H "Authorization: Bearer <admin_token>" \ -d '{ "date": "2025-11-17T14:30:00", "status": "Scheduled", "notes": "Consultation notes", "doctor_id": 1, "patient_id": 2 }'
-
Returns:
{ "success": true, "appointment": { "id": 3, "date": "2025-11-17T14:30:00", "status": "Scheduled", "notes": "Consultation notes", "doctor_id": 1, "patient_id": 2 } }
-
Description: Updates the information of an existing appointment by ID.
-
RBAC Permission:
patch:appointments -
Request Body:
{ "date": "2025-11-17T16:00:00", "status": "Confirmed", "notes": "Updated consultation notes" } -
Sample Request:
curl -X PATCH https://doctors-crm-app-170292-f7f15f33a13e.herokuapp.com/appointments/3 \ -H "Content-Type: application/json" \ -H "Authorization: Bearer <admin_or_doctor_token>" \ -d '{ "status": "Confirmed" }'
-
Returns:
{ "success": true, "appointment": { "id": 3, "date": "2025-11-17T16:00:00", "status": "Confirmed", "notes": "Updated consultation notes", "doctor_id": 1, "patient_id": 2 } }
-
Description: Deletes an appointment from the system by ID.
-
RBAC Permission:
delete:appointments -
Sample Request:
curl -X DELETE https://doctors-crm-app-170292-f7f15f33a13e.herokuapp.com/appointments/3 \ -H "Authorization: Bearer <admin_token>" -
Returns:
{ "success": true, "deleted": 3 }