> ## Documentation Index
> Fetch the complete documentation index at: https://api.idunox.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Partner auth probe

> Validate your API key and confirm your credentials are active.

Use this endpoint to validate that your API key is active and resolves to a valid account. Returns `204` when credentials are valid — no body.

| Response           | Meaning                    |
| ------------------ | -------------------------- |
| `204 No Content`   | Credentials are valid      |
| `401 Unauthorized` | Missing or invalid API key |
| `403 Forbidden`    | Account inactive           |

<Note>
  This endpoint returns `204` with no body. Contact `partner@idunox.com` to confirm your Health Yourself account setup.
</Note>

## Example request

```bash theme={null}
curl -H "Authorization: Bearer <your-api-key>" \
     https://api.idunox.com/v1/partner-auth-probe
```


## OpenAPI

````yaml GET /v1/partner-auth-probe
openapi: 3.1.0
info:
  title: IduScore Partner & Platform API
  description: >-
    Partner-facing JSON API for de-identified clinical submissions (canonical
    Type A, not FHIR at ingestion).


    **Authentication:** Send `X-Api-Key: <key>` **or** `Authorization: Bearer
    <key>` on every `/v1/*` request (except preflight `OPTIONS`).


    **Writes (`POST`):** Client MUST send non-empty `x-correlation-id` and
    `Idempotency-Key`. The server does not synthesize these from the request id.


    **Tenant scope:** Credentials resolve to a tenant; all IDs are tenant-scoped
    (cross-tenant access returns `404` where applicable).


    **Request id:** Responses may echo `x-request-id` when the client sent it;
    otherwise the server generates one (see error envelope `requestId`).


    **Partner responses:** Read APIs return **IduScore wellbeing** language only
    — stable `wellbeing.*` outcome ids,

    plain-English labels, and optional `notices[].message` lines (no internal
    warning codes or model identifiers).

    Use **`GET /openapi.yaml`** for request/response examples aligned with this
    contract.



    ---

    **Merged spec (this file):** includes **Platform** and **Diagnostics** paths
    from the service implementation in addition to the **Type A** `/v1` product
    routes. The slimmer `type-a-partner-v1.*` files are the same contract for
    submissions, jobs, and results.
  version: 0.1.0
  license:
    name: Proprietary
servers:
  - url: https://api.idunox.com
    description: Production partner API (documented base URL for examples and playground)
security: []
tags:
  - name: Submissions
    description: Ingestion and submission reads
  - name: Jobs
    description: Processing job status
  - name: Results
    description: Inference / scoring results
  - name: Webhooks
    description: >
      Outbound HTTPS callbacks the platform may POST to a URL you register (not
      paths on the IduScore Partner API;

      `/_reference/...` entries document payload and headers for your
      implementer only).
  - name: Platform
    description: >-
      Liveness, readiness, and OpenAPI document discovery. **No API key**
      required.
  - name: Diagnostics
    description: >-
      Validates the same **partner API key** and (for `POST`) write headers as
      other `/v1` routes. Returns `204` when valid.
paths:
  /v1/partner-auth-probe:
    get:
      tags:
        - Diagnostics
      summary: Validate partner API key (read)
      description: >-
        No body. Returns `204` when `X-Api-Key` or `Authorization: Bearer` is
        valid for a tenant.
      operationId: getPartnerAuthProbe
      parameters:
        - $ref: '#/components/parameters/HeaderRequestIdOptional'
      responses:
        '204':
          description: Valid credentials
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
      security:
        - partnerApiKey: []
        - partnerBearer: []
components:
  parameters:
    HeaderRequestIdOptional:
      name: x-request-id
      in: header
      required: false
      schema:
        type: string
      description: Optional; echoed when possible. Server generates when absent.
  responses:
    Unauthorized:
      description: Missing or invalid API key
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorEnvelope'
          example:
            error:
              code: INVALID_API_KEY
              message: Invalid or expired API key
              requestId: 550e8400-e29b-41d4-a716-446655440000
    Forbidden:
      description: >-
        Tenant inactive, `partnerId` mismatch, or submission restricted to
        another credential via `metadata.partnerId`
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorEnvelope'
  schemas:
    ErrorEnvelope:
      type: object
      required:
        - error
      properties:
        error:
          type: object
          required:
            - code
            - message
            - requestId
          properties:
            code:
              type: string
              description: Machine-readable error code (e.g. VALIDATION_ERROR, NOT_FOUND).
            message:
              type: string
            requestId:
              type: string
            correlationId:
              type: string
              description: >-
                Present when the request established a correlation id (writes
                always send `x-correlation-id`).
            details:
              description: Optional structured validation or domain hints (shape varies).
      description: Matches `errorEnvelopeSchema` in src/lib/error-envelope.ts
  securitySchemes:
    partnerApiKey:
      type: apiKey
      in: header
      name: X-Api-Key
      description: Plaintext API key issued for the tenant (stored hashed server-side).
    partnerBearer:
      type: http
      scheme: bearer
      bearerFormat: opaque
      description: Same secret as X-Api-Key, sent as a Bearer token.

````