Legal & Consent

Retrieving terms, recording consent, and why it gates the assessment

Because this is a medical product, the API hard-gates the assessment behind recorded legal consent. The token you get from /login can only call the terms endpoints; only after POST /terms succeeds do you receive the upgraded token that can start a consultation. You cannot skip this step, cache your way around it, or accept on the user's behalf without showing them the content.

What your UI must do

  1. After login, call GET /terms and render the returned legal content to the end user — headers, paragraphs, checkbox policies, and footer links.
  2. Require an explicit user action (e.g. ticking the checkboxes / pressing "Agree") before posting acceptance.
  3. Post POST /terms with the exact content_version you displayed and all_policies_accepted: true.
  4. Keep the footer_policies links accessible for the duration of the consultation (they are meant to be rendered persistently, e.g. in a footer).

The content is versioned and partner-specific: legal copy can change without an API release, and your partner account may have customised policies. Never hard-code the legal text or the version — always fetch and display what the API returns.

GET /api/v1/terms

GET /api/v1/terms
x-api-key: <api_key>
Authorization: Bearer <initial access_token>

Response 200:

{
  "content_version": "fc150b6fe1034e458a75376b126b52b2d0832f15",
  "messages": [
    {
      "value": "Before you begin",
      "type": "HEADER",
      "format": "PLAIN_TEXT"
    },
    {
      "value": "By continuing, you agree to Healthily [Terms of Service](https://www.healthily.ai/legal-pages/healthily-assessment-tool-terms-and-conditions) and confirm that you have read [How to use Healthily safely](https://www.healthily.ai/legal-pages/how-to-use-the-healthily-self-assessment-tool-safely).",
      "type": "PARAGRAPH",
      "format": "MARKDOWN"
    }
  ],
  "checkbox_policies": [
    {
      "value": "I’d like Healthily to process my health and activity data to show me possible next steps for my reported symptoms as described in the [Summary](https://www.healthily.ai/legal-pages/summary) and [Privacy Policy](https://www.healthily.ai/legal-pages/healthily-assessment-tool-privacy-policy). ",
      "type": "INPUT_HINT",
      "format": "MARKDOWN"
    }
  ],
  "footer_policies": [
    {
      "value": "[Terms](https://www.healthily.ai/legal-pages/healthily-assessment-tool-terms-and-conditions)",
      "type": "OTHER",
      "format": "MARKDOWN"
    },
    {
      "value": "[Privacy Policy](https://www.healthily.ai/legal-pages/healthily-assessment-tool-privacy-policy)",
      "type": "OTHER",
      "format": "MARKDOWN"
    },
    {
      "value": "[Safe Use](https://www.healthily.ai/legal-pages/how-to-use-the-healthily-self-assessment-tool-safely)",
      "type": "OTHER",
      "format": "MARKDOWN"
    },
    {
      "value": "[About](https://www.healthily.ai/legal-pages/certificates)",
      "type": "OTHER",
      "format": "MARKDOWN"
    }
  ]
}
FieldMeaning
content_versionVersion identifier of this legal content — an internal hash of the delivered terms. Echo it back verbatim when accepting, to prove you retrieved them first.
messagesIntroductory legal copy — headers and paragraphs, in display order.
checkbox_policiesPolicies requiring explicit acknowledgement. Render each with a checkbox (or an equivalent explicit-consent control).
footer_policiesPolicy links to keep visible throughout the consultation experience.

All entries use the standard Message shape (value / type / format) — respect the format (PLAIN_TEXT, MARKDOWN, or HTML) when rendering.

POST /api/v1/terms

POST /api/v1/terms
x-api-key: <api_key>
Authorization: Bearer <initial access_token>
Content-Type: application/json

{
  "content_version": "1.0",
  "all_policies_accepted": true
}

Response 200 — see Authentication:

  • login_response.access_token — the upgraded token; use it for everything that follows.
  • onboarding_response — ready-made age_question, gender_question, and symptoms_question objects (standard Question shape) for rendering your onboarding screen from API-supplied copy and constraints.

Acceptance is recorded server-side (with the version accepted) against the session, satisfying the audit requirement. If the user declines, simply do not proceed — there is no "decline" call; without acceptance the medical endpoints remain inaccessible.

Disclaimers during and after the assessment

Consent at the start is not the only legal surface:

  • The final report includes disclaimer_messages — render them with the report, unmodified (see Reports).
  • Emergency-level outcomes carry explicit instructions (e.g. call emergency services). Do not suppress, reorder, or soften them.