Squadrons

Reputation: 2577

RESTful API endpoints and differing permissions/abilities

Say I have an app for patients and doctors.

Patients should be able to access their information at `site.com/api/patients/`.

Doctors should be able to access information about the patients as well, but would receive different information than the patients.

I can imagine two ways of handling this:

api/patients with logic to split between different permissions

OR

api/patients for patients AND api/doctors/patients for doctors getting information about patients

This seems relatively fine, but then I started thinking about what happens when both a doctor AND a patient can add tasks for a patient.

api/patients/tasks/ for a patient to add a task BUT api/doctors/patients/tasks, which gets pretty bad as far as nesting goes (where I believe it might be better to limit the depth of my routes).

Is it simply better to have api/patients and check for whether the user is a doctor or a patient or to nest resources? What is the consensus on best practice (if there is one)?

It would be nice to have API endpoints like:

api/tasks/
api/patients/
api/doctors/

which keeps things simple, and then control permissions/authentication with a token or query string.

Upvotes: 0

Views: 1131

Answers (1)

Eric Stein

Reputation: 13682

Definitely don't do api/doctors/patients, etc.

Should this be two different APIs, one for Doctors and one for Patients? It depends on how much overlap of functionality there is.

In any event, you should already be tracking authentication/authorization information for your users. Otherwise you'll have doctors modifying patients who don't go to them. Use the auth info to determine what values/options are supported for the caller.

I assume you're handling the case where I copy Dr. Bob's token/query string and send my own requests?

Upvotes: 1
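A sketch of the single-endpoint approach the answer recommends, added here as an example (it is not code from the question or the answer): one `api/patients/{id}` route, where the caller's server-side verified identity, not the URL or a client-supplied role, decides both whether the record is reachable and which fields come back. The sample data, `Principal`, `_authorize` and `handle` are constructed for illustration.

```python
from dataclasses import dataclass
# Constructed sample data (hypothetical): patient records and the doctors
# who treat each patient. A real service would load these from its database.
PATIENTS = {
    "p1": {"name": "Alice", "dob": "1990-01-01", "billing": "paid", "notes": "BP check"},
    "p2": {"name": "Bob", "dob": "1985-06-30", "billing": "due", "notes": "labs pending"},
}
CARE_TEAM = {"p1": {"d1"}, "p2": {"d2"}}   # patient id -> doctor ids treating them
PATIENT_VIEW = ("name", "dob", "billing")  # what a patient sees of their own record
DOCTOR_VIEW = ("name", "dob", "notes")     # what a treating doctor sees

@dataclass(frozen=True)
class Principal:
    # Identity established server-side from a validated token, never from a query string.
    subject: str
    role: str  # "patient" or "doctor"

class NotFound(Exception): pass
class Forbidden(Exception): pass

def _authorize(principal, patient_id):
    """Return the record if the caller may act on this patient, else raise."""
    record = PATIENTS.get(patient_id)
    if record is None:
        raise NotFound(patient_id)
    if principal.role == "patient" and principal.subject == patient_id:
        return record
    if principal.role == "doctor" and principal.subject in CARE_TEAM.get(patient_id, set()):
        return record
    raise Forbidden(patient_id)  # authenticated, but not entitled to this patient

def get_patient(principal, patient_id):
    record = _authorize(principal, patient_id)
    view = PATIENT_VIEW if principal.role == "patient" else DOCTOR_VIEW
    return {k: record[k] for k in view}

def add_task(principal, patient_id, text):
    _authorize(principal, patient_id)  # same ownership rule for writes as for reads
    return {"patient": patient_id, "text": text, "created_by": principal.subject}

def handle(principal, method, patient_id, text=None):
    # Map the checks above to HTTP-style status codes for one /api/patients/{id} route.
    try:
        if method == "POST":
            return 200, add_task(principal, patient_id, text)
        return 200, get_patient(principal, patient_id)
    except NotFound:
        return 404, None
    except Forbidden:
        return 403, None  # or 404, if you would rather not confirm the id exists
```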
