> ## Documentation Index
> Fetch the complete documentation index at: https://docs.growdental.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Stream a recording (signed-URL target)

> The target of the `302` redirect from `GET /calls/{callId}/recording`.
You normally never construct this URL yourself — follow the redirect.

Auth is the **signed token in the query string** (HMAC-signed,
~15-minute expiry), not the `Authorization` header. Because a signed
link can outlive a kill switch, the issuing key and app are
re-validated on every request: key not revoked, app active, BAA still
signed, and the practice grant (with `recordings:read`) still present.
Revoked or ungranted access returns `401`/`403`/`404` even for an
unexpired token.

On success the audio bytes are streamed through server-side
(`Content-Type: audio/mpeg`, `Cache-Control: private, no-store`) —
the raw storage URL is never exposed. Expired tokens return
`401 token_expired`: request a fresh link via
`GET /calls/{callId}/recording`.




## OpenAPI

````yaml /openapi.yaml get /recordings/stream
openapi: 3.1.0
info:
  title: GrowDental Partner API
  version: '2026-07-04'
  summary: >-
    Programmatic access to GrowDental's voice-AI calling platform for dental
    practices.
  description: >
    The GrowDental Partner API lets platforms and practice-management systems

    integrate with GrowDental's voice-AI calling for dental practices: list the

    practices you have been granted, read call results, fetch recordings,

    trigger outbound calls, and receive signed webhook events.


    **Status: early access.** This specification is the published v1 contract.

    Where the deployed API and this document disagree during early access, the

    discrepancy is a bug — report it and we will reconcile.


    ### Access


    Access is **invite-only**. There is no self-serve signup: partner apps,

    API keys, and practice grants are issued by the GrowDental team. Contact

    [partners@growdental.ai](mailto:partners@growdental.ai) to get started.


    ### Conventions


    - All request and response bodies are JSON; property names are
    **snake_case**
      (`duration_seconds`, `next_cursor`, `enabled_events`).
    - Errors use one envelope everywhere: `{ "error": "<machine_code>",
    "message": "<human text>" }`.

    - Requests referencing practices your app has **not** been granted return
      `404` (never `403`), so practice identifiers cannot be probed.
    - `GET` endpoints never take request bodies; all filters are query
    parameters.

    - Pagination varies by resource: the calls list uses cursor pagination
      (`limit` + `cursor` in, `data` + `next_cursor` out); the call-requests
      list uses `limit` + `offset` with a `pagination` object; the practices
      list is unpaginated.
    - Every `POST` endpoint honors an `Idempotency-Key` header (24-hour replay
    window).

    - Timestamps are ISO 8601 / RFC 3339 UTC strings.


    ### Rate limits


    Per API key: **600 requests/minute** by default; bulk write endpoints

    (call-request creation) have a separate **60 requests/minute** budget.

    Limited requests receive `429 rate_limited` with a `Retry-After` header

    (seconds).


    ### PHI and the BAA gate


    Scopes that expose protected health information (`transcripts:read`,

    `recordings:read`, `intake:write`) are hard-gated in code: they return

    `403 baa_required` until a Business Associate Agreement is on file for

    your app. Webhook payloads are PHI-minimal by design (IDs, outcomes, and

    links); PHI travels only over authenticated API pulls.
  contact:
    name: GrowDental Partnerships
    email: partners@growdental.ai
    url: https://voice.growdental.ai
servers:
  - url: https://voice.growdental.ai/api/partner/v1
    description: Production
security:
  - bearerAuth: []
tags:
  - name: Practices
    description: Practices your partner app has been granted access to.
  - name: Calls
    description: Completed and in-flight calls for granted practices.
  - name: Recordings
    description: Short-lived, signed access to call recordings (PHI — BAA required).
  - name: Call Requests
    description: Trigger outbound voice-AI calls to one or more contacts.
  - name: Webhook Endpoints
    description: Manage the HTTPS endpoints that receive signed event deliveries.
paths:
  /recordings/stream:
    get:
      tags:
        - Recordings
      summary: Stream a recording (signed-URL target)
      description: |
        The target of the `302` redirect from `GET /calls/{callId}/recording`.
        You normally never construct this URL yourself — follow the redirect.

        Auth is the **signed token in the query string** (HMAC-signed,
        ~15-minute expiry), not the `Authorization` header. Because a signed
        link can outlive a kill switch, the issuing key and app are
        re-validated on every request: key not revoked, app active, BAA still
        signed, and the practice grant (with `recordings:read`) still present.
        Revoked or ungranted access returns `401`/`403`/`404` even for an
        unexpired token.

        On success the audio bytes are streamed through server-side
        (`Content-Type: audio/mpeg`, `Cache-Control: private, no-store`) —
        the raw storage URL is never exposed. Expired tokens return
        `401 token_expired`: request a fresh link via
        `GET /calls/{callId}/recording`.
      operationId: streamCallRecording
      parameters:
        - name: token
          in: query
          required: true
          description: Signed recording token issued by `GET /calls/{callId}/recording`.
          schema:
            type: string
      responses:
        '200':
          description: The recording audio.
          content:
            audio/mpeg:
              schema:
                type: string
                format: binary
        '401':
          description: |
            Missing or invalid token (`invalid_token`), expired token
            (`token_expired`), or the issuing API key has been revoked
            (`key_revoked`).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
              example:
                error: token_expired
                message: >-
                  This recording link has expired. Request a new one via GET
                  /api/partner/v1/calls/{callId}/recording.
        '403':
          description: |
            The issuing app is suspended (`app_suspended`) or its BAA is no
            longer signed (`baa_required`).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
              example:
                error: app_suspended
                message: This partner app is suspended.
        '404':
          description: |
            No recording is available for this call — including when the
            practice grant or `recordings:read` scope has been removed since
            the token was issued (404, never 403).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
              example:
                error: not_found
                message: No recording is available for this call.
        '429':
          $ref: '#/components/responses/RateLimited'
        '502':
          description: The recording could not be retrieved from storage — retry.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
              example:
                error: recording_unavailable
                message: >-
                  The recording could not be retrieved from storage. Please try
                  again.
      security: []
components:
  schemas:
    Error:
      type: object
      description: The error envelope used by every non-2xx response.
      required:
        - error
        - message
      properties:
        error:
          type: string
          description: Stable machine-readable error code.
          examples:
            - invalid_api_key
            - insufficient_scope
            - baa_required
            - not_found
            - rate_limited
        message:
          type: string
          description: >-
            Human-readable explanation. Do not parse; codes are stable, messages
            are not.
  responses:
    RateLimited:
      description: Rate limit exceeded for this API key. Honor `Retry-After`.
      headers:
        Retry-After:
          $ref: '#/components/headers/RetryAfter'
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            error: rate_limited
            message: Rate limit exceeded. Retry after 12 seconds.
  headers:
    RetryAfter:
      description: Seconds to wait before retrying.
      schema:
        type: integer
        minimum: 1
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      description: |
        Partner API key sent as a Bearer token:

        ```
        Authorization: Bearer gd_live_...
        ```

        Keys are issued by the GrowDental team (invite-only), shown **once**
        at creation, and stored server-side only as a SHA-256 hash. Key format:
        `gd_live_` (or `gd_test_`) followed by a 43-character base62 secret
        (~256 bits of entropy). To rotate, request a new key, deploy it, then
        ask us to revoke the old one — both keys work during the overlap.

````