Viewing as
DOORCTA · FOR PATIENTS

Tell us what hurts. Talk to a doctor in under 30 seconds.

Type your symptoms. Doorcta's AI triages the urgency, the matcher finds you a verified doctor in under 30 seconds, the consult runs over secure video, and the prescription lands in your OneHealth record. One credit per consult. Hold released if anything goes wrong.

Get matchedHow it works
As a patient, Doorcta gives you a one-screen intake, a triage layer that escalates a true emergency before it asks for more details, a verified doctor in under 30 seconds, and a record of the consult that lives in OneHealth so it follows you across every Fastclinic product. One credit per consult on the FastCredits ledger; the hold releases automatically if the match fails or you cancel.
01 / 07

1 · Tell us what hurts

The intake screen asks four things — symptoms, body area, duration, severity — and that's it. The screen also tells you the promise up front: matched in under 30 seconds. The triage agent will read what you write and decide urgency before the matcher even starts; you do not need to pick a specialty, you do not need to know what kind of doctor you need, and you do not need to fill out a 12-page form. The deeper architectural decision is that the Doorcta intake captures only the fields the triage agent uses, because every field that's not used is a data-protection cost without a clinical benefit.

10:42MTN5G
Tell us what hurts
Matched in under 30 seconds
Find a doctor
AI triage · routed to a licensed doctor
02 / 07

2 · AI triages your intake

The triage agent reads your symptoms and classifies urgency on a three-level scale — routine, urgent, emergency — plus a suggested specialty (cardiology, family medicine, paediatrics, internal medicine). It runs on Opus because triage is the load-bearing call of the whole flow; getting urgency wrong is more costly than getting routing wrong. The triage invariant is one-way — urgency can only be increased, never decreased — and a deterministic red-flag pre-check runs before the LLM. If you write 'chest pain' or 'shortness of breath', the pre-check forces an emergency escalation regardless of what the model says.

10:42MTN5G
Doorcta · Triage
Reading your symptoms · ~2s
  • Red flag scan · deterministicDone
  • Specialty routing · deterministicDone
  • Urgency classification · OpusLive
  • Output validation · schemaWait
Triage by AI · routed to a licensed doctor · no diagnosis
03 / 07

3 · Red-flag detected → 112

If the triage layer or the red-flag pre-check flags an emergency, Doorcta surfaces Nigeria's national emergency number (112, NEMSAS-routed) before the consult flow continues. The screen names the matched keywords so you know why we escalated, and offers both paths in parallel — call 112 right now AND continue with a Doorcta consult — because escalation is not a block. The architectural decision is that an emergency-flagged user should not have the consult flow taken away; both can run. The deterministic pre-check is what makes this safe — the AI cannot down-rank an emergency the keywords already caught.

10:42MTN5G
Emergency detected
Doorcta picked up a red flag in your symptoms.
Chest pain
Call 112 now
112 is Nigeria's national emergency line · NEMSAS-routed
Continue with Doorcta consult
Escalation, not block · you can do both
04 / 07

4 · Matching · under 30 seconds

The matcher pulls every doctor who is online, verified, and below their maxConcurrent ceiling, then scores each one against five weighted factors — specialty match, urgency-to-emergency-certified alignment, recency-weighted rating, response rate, current load. The screen shows you progress in real time: the count of considered candidates, the elapsed milliseconds, the current state (searching, scoring, awaiting doctor response). The under-30-seconds promise comes from this layer; the websocket pushes every state transition so you do not poll.

10:42MTN5G
Doorcta · Matching
00:18
Matching
12 doctors considered
  • Specialty · Cardiology
  • Location · Lagos
  • Language · Hausa-speaking
Average match time · under 30s
05 / 07

5 · Doctor matched · 8 seconds to confirm

The match-found screen names the doctor, their specialty and their hospital, the recency-weighted rating, and the count of consults they have completed. It shows the five scoring factors as small pills so you can see why this doctor was chosen. You have a 10-second confirm window — the patient confirm timer (PATIENT_CONFIRM_TIMEOUT_MS = 10_000) — to either confirm or pick another. If you confirm, the consult starts; if you pick another, the matcher releases this doctor's claim and starts the next attempt against the next-ranked candidate, up to the 10-attempt reassignment ceiling.

10:42MTN5G
Doctor matched · 8.7s left to confirm
Dr. Adesina Bello
Cardiology · LUTH Lagos
4.9 · 1,240 consults
Specialty 1.0Urgency 0.9Rating 0.98Response 0.95Load 0.4
Confirm · 8s
Find another
Scored algorithmically · re-ranked by AI
06 / 07

6 · The consult — incoming call

The consult opens with an incoming call screen. The doctor is named, the specialty is named, the consult ID is shown, and the call rings. The hold against your FastCredits account is already in place — the credits moved from your balance into your held column the moment the matcher started. If the call drops or anything fails before the doctor answers, the hold releases and the credits return to your balance. Pickup transitions to the live consult.

10:42MTN5G
Incoming consult
Dr. Adesina Bello
Cardiology · LUTH Lagos
Decline
Accept
End-to-end encrypted · NDPA 2023 compliant
07 / 07

7 · Live consult · video over Daily

The live consult runs over Daily.co — a regulated video provider with end-to-end encryption, in a Nigerian-region. You see the doctor; the doctor sees you. The control bar offers mute, camera off, and an end-consult button that the doctor can also fire from their side. The realtime layer is the same websocket that delivered the match event; chat messages flow alongside the video. Below the consult area the screen reminds you that the call is end-to-end encrypted and NDPA 2023 compliant — the regulatory frame is named, not implied.

10:42MTN5G
Doctor · Live00:04:12
Mute
Camera off
End consult
End-to-end encrypted · NDPA 2023 compliant
What you get

Verified doctor in under 30 seconds

The matcher only considers doctors who are online, MDCN-verified, identity-checked, and below their concurrency ceiling. The 15-second response timer plus the 10-attempt reassignment ceiling caps the worst case at minutes; the 5-factor scorer plus the websocket layer makes the typical case under 30 seconds.

Triage that escalates before it asks

A deterministic red-flag pre-check runs before the AI; the AI is one-way (urgency can only increase). A true emergency is escalated to 112 before the consult flow continues, but the consult flow remains available because escalation is not a block.

One credit per consult, deterministic

1 credit equals 1 naira on the FastCredits ledger; the consult cost is fixed at 1 credit. The hold is placed at match start and released automatically if the match fails or you cancel. The reference grammar is consultation:<id>, so retries never double-debit.

Notes that follow you in OneHealth

Consult notes and prescriptions land in OneHealth, not in Doorcta. They are envelope-encrypted, audit-chained, and retrievable through OneHealth's patient surface — so the record is yours and stays consistent across every Fastclinic product that touches it.

Capabilities

AI base
  • Triage agent on Opus · single-shot classifier
  • Deterministic red-flag pre-check · runs before LLM
  • Triage invariant · urgency only increases
  • All AI calls audit-logged · input/output/tools/guardrails
  • Healthcare guardrails non-negotiable · no diagnosis, no Rx
  • Single import boundary · ai/base.ts is the only call site
Match state machine
  • DOCTOR_RESPONSE_TIMEOUT_MS = 15s · accept/decline window
  • PATIENT_CONFIRM_TIMEOUT_MS = 10s · confirm window
  • MAX_REASSIGNMENT_ATTEMPTS = 10 · ceiling on retries
  • Doctor pool gate · online + verified + capacity
  • Atomic claim · Redis SETNX with 20s TTL
  • 5-factor scorer · BASE_WEIGHTS tunable without redeploy
Cost & credits
  • CONSULTATION_COST = 1 credit · 1 credit = 1 naira
  • Hold at match start · capture at consult end
  • Release on cancel · release on match failure
  • Reference grammar · consultation:<id>
  • Idempotent retries · UNIQUE(account_id, reference)
  • Doubly-delivered webhooks converge on one debit
Records & PHI
  • Notes flow to OneHealth · POST /v1/records
  • Doorcta keeps no PHI · only the OneHealth record ID
  • Envelope encryption · per-record DEK + UUIDv5 AAD
  • Audit-chained on write · 7-year retention
  • Patient retrieves through OneHealth · single product surface
  • Provenance-tagged on prescription · MDCN signature
Realtime & video
  • Websocket gateway · per-app channel
  • Match events push · no polling
  • Daily.co video · per-session rooms + tokens
  • End-to-end encryption · regulated video provider
  • Chat over the same socket as match events
  • Connection-quality telemetry · admin throughput surface
Verification & compliance
  • MDCN registration verified · mdcn.gov.ng
  • Didit identity check · ID document + face match
  • Selfie liveness · prevent stolen-photo onboarding
  • Re-verify quarterly · suspend on registry change
  • NDPA 2023 compliant · controller Fastclinic Limited
  • African data residency · single Nigerian region

Integrations

Fastclinic
FastLogin

FastLogin is identity. Patient app and Doctor app are OAuth2/OIDC clients of FastLogin (the doorcta-mobile authorization-code-with-PKCE client) and the Doorcta server-to-server callers use the doorcta-server client_credentials grant. Tokens are 15-minute access plus 24-hour refresh with rotation; JWKS is cached for 5 minutes with a singleflight group on unknown-kid lookup. Doctor onboarding routes through FastLogin's KYC handoff (Didit identity-document verification + selfie liveness) before the doctor can flip to verificationStatus=active in the doctor pool. The middleware classifies tokens by client_id because Hydra 2.x stamps sub=client_id on client_credentials tokens.

Fastclinic
FastCredits

FastCredits is the credit ledger. Doorcta calls POST /v1/accounts/:id/hold at match start with the deterministic reference consultation:<id>, captures through POST /v1/holds/:id/capture at consult end, and releases through POST /v1/holds/:id/release on cancel or match failure. CONSULTATION_COST is 1 credit. The single-writer 409-is-success invariant applies: a 409 from a retry is a confirmation that the prior call succeeded and the response was lost, not an error to surface to the patient. The duration_seconds parameter is now honoured (post-OH-09 fix); Doorcta passes the consult's expected lifetime so the hold does not silently default to 10 minutes.

Fastclinic
OneHealth

OneHealth is the record store. Doctor consult notes and any prescription land via POST /v1/records — envelope-encrypted with a per-record DEK, AAD bound to a UUIDv5 derived from the record ID, audit-chained on write. Doorcta stores only the OneHealth record ID locally for the link-back; the body is OneHealth's. The architectural decision is that PHI lives in one product so a patient can retrieve it through one surface. The same record API is used by the doctor's prescription pad — a Sign + send to OneHealth call writes the prescription as a Provenance-tagged record bound to the consult.

External
Daily.co

Daily.co is the video provider. Each consult provisions a per-session room and a per-participant token through doorcta/server/src/video/daily.ts; the rooms are end-to-end encrypted; tokens expire with the consult. The architectural decision is to use a regulated video provider with E2E encryption rather than build a media server — Daily handles SFU, NAT traversal, codec negotiation, and the regulated-region routing that lets us keep the media path inside Africa. The Daily API call is the only routine cross-border edge in the Doorcta data flow; it carries metadata, never PHI.

Compliance & safety

NDPA 2023 — controller Fastclinic Limited (RC 1919428)

Doorcta processes the personal-data fields it needs to operate the consult — the FastLogin user identifier, the chat transcripts, the call metadata, the rating and free-text feedback — under NDPA 2023 §25 lawful bases. The data controller is Fastclinic Limited, RC 1919428, registered in Lagos. The data-processing record is updated alongside every release that touches a new dataset or a new processor. We do not claim NDPC processor registration; that filing is in progress. Clinical content (consult notes, prescriptions) is held by OneHealth under the same controller, not by Doorcta — the architectural separation matches the legal separation.

NDPA 2023
MDCN registration — verified before live pool

Doctors do not self-onboard into the live pool. The onboarding flow uploads the MDCN (Medical and Dental Council of Nigeria) registration number plus a government ID and a selfie liveness; the admin panel runs the manual checks against the MDCN public registry; only when the doctor's verificationStatus flips to active can they go online. Re-verification runs quarterly; suspension on registry-status change is enforced. The pool query gates on both isOnline=true and verificationStatus=active, so the matcher only ever surfaces a verified clinician.

MDCN public registry
Healthcare guardrails — no diagnosis, no prescription from AI

The AI base is a triage and red-flag-detection layer. It does not diagnose; it does not prescribe. Every agent registered in doorcta/server/src/ai/agents/ declares which guardrails apply to it, and the healthcare guardrails (no diagnosis, no prescription) are non-negotiable. Diagnosis and prescribing happen exclusively in the doctor's app, signed by an MDCN-licenced clinician. The deterministic red-flag pre-check runs before the LLM and forces an emergency escalation on a small set of keywords regardless of what the model says, so the AI cannot down-rank a true emergency.

Source — doorcta CLAUDE.md AI base
African data residency — single Nigerian region

Postgres, Redis, and the Daily.co video region all run in or close to a Nigerian-region AWS account that the Fastclinic Limited data controller operates. The chat messages live in the Doorcta database for the consult lifetime; clinical data flows to OneHealth at consult end. Cross-border transfer is limited to specifically-named processors under signed agreements (Daily.co for video media, Paystack for the FastCredits cash on-ramp). The architectural decision is a single residency posture across the ecosystem: the patient's data does not jump regions when they switch from the Doorcta app to OneHealth or to FastCredits.

Master spec — residency policy
Audit posture — every AI call, every match, every consult

Every AI base interaction is audit-logged: input, output, tool calls, guardrail flags, token usage. Every match-state transition is audit-logged through the state machine. Every consult is bracketed by startConsultation and endConsultation events with timestamps, doctorId, patientId, and the FastCredits hold reference. Doorcta itself does not hold PHI; the consult notes and any prescription audit-chain against OneHealth's hash-chained log on POST /v1/records. The 7-year retention applies to the OneHealth audit chain, which is where the clinical record of every consult is anchored.

OneHealth audit posture

Plain answers

Tell us what hurts. We'll match you.

One credit per consult. Verified doctor in under 30 seconds. Notes follow you in OneHealth. Hold releases automatically if the match fails or you cancel. Get a FastLogin account and the Doorcta app is one of the products it unlocks.

Get matchedRead the docs