Sandwich Docs — MCP, Sandwich Pipe, Sandwich Soft

The Sandwich MCP server exposes a small toolbelt to any AI assistant that speaks the Model Context Protocol. A caregiver mints a key in the Sandwich app, pastes it into Claude Desktop, Cursor, or a custom agent, and the assistant can immediately query their own loved ones and recent care events — scoped to their own workspace, nothing more.

v1 tools:

ping

Smoke test. Returns the verified caller's uid, tenant, and auth method.

get_user_profile

The caller's own uid, email, tenant type, and linked workspace.

list_loved_ones

Loved ones on the caller's family workspace.

list_care_events

Recent care events from Sandwich Pipe, per loved one or aggregated.

Read full docs → Mint a key

What it is

Every email about Helen — discharge summaries, pharmacy refills, cardiology reminders, insurance EOBs, attorney correspondence — lands in one place. Every sibling sees it. Nobody is out of the loop because they weren't the one holding Mom's phone.

Each loved one gets a private, dedicated email address:

Example addresstext

helen-MKR47@inbox.joinsandwich.com

Give that address to Helen's doctor, pharmacy, insurance company, attorney — anyone who sends emails about her care. The whole family sees what arrives, in real time.

How it works

1. Sign up

Create a Sandwich account and add Helen as your loved one. An inbox address is generated instantly — no configuration needed.

2. Helen gets her inbox

Share the address with Helen's providers as a second contact email (Option A) or as her primary provider email with automatic forwarding to her personal inbox (Option B).

3. Tell her providers

Use the built-in provider toolkit: a letter-to-providers PDF, a printable wallet card Helen can hand to intake desks, and a shareable link for staff to learn what Sandwich is.

Address format

The address format is locked: {first_name}-{3 letters}{2 digits}@inbox.joinsandwich.com. The 5-character code is shaped like a zipcode — a mental model every American adult already has — so it's easy to dictate at a hospital intake desk: “helen, dash, M-K-R, four, seven.”

Senior opt-in

Two flows so the senior can participate however makes sense for their situation:

Option A — Add as second email. Helen gives providers this address alongside her personal email. They CC both. She keeps reading her own inbox; the family sees a copy. Best for cognitively healthy seniors who want family in the loop without changing anything.
Option B — Primary with forwarding. Helen tells providers to send everything here. Sandwich auto-forwards each message to her personal Gmail too, so her experience doesn't change — but the family also sees what arrives. The forwarding is invisible to the senior and transparent to the family.

FAQ

Will providers actually accept this?
Yes — because you're asking them to do something they already do. Every EHR scheduling system, pharmacy management system, and patient intake form already has an “alternate contact email” field. You're just filling it with a better value. No new workflow, no new system.

What about HIPAA?
HIPAA's personal-representative doctrine (45 CFR §164.502(g)) gives a designated family member the right to specify a confidential-communications address that providers must use. You're not asking providers for cooperation — you're asking them to honor a right the patient already has. See HHS guidance.

Does the senior have to give up their existing email?
No. Providers can keep sending to Helen's personal email too.

Can I change the inbox address?
Addresses are generated once and preserved indefinitely — providers may have it in their systems for years. If you need a new address (e.g., a compromised address), you can rotate it from settings. The old address forwards for 90 days, then stops. Old messages are always preserved.

Can other family members see the same inbox?
Yes. That's the whole point. Every sibling you invite to your Sandwich workspace sees the same inbox. You can assign roles (owner, coordinator, viewer) and everyone gets a per-sibling read indicator so you always know who has seen what.

What if my mom and aunt have the same first name?
Each loved one gets their own inbox address with a different 5-character code. Two Helens in the same family might have helen-MKR47@… and helen-QPL23@… — distinct addresses, distinct inboxes, no confusion.

What happens to messages — do they get summarized?
Every inbound message gets an AI pass that generates a one-line summary and classifies it into a category (appointment, pharmacy, billing, discharge, etc.). The summary appears in the inbox list view so you can triage at a glance without opening every message.

Zero institutional cooperation required. Every doctor, pharmacy, attorney, and insurer already speaks email. Sandwich Family Inbox is just a better address for the field they already fill in.

What it is

Sandwich Pipe is the private-link layer between care-data producers and Sandwich's family-facing app. Think of it as Plaid for caregiving: agencies, EHRs, and home- health platforms push structured events at Sandwich Pipe, and Sandwich lights up the right loved-one record for the right family in real time.

Why a pipe

Neutral shape. One event schema — institution_id, subject_ref, event_type, payload — lets us onboard any partner without redesigning the app.
Signed and replayable. Every request carries X-SandwichPipe-Signature: sha256=…, computed over the raw body with a per-partner secret. Replays are cheap; forgeries are not.
Fire-and-forget on the partner side. Partners never block their own workflow waiting on Sandwich. If Sandwich Pipe is down, events are queued and retried with exponential backoff.

Event envelope

POST https://api.joinsandwich.com/sandwichpipe/v1/eventsjson

{
  "institution_id": "sandwichsoft-sunrise-home-care",
  "subject_ref":    "client_8c1f",
  "event_type":     "visit_ended",
  "occurred_at":    "2026-04-16T21:04:00Z",
  "payload": {
    "caregiver_id":      "caregiver_maria_r",
    "actual_end":        "2026-04-16T21:04:00Z",
    "duration_minutes":  92
  }
}

Signature

Compute HMAC-SHA256(raw_body, partner_secret) and send the hex digest prefixed with sha256=. Sandwich verifies in constant time and rejects anything older than 5 minutes (clock-skew tolerant).

pseudocodets

const sig = "sha256=" + hmacSha256Hex(secret, rawBody);
headers["X-SandwichPipe-Signature"]   = sig;
headers["X-SandwichPipe-Institution"] = institutionId;
headers["X-SandwichPipe-Timestamp"]   = new Date().toISOString();

Event types (v1)

visit_started

A caregiver clocked in at a client's home.

visit_ended

Clock-out. Includes caregiver ID, end time, and duration.

note_added

A caregiver observation was logged, with raw text or a structured summary.

med_administered

A medication dose was administered. Includes medication name, amount, unit, and administrator.

vital_recorded

A vital sign was recorded — blood pressure, heart rate, glucose, weight, oxygen saturation, or temperature.

Family share is opt-in per client. An agency using Sandwich Soft toggles family share on a client record, which provisions a per-client shared secret and starts forwarding that client's events to Sandwich Pipe. Toggle it off and events stop at the agency boundary.

Becoming a partner

Sandwich Soft agencies get Sandwich Pipe for free — it's wired into clock-in and clock-out. Outside partners (EHRs, hospital discharge systems, other agency platforms) can email hello@joinsandwich.com for a sandbox secret and a signed integration agreement.

What it is

Sandwich Soft is the operating system for home-care agencies. Each agency is a tenant with its own subdomain — sunrise-home-care.soft.joinsandwich.com — and its own admin dashboard, caregiver roster, client list, visit schedule, and message thread.

Who uses it

Agency admins manage clients, caregivers, and schedules from the web dashboard. They own the book of record.
Caregivers open the agency URL on their phone, sign in, and use the mobile portal at /me — pick a shift, clock in, log a note, clock out.
Families don't use Sandwich Soft directly. They use the Sandwich app, and data flows to them through Sandwich Pipe when family share is on.

Data model

Every record is namespaced to a tenant — no cross-tenant reads, ever.

Firestore path shapetext

tenants/{tenant_id}/
  staff/{uid}             # caregivers & admins
  clients/{client_id}     # +family_share_enabled, +secret_hash
  visits/{visit_id}       # scheduled + in-progress + completed
  notes/{note_id}         # observations, vitals, med confirmations
  media/{media_id}        # photos taken during a visit
  messages/{msg_id}       # threads per client

Caregiver portal

Sandwich Soft's /me route is a phone-first webapp. Caregivers see their open shifts, pick one, clock in with a single tap, write a note, attach a photo, and clock out. Each action emits a Sandwich Pipe event if the client has family share on — no extra work for the caregiver.

Family share toggle

toggle in admints

// admin flips family share for a client
await enrollFamilyShare(tenantId, clientId);
// → generates secret, stores sha256 hash on client row,
// → sends secret one-time to admin via secure download

// every clock-out after this call
emitFamilyShareEvent({
  tenantId, clientId,
  eventType: "visit_ended",
  payload: { durationMinutes, noteExcerpt }
});

Why it matters

Families stop calling the agency for updates. They already have them in Sandwich.
Agencies get a differentiator without writing a family app. Sandwich Pipe is the family app.
Sandwich gets first-party, signed, structured care data — the foundation that makes the MCP tools actually useful.

One stack, three audiences. Families use Sandwich. Agencies run on Sandwich Soft. AI assistants speak through the MCP. The pipe is the connective tissue.