Authentication and scope model for external applications
External developers authenticate with SMART on FHIR Authorization Code + PKCE. Tokens are validated by the proxy before access is granted to upstream FHIR APIs.
| Endpoint | Path |
|---|---|
| Authorize | /AadSmartOnFhirProxy/authorize |
| Token | /AadSmartOnFhirProxy/token |
| FHIR base | /fhir |
| Discovery | /fhir/metadata |
Concrete hostnames are provided in partner onboarding artifacts.
| Scope tier | Scopes |
|---|---|
| Baseline | user_impersonation |
| Launch | launch, launch.patient |
| Patient | patient.*.read |
| Extensions | Additional read scopes by approval |
Scope grants are configured per app registration during onboarding.
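As an added example (not part of this document or the proxy's own code), the client side of the Authorization Code + PKCE flow described above: generating an RFC 7636 S256 verifier/challenge pair, building the authorize request against the proxy path with the baseline and patient scopes, shaping the token request for a public client, and the check the token endpoint performs on the verifier. The hostname, client ID, redirect URI and state are placeholders; the `aud` parameter is the SMART App Launch requirement to name the FHIR base the token is intended for.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Hypothetical host; concrete hostnames come from partner onboarding artifacts.
PROXY_BASE = "https://fhir-proxy.example.com"
AUTHORIZE_PATH = "/AadSmartOnFhirProxy/authorize"
TOKEN_PATH = "/AadSmartOnFhirProxy/token"
FHIR_BASE = "/fhir"


def make_code_verifier(n_bytes: int = 32) -> str:
    # RFC 7636 4.1: 43..128 unreserved chars; 32 random bytes -> 43 chars unpadded.
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode()


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(verifier))) with padding stripped.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorize_url(client_id: str, redirect_uri: str, scopes: list[str],
                        state: str, code_challenge: str) -> str:
    # redirect_uri must exactly match one registered during onboarding.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,                       # bound to the session; checked on return
        "aud": PROXY_BASE + FHIR_BASE,        # SMART: the FHIR server the token is for
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",      # never "plain" for a public client
    }
    return f"{PROXY_BASE}{AUTHORIZE_PATH}?{urlencode(params)}"


def build_token_request(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    # Public client: no client_secret; the verifier proves the same party started the flow.
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id, "code_verifier": verifier}


def token_endpoint_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    # What the authorization server does: recompute and compare in constant time.
    return secrets.compare_digest(stored_challenge, make_code_challenge(presented_verifier))
```

The token request is a form-encoded POST to `PROXY_BASE + TOKEN_PATH`; a verifier that does not reproduce the stored challenge is rejected before any token is issued.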
| Registration field | Requirement |
|---|---|
| Application name | Legal or product name shown to members |
| Redirect URIs | All exact callback URIs for your environments |
| Client type | Public (PKCE) or Confidential |
| Support contacts | Security and operational contacts for incident response |
Credentials are issued after application review and approval.