SMART on FHIR Registration

SMART Enabled Apps are supported.

SMART client can be registered at. For example https://${Server_Name}/api/fhir_resgistration.php

You can regiseter the app by posting your client name , redirect uri for your client and weather the client will be confidential or public.

There is additional parameter for confidential clients based on their launch. If the clinet wants an EHR launch or App standalone launch.

If the registeration is completed successfully a client_id will be genrated. There will also be a client secret genrated if the client is confidential.

Nth Technologies standard endpoints Use https://${Server_Name}/api/ as base URI.

Note that the default component can be changed to the name of the site when using Nth Technologies's multisite feature.

Example: https://${Server_Name}/api/fhir.php/patient/1 returns a patient resource with id =1

The Bearer token is required for each Nth Technologies API request, and is conveyed using an Authorization header. Note that the Bearer token is the access_token that is obtained in the above Authorization section.

Request:

curl -X GET 'https://${Server_Name}/api/fhir.php/patient/1 \
   'Authorization: Bearer eyJ0b2tlbiI6IjAwNmZ4TWpsNWhsZmNPelZicXBEdEZVUlNPQUY5KzdzR1Jjejc4WGZyeGFjUjY2QlhaaEs4eThkU3cxbTd5VXFBeTVyeEZpck9mVzBQNWc5dUlidERLZ0trUElCME5wRDVtTVk5bE9WaE5DTHF5RnRnT0Q0OHVuaHRvbXZ6OTEyNmZGUmVPUllSYVJORGoyZTkzTDA5OWZSb0ZRVGViTUtWUFd4ZW5cL1piSzhIWFpJZUxsV3VNcUdjQXR5dmlLQXRXNDAiLCJzaXRlX2lkIjoiZGVmYXVsdCIsImFwaSI6Im9lbXIifQ=='

-->

Patient Portal API Documentation

Request:

'Authorization: Bearer eyJ0b2tlbiI6IjAwNmZ4TWpsNWhsZmNPelZicXBEdEZVUlNPQUY5KzdzR1Jjejc4WGZyeGFjUjY2QlhaaEs4eThkU3cxbTd5VXFBeTVyeEZpck9mVzBQNWc5dUlidERLZ0trUElCME5wRDVtTVk5bE9WaE5DTHF5RnRnT0Q0OHVuaHRvbXZ6OTEyNmZGUmVPUllSYVJORGoyZTkzTDA5OWZSb0ZRVGViTUtWUFd4ZW5cL1piSzhIWFpJZUxsV3VNcUdjQXR5dmlLQXRXNDAiLCJzaXRlX2lkIjoiZGVmYXVsdCIsImFwaSI6Im9lbXIifQ=='

Security

Nth Technologies adminstrators / installers should ensure that the API is protected using an end to end encryption protocol such as TLS
Password Grant SHOULD be turned off for any kind of production use as it has a number of security problems
Setting the Admin -> Globals -> OAuth2 App Manual Approval Settings to be 'Manual Approval' prevents any OAuth2 application from accessing the API without manual approval from an administrator. This is the most secure setting. However, in the USA jurisdiction that must comply with CEHRT rules for ONC 2015 Cures Update, patient standalone apps must be approved within 48 hours of a patient requesting access in order to avoid pentalities under the Information Blocking Provisions from ONC. EHR administrators are not allowed to vet a patient's choice of an app as long as the app complies with Nth Technologies's OAuth2 security requirements. If an app requests user/ or system/ scopes, administrators can vet an application and request additional information / security on an app by app basis. Leaving the setting at the default will auto-approve any patient standalone app.