Overview – Authorization & Security Standards

Edvak EHR secures access to its FHIR API endpoints through an OAuth 2.0-compliant authorization server, implementing the SMART on FHIR authorization framework. Applications interacting with FHIR resources must supply a Bearer token in each API request’s Authorization header.

Registered developers receive OAuth client credentials which are used to obtain access tokens from Edvak EHR's authorization server.

Technical Standards Followed

OAuth 2.0 (RFC 6749)

OpenID Connect

SMART App Launch Framework v2.0.0

Supported OAuth Authorization Models

Two-Legged OAuth (Client Credentials Flow)

Designed for backend services that need access without user interaction. Apps use their client credentials to obtain access tokens.

Three-Legged OAuth (Authorization Code Flow)

Used when user login and consent is required. Apps request authorization from the user and exchange the authorization code for an access token.

Scopes & Permissions

OAuth scopes control what an application can access. In SMART on FHIR, scopes follow the format:

context/resource.access

Where:

context: patient, user, or system

resource: A specific FHIR resource (e.g. Condition) or * for all

access: read, write, or * for both

Examples

Scope	Description
patient/Condition.read	Read Condition data for the current patient
system/Observation.read	Read all Observations across patients
user/.	Read and write all user-authorized resources
openid fhirUser	Request user identity and profile
launch	Get context during launch from within the EHR
launch/patient	Request patient selection during standalone launch
offline_access	Enables long-lived access via refresh token
online_access	Refresh tokens valid while the user is online

Scope Evaluation Logic

When scopes are requested, the authorization server checks:

If the scopes are present in the request

If the client is approved to request those scopes

If end-user consent (when required) was granted

Scopes that are not approved or explicitly denied will not be included in the token. Apps can inspect granted scopes using token introspection.

Wildcard Scope Expansion

Edvak Health supports wildcard expansion for patient, user, and system contexts.

patient/*.read includes:

patient/Patient.read

patient/Condition.read

patient/Observation.read

patient/MedicationRequest.read

patient/Procedure.read

...and others

user/*.read includes:

user/AllergyIntolerance.read

user/CarePlan.read

user/DocumentReference.read

user/ServiceRequest.read

...and others

system/*.read includes:

system/Medication.read

system/Patient.read

system/Organization.read

system/Encounter.read

...and others

SMART on FHIR Authorization Workflow

Applications may be launched from within Edvak Health EHR or as standalone apps.

Initiating Authorization

Apps construct a request to Edvak's authorization endpoint with:

response_type: code

client_id: App client ID

redirect_uri: Must match a registered redirect URI

scope: Requested permissions (e.g. openid patient/*.read)

state: CSRF protection value

aud: Base URL of the Edvak FHIR API

code_challenge & code_challenge_method: For PKCE (public clients)

End-User Authorization

Edvak presents a login and consent screen. Based on the response:

If granted: an authorization code is sent to the app’s redirect URI

If denied: an error response is returned

Exchanging Authorization Code for Access Token

Apps exchange the code for an access token:

Token Response Includes:

access_token: Required for accessing APIs

token_type: Always "Bearer"

expires_in: Token lifetime (in seconds)

scope: Granted scopes

refresh_token: If offline or online access was requested

id_token: If OpenID Connect identity was requested

Refreshing an Access Token

Access tokens issued by Edvak EHR are short-lived and designed to expire after a defined period, typically within 90 days, although this duration can vary based on organizational security policies.

To maintain continuous access without requiring a new user login, your application can use a refresh token to request a new access token from Edvak’s authorization server. Refresh tokens are designed for one-time use only — once used, they are immediately invalidated.

Each time a refresh token is successfully exchanged, the system issues a new refresh token, replacing the previous one. This rotation mechanism is a key security feature that reduces the risk of token theft or misuse. Generally, a refresh token remains valid for about 30 days, but any attempt to reuse a previous token will result in the associated access token being revoked.

Warning: Avoid Reusing Refresh Tokens

If a refresh token is reused — either intentionally or due to parallel requests — the system will:

Immediately invalidate that refresh token

Revoke all active access tokens issued through it

Block further token refresh attempts using that token

For this reason, it's critical to handle refresh tokens in a single-threaded or locked manner to prevent simultaneous use. Always securely store and replace tokens after each use.

POST /token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
refresh_token=YOUR_REFRESH_TOKEN
client_id=CLIENT_ID        (required for public apps)
client_secret=CLIENT_SECRET  (required for confidential apps)

Token Security Requirements

Access tokens expire after ~1 hour

Refresh tokens may be valid up to 90 days

Always use HTTPS when exchanging or storing tokens

Tokens must be stored in secure app-specific storage

Responses include:

Cache-Control: no-store

Pragma: no-cache

JWKS (Optional Asymmetric Authentication)

Edvak EHR supports public/private key pair authentication using JWKS (JSON Web Key Sets) for confidential clients.

To register your JWKS URI or public key, contact:
[email protected]

Accessing FHIR Resources

API calls require a valid access token:

GET https://fhir-dev.edvak.com/fhir/Patient/123
Authorization: Bearer <ACCESS_TOKEN>

Additional Resources

Overview – Authorization & Security Standards

Technical Standards Followed#

Supported OAuth Authorization Models#

Scopes & Permissions#

Examples#

Scope Evaluation Logic#

Wildcard Scope Expansion#

patient/*.read includes:#

user/*.read includes:#

system/*.read includes:#

SMART on FHIR Authorization Workflow#

Token Response Includes:#

Refreshing an Access Token#

Token Security Requirements#

JWKS (Optional Asymmetric Authentication)#

Accessing FHIR Resources#

Additional Resources#

Technical Standards Followed

Supported OAuth Authorization Models

Scopes & Permissions

Examples

Scope Evaluation Logic

Wildcard Scope Expansion

patient/*.read includes:

user/*.read includes:

system/*.read includes:

SMART on FHIR Authorization Workflow

Token Response Includes:

Refreshing an Access Token

Token Security Requirements

JWKS (Optional Asymmetric Authentication)

Accessing FHIR Resources

Additional Resources