Request

Once the application has successfully received an authorization code via the authorization endpoint, it must exchange this code for an access token. This is done by making a POST request to the EHR's token endpoint using the application/x-www-form-urlencoded content type.

Client Authentication:

For confidential apps, use HTTP Basic Authentication in the request header. The format is:

Authorization: Basic Base64Encode(client_id:client_secret)

Example:
If your client_id is my-app and client_secret is my-app-secret-123, the encoded value would be:

Authorization: Basic bXktYXBwOm15LWFwcC1zZWNyZXQtMTIz

For public apps, the client_id is passed as a parameter in the request body, and no authentication header is required since these clients do not have a client secret.

POST /realms/EDVAK/protocol/openid-connect/token
Content-Type: application/x-www-form-urlencoded

code=abc123&
code_verifier=xyz456&
grant_type=authorization_code&
redirect_uri=https%3A%2F%2Fexample.com%2Fcallback&
client_id=my-public-client

Request

Authorization

Add the parameter

Authorization

to Headers，whose value is to concatenate the Token after the Bearer.

Example:

Authorization: Bearer ********************

Header Params

Content-Type

string

required

Example:

application/x-www-form-urlencoded

Body Params application/x-www-form-urlencoded

grant_type

string

required

Example:

authorization_code

code

string

required

The authorization code previously obtained from the authorization step.

Example:

<code>

redirect_uri

string

required

This must match the redirect URI used in the original authorization request to ensure request integrity.

Example:

<redirect_uri>

code_verifier

string

required

Used to validate the code_challenge previously provided in the authorization request. This is part of the PKCE protocol.

Example:

<code_verifier>

client_id

string

optional

Required only for public clients (those without a client secret). Confidential clients typically authenticate using basic authentication instead.

Example:

<client_id>

Responses

🟢200Success

application/json

Body

message

string

required

token

object

required

access_token

string

required

expires_in

integer

required

refresh_expires_in

integer

required

refresh_token

string

required

token_type

string

required

not-before-policy

integer

required

session_state

string

required

scope

string

required

patient

string

required

tenant

string

required

Example

{
  "message": "Token generated successfully",
  "token": {
    "access_token": "ey2e8mzoih38wLeJH50QsrWpYkIL0p8c8Jr5.lxBJ4xUHUdrVf1uP76yow7jxaeOgXCpzby1oZiB4eaAOj4Z3TaKF460EH2H3Rnp3rblBkys9l1PjCzWS.ehdIzNVT4385CrKXlEIQ8gtlo4Y0MyBI0kY5Dt5B...",
    "expires_in": 900,
    "refresh_expires_in": 8208000,
    "refresh_token": "ey2e8mzoih38wLeJH50QsrWpYkIL0p8c8Jr5.lxBJ4xUHUdrVf1uP76yow7jxaeOgXCpzby1oZiB4eaAOj4Z3TaKF460EH2H3Rnp3rblBkys9l1PjCzWS.ehdIzNVT4385CrKXlEIQ8gtlo4Y0MyBI0kY5Dt5B...",
    "token_type": "Bearer",
    "not-before-policy": 1741856296,
    "session_state": "712430d3-da39-4cad-884b-862d32ac9c6d",
    "scope": "patient/MedicationDispense.rs profile patient/Patient.rs tenant patient/ServiceRequest.rs patient fhirUser patient/Coverage.rs email",
    "patient": "3",
    "tenant": "TENANT_AB"
  }
}

Client Authentication:#

Request

Responses

Client Authentication: