Authentication and scope model for external applications
External developers authenticate with SMART on FHIR Authorization Code + PKCE. Tokens are validated by the proxy before access is granted to upstream FHIR APIs.
| Endpoint | Path |
|---|---|
| Authorize | /AadSmartOnFhirProxy/authorize |
| Token | /AadSmartOnFhirProxy/token |
| FHIR base | /fhir |
| Discovery | /fhir/metadata |

| Scope group | Scopes |
|---|---|
| Baseline | user_impersonation |
| Launch | launch, launch.patient |
| Patient | patient.*.read |
| Extensions | Additional read scopes by approval |