'/%3e%3cpath%20d='M534.104%20592.554C517.522%20607.15%20492.036%20605.65%20479.37%20587.55C432.827%20521.038%20409.925%20440.343%20415.135%20358.545C420.344%20276.748%20453.298%20199.61%20507.904%20139.54C522.764%20123.194%20548.234%20124.939%20562.83%20141.521L608.023%20192.862C622.619%20209.444%20620.638%20234.536%20607.101%20251.994C581.387%20285.156%20565.941%20325.498%20563.237%20367.978C560.53%20410.458%20570.733%20452.433%20592.032%20488.59C603.245%20507.624%20602.027%20532.765%20585.445%20547.361L534.104%20592.554Z'%20fill='url(%23paint1_linear_154_257)'/%3e%3cpath%20d='M404.368%20499.661L455.381%20493.203L438.013%20356L387%20362.458L404.368%20499.661Z'%20fill='white'/%3e%3cpath%20d='M349%20408.709L355.956%20459.657L492.983%20440.947L486.026%20390L349%20408.709Z'%20fill='white'/%3e%3cdefs%3e%3clinearGradient%20id='paint0_linear_154_257'%20x1='170'%20y1='492.5'%20x2='449'%20y2='508.5'%20gradientUnits='userSpaceOnUse'%3e%3cstop%20stop-color='%236648E0'/%3e%3cstop%20offset='1'%20stop-color='%23413AC9'/%3e%3c/linearGradient%3e%3clinearGradient%20id='paint1_linear_154_257'%20x1='429'%20y1='384'%20x2='549.5'%20y2='380.5'%20gradientUnits='userSpaceOnUse'%3e%3cstop%20stop-color='%235B51FF'/%3e%3cstop%20offset='1'%20stop-color='%233428E6'/%3e%3c/linearGradient%3e%3c/defs%3e%3c/svg%3e)
SMART on FHIR Authentication: A Developer's Complete Guide
How SMART on FHIR authentication works — EHR launch vs standalone launch, OAuth 2.0 scopes, token refresh, and the implementation details that trip up engineering teams.
What Is SMART on FHIR?
SMART on FHIR (Substitutable Medical Apps, Reusable Technologies on FHIR) is an open standard for authorizing third-party healthcare applications to access EHR data. It extends OAuth 2.0 with healthcare-specific context — the current patient, encounter, and clinical user are passed as part of the authorization flow.
When a clinician opens your custom application from within Epic's Hyperspace, the EHR sends a launch token to your app. Your app exchanges this token for an access token scoped to that specific patient and session. This is the SMART EHR Launch flow.
The Two Launch Flows
EHR Launch (clinician-facing apps)
The EHR initiates the launch. The user clicks a link inside Epic, the EHR passes a launch parameter to your app, and your app completes the OAuth handshake.
// Step 1: EHR redirects to your launch URL with iss + launch params
// https://yourapp.com/launch?iss=https://epic.org/fhir&launch=abc123
// Step 2: Your app redirects to the EHR's authorization endpoint
const params = new URLSearchParams({
response_type: "code",
client_id: "your-client-id",
redirect_uri: "https://yourapp.com/callback",
scope: "launch openid fhirUser patient/Patient.read patient/Observation.read",
state: generateState(),
aud: issUrl,
launch: launchToken,
});
window.location.href = `${authEndpoint}?${params}`;
Standalone Launch (patient-facing apps)
The app initiates independently. The user opens your app, selects their provider, and the app discovers the EHR's FHIR endpoint via /.well-known/smart-configuration.
Scopes — the Part That Fails App Orchard Review
SMART scopes define exactly which FHIR resources your app can access, following the pattern [context]/[ResourceType].[operation]:
patient/Patient.read— current patient recordpatient/Observation.read— observations for the current patientuser/Appointment.write— write appointments on behalf of the useroffline_access— needed for background processing after the user closes the app
The key mistake: over-requesting scopes. Epic and Cerner audit scope lists during App Orchard review. Request only what you actually use. See the Epic App Orchard approval guide for how scope declarations affect the review timeline.
Token Expiry and Refresh
Epic tokens expire in 8 hours. Cerner's expire in 570 seconds (9.5 minutes). Handle refresh proactively:
import FHIR from "fhirclient";
FHIR.oauth2.ready().then(async (client) => {
const { token_at, expires_in } = client.state.tokenResponse;
const expiresAt = token_at + (expires_in * 1000);
if (Date.now() > expiresAt - 300_000) {
await client.refresh(); // refresh 5 minutes early
}
const patient = await client.patient.read();
});
Any application using SMART on FHIR handles real patient PHI. It must satisfy all HIPAA technical safeguards and have a signed BAA with the health system before going live.
The EHR / EMR Middleware service handles SMART on FHIR authentication so your application code focuses on clinical workflows, not OAuth edge cases.
Related Service
EHR / EMR Middleware
Deep-dive into our engineering approach, capabilities, and technical specifications.
Written by Sheharyar Amin
Founder & Lead Engineer, Opexia