HiMS API Documentation

HIMS FHIR documentation version 1.0


Authentication

HiMS APIs are authenticated using the OAuth 2.0 protocol, following the official SMART App Authorization Guide. SMART on FHIR applications must be registered with HiMS before they can be used. To start the registration process, please contact us. HiMS will review your request and, if it is approved, you will receive an OAuth client_id to use on subsequent requests, following the protocols specified in the SMART App Authorization Guide.

All API requests must include an Authorization header carrying the access token as a Bearer token, of the form:

  Authorization: Bearer MY_JWT_TOKEN

Confidential clients, such as server-side web apps, that are capable of securely storing credentials will be issued a client_secret. The client_secret is used together with the client_id to form an authorization grant, which in turn is exchanged for access and refresh tokens. Our refresh tokens are long-lived and conform to the Health IT criteria documented here.

Public clients, such as native apps, that are incapable of securely storing credentials will not be issued a client_secret. Instead, refresh tokens are issued through the authorization_code grant flow. As recommended in the OAuth 2.0 Authorization Framework (RFC 6749, section 10.4), we require additional security measures when issuing refresh tokens to public applications. Specifically, we enforce refresh token rotation for all public applications: each refresh token is valid for exactly one use. Whenever a public application redeems a refresh token for an access token, the response body carries a new refresh token alongside the requested access token. The application must persist the new refresh token and discard the one it just used, since that token will not be accepted again.
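The rotation behaviour described above, shown from both sides as an added example. This is illustrative code written for this page, not HiMS's server or client implementation: the client_id `hims-native-app`, the 300-second access token lifetime, the in-memory grant store and the policy of revoking the whole grant when a spent refresh token is replayed (the compromise signal RFC 6749 section 10.4 describes) are all assumptions of the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Added example, not HiMS code. A minimal authorization server that rotates
# refresh tokens for public clients (RFC 6749 section 10.4: each refresh token
# is valid once, and a replay of an already-rotated token signals compromise),
# plus a native-app token store that consumes the rotated tokens correctly.
# Revoking the entire grant on replay is this example's assumed policy.

ACCESS_TOKEN_TTL = 300                # seconds; assumed value for the example
PUBLIC_CLIENTS = {"hims-native-app"}  # assumed registered public client_id


@dataclass
class Grant:
    client_id: str
    scope: str
    current_refresh: str      # the only refresh token currently valid for this grant
    revoked: bool = False


class AuthorizationServer:
    def __init__(self) -> None:
        self._grants: dict[str, Grant] = {}       # grant_id -> Grant
        self._refresh_owner: dict[str, str] = {}  # every refresh token ever issued -> grant_id

    def _token_response(self, grant_id: str) -> dict:
        grant = self._grants[grant_id]
        new_refresh = secrets.token_urlsafe(32)
        grant.current_refresh = new_refresh          # rotation: the previous token is now spent
        self._refresh_owner[new_refresh] = grant_id  # kept so a later replay is recognisable
        return {
            "token_type": "Bearer",
            "access_token": secrets.token_urlsafe(32),
            "expires_in": ACCESS_TOKEN_TTL,
            "refresh_token": new_refresh,
            "scope": grant.scope,
        }

    def complete_authorization_code_grant(self, client_id: str, scope: str) -> dict:
        """Stands in for the authorization_code exchange; returns the first token pair."""
        if client_id not in PUBLIC_CLIENTS:
            return {"error": "invalid_client"}
        grant_id = secrets.token_hex(8)
        self._grants[grant_id] = Grant(client_id, scope, current_refresh="")
        return self._token_response(grant_id)

    def refresh(self, client_id: str, refresh_token: str) -> dict:
        grant_id = self._refresh_owner.get(refresh_token)
        if grant_id is None:
            return {"error": "invalid_grant", "error_description": "unknown refresh token"}
        grant = self._grants[grant_id]
        if grant.revoked or grant.client_id != client_id:
            return {"error": "invalid_grant", "error_description": "grant revoked or wrong client"}
        if refresh_token != grant.current_refresh:
            # A rotated-out token came back: either the real app or an attacker holds a
            # stolen copy. Neither can be trusted now, so revoke everything under the grant.
            grant.revoked = True
            return {"error": "invalid_grant", "error_description": "refresh token reuse; grant revoked"}
        return self._token_response(grant_id)


class NativeAppTokenStore:
    """Client side of rotation: store the new refresh token as soon as it arrives
    and never present a refresh token a second time."""

    def __init__(self, server: AuthorizationServer, client_id: str, first_response: dict) -> None:
        self._server = server
        self._client_id = client_id
        self._apply(first_response)

    def _apply(self, response: dict) -> None:
        self.access_token = response["access_token"]
        self.expires_at = time.time() + response["expires_in"]
        # In a real native app this write goes to the platform keystore before continuing.
        self.refresh_token = response["refresh_token"]

    def refresh_access_token(self) -> bool:
        response = self._server.refresh(self._client_id, self.refresh_token)
        if "error" in response:
            # The refresh token is gone for good: drop local state and re-run the auth code flow.
            self.access_token = self.refresh_token = None
            return False
        self._apply(response)
        return True

    def authorization_header(self) -> Optional[str]:
        """Value for the Authorization header, refreshing first if the access token expired."""
        if self.access_token is None:
            return None
        if time.time() >= self.expires_at and not self.refresh_access_token():
            return None
        return f"Bearer {self.access_token}"
```

The server keeps every refresh token it ever issued, not just the current one, so that a replay of a spent token is distinguishable from a random guess; that is what turns one-time use into a detection signal rather than merely an inconvenience. On the client, the store writes the new refresh token before it does anything else with the response, because an app that crashes between receiving the new token and saving it is left holding only a spent token and must send the user back through the authorization flow.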