App Onboarding Process
1. Develop your client
The Interoperability Engine Public API documentation and terms for third-party client application developers can be found here: http://www.interopengine.com/2017. This is the documentation needed to build a client application that uses health data made available by Data Holders through the EMR Direct Interoperability Engine.
Consider whether the app will use authorization code flow with username/password provided by the Data Holder (for example, patient portal credentials used by patients) or client credentials flow (when an end user is not present to enter credentials or an enterprise/client-level authorization is appropriate). If the app's use case requires client credentials and the Data Holder supports access by your app using client credentials, implement UDAP JWT-based Authentication using a trusted certificate:
Use of the client credentials grant requires an out-of-band registration process to obtain the certificate (see #2 below). UDAP JWT-based Authentication is also used with authorization code flow in UDAP workflows.
Be sure to follow best practices for making users aware of the app's security and data management policies. If the app's use goes beyond individual access to a patient's own data, enter into any necessary agreements with the Data Holder prior to requesting data.
2. Register your client with EMR Direct
Client applications intended for use with a patient's own credentials as part of SMART Authorization Code Flow need only register dynamically according to the Interoperability Engine 2017 public API documentation and the referenced OAuth Dynamic Client Registration standard. For client applications that do not support Dynamic Client Registration or that wish to use client credentials, manual registration and UDAP certificates are available at:
Please see the related note on "Requirements for Client Registration" for additional information.
3. Make FHIR data requests
If the app was manually registered with EMR Direct, use UDAP JWT-Based Client Authentication to submit a signed authentication token and obtain an access token (steps 3-7 of the profile), then proceed with authorization code flow.
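The signed authentication token and token request described above, sketched for the client credentials case. This is an added example, not code from EMR Direct or from the UDAP profile: the claim set, the 5-minute lifetime, and the `udap=1` parameter are taken from the published UDAP JWT-Based Client Authentication profile and should be checked against the profile text, and the client ID, token endpoint, key, and certificate bytes are constructed placeholders.

```javascript
// Added example: build a UDAP-style signed authentication token (JWT) and the
// matching token request body. All identifiers and key material are constructed.
const crypto = require('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');

// certChainDer: array of DER-encoded certificates (Buffers), leaf certificate first.
function buildAuthenticationToken({ clientId, tokenEndpoint, privateKey, certChainDer, now }) {
  const iat = Math.floor((now ?? Date.now()) / 1000);
  const header = {
    alg: 'RS256',
    // x5c carries standard base64 (not base64url) DER certificates, per RFC 7515.
    x5c: certChainDer.map((der) => der.toString('base64')),
  };
  const claims = {
    iss: clientId,            // issuer and subject are both the client_id
    sub: clientId,
    aud: tokenEndpoint,       // binds the token to a single token endpoint
    iat,
    exp: iat + 300,           // short lifetime (5 minutes) limits replay
    jti: crypto.randomUUID(), // unique ID so the server can reject reuse
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  // RSA keys default to PKCS#1 v1.5 padding, which with SHA-256 is RS256.
  const signature = crypto.sign('sha256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Form-encoded body for a client credentials token request carrying the token.
function buildTokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: 'client_credentials',
    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    client_assertion: assertion,
    udap: '1',
  }).toString();
}

// Constructed demo values: throwaway key pair and placeholder certificate bytes.
const demoKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const demoToken = buildAuthenticationToken({
  clientId: 'example-client-id',
  tokenEndpoint: 'https://as.example/token',
  privateKey: demoKeys.privateKey,
  certChainDer: [Buffer.from('constructed placeholder, not a real certificate')],
  now: 1700000000000,
});
console.log(buildTokenRequestBody(demoToken));
```

In a real client the private key stays in a key store or HSM, and `certChainDer` holds the certificate issued during registration.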