OAuth 2.0
Health Gorilla APIs use the OAuth 2.0 protocol to authenticate client applications and authorize access to protected clinical data.
All requests to Health Gorilla endpoints must include a valid OAuth access token. Access tokens are issued by the Health Gorilla authorization server and grant time-limited access based on assigned scopes, user permissions, and tenant context.
OAuth is required to access:
- FHIR R4 REST APIs
- Asynchronous STU3 workflows
- Network and reporting services
- Other protected platform endpoints
Access control is enforced at multiple levels:
- Client-level authorization: Scopes assigned to a client application during registration define which APIs the application may invoke.
- User-level permissions: When applicable, the authenticated user’s role within a tenant determines what data and actions are permitted within the scope of the issued token.
Scopes define the API access boundary; user roles define what operations are permitted within a tenant. A request succeeds only if both layers allow it: the token's scopes must cover the API being called, and, where a user is involved, that user's role within the tenant must permit the requested operation on the requested data. A token with the right scope can therefore still be refused for a user who lacks the role.
Before accessing Health Gorilla APIs, your organization must obtain OAuth 2.0 client credentials. To request credentials, contact your Client Success Manager or submit your information through the Health Gorilla contact form.
During registration, you must provide one or more callback (redirect) URLs that will be permitted in OAuth flows; the redirect_uri your application sends in an authorization request must be one of these registered URLs, so register every URL you will use, including staging or test environments. You may also provide a default callback URL, an attribution logo displayed during authorization, and a website URL identifying your application.
Upon approval, Health Gorilla issues a client_id, a confidential client_secret, and the set of scopes your application is authorized to use. Treat the client_secret like a password: keep it in a secrets manager or server-side environment configuration, out of source control and logs, and never embed it in browser, mobile, or other client-side code.
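The registration steps above give a confidential client everything it works with: a client_id, a client_secret that stays server-side, a set of registered callback URLs, and scoped, time-limited access tokens. The Python module below is an added example, not Health Gorilla's own code, that wires those pieces into the server side of an authorization-code flow (the grant the registered callback URLs and consent-time attribution logo imply): exact-match checking of redirect_uri, a per-session state value plus PKCE, the secret read from the environment, and a scope and expiry check before a Bearer header is built. The endpoint URLs, the registered callback, the scope names and HTTP-Basic client authentication at the token endpoint are assumptions; take the real values from API Reference > OAuth 2.0 Authentication.

```python
# Added example, not Health Gorilla's own code: the server side of an OAuth 2.0
# authorization-code flow for a confidential client. The endpoint URLs, the
# registered callback list, the scope names and HTTP-Basic client authentication
# are assumptions; take the real values from API Reference > OAuth 2.0 Authentication.
import base64
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"  # assumed placeholder
TOKEN_URL = "https://auth.example.invalid/oauth/token"  # assumed placeholder
# Callback URLs exactly as registered with Health Gorilla (constructed sample).
REGISTERED_REDIRECTS = frozenset({"https://app.example.com/oauth/callback"})


def load_client_secret(env=None):
    """client_secret comes from the environment or a secrets manager, never from
    source, a browser bundle or a mobile app."""
    secret = (os.environ if env is None else env).get("HG_CLIENT_SECRET")
    if not secret:
        raise RuntimeError("HG_CLIENT_SECRET is not set")
    return secret


def redirect_is_registered(redirect_uri):
    """Exact string match: prefix, host-only or normalised matching lets an
    attacker append a path or query string, or use a look-alike host."""
    return redirect_uri in REGISTERED_REDIRECTS


def build_authorization_request(client_id, redirect_uri, scopes):
    """Return (url, state, code_verifier): state ties the callback to the user's
    session (CSRF defence); the PKCE verifier ties the code to this client."""
    if not redirect_is_registered(redirect_uri):
        raise ValueError(f"redirect_uri not registered: {redirect_uri}")
    state, code_verifier = secrets.token_urlsafe(32), secrets.token_urlsafe(64)
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes),
              "state": state, "code_challenge": challenge,
              "code_challenge_method": "S256"}
    return AUTHORIZE_URL + "?" + urlencode(params), state, code_verifier


def parse_callback(callback_url, expected_state):
    """Extract the authorization code, refusing error responses and any
    callback whose state is not the one stored for this session."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise PermissionError(f"authorization denied: {qs['error'][0]}")
    got = qs.get("state", [""])[0]
    if not hmac.compare_digest(got.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: CSRF or replayed callback")
    return qs["code"][0]


@dataclass(frozen=True)
class AccessToken:
    token: str
    scopes: frozenset
    expires_at: float  # absolute epoch seconds

    def usable_for(self, required_scopes, now=None):
        """Client-side pre-check only: the API still applies the user's role
        within the tenant, so a correctly scoped token can still get a 403."""
        now = time.time() if now is None else now
        return now < self.expires_at - 30 and set(required_scopes) <= self.scopes


def exchange_code(post, client_id, client_secret, code, redirect_uri,
                  code_verifier, now=None):
    """post(url, form, basic_auth) -> dict is the HTTP transport, e.g.
    lambda u, d, a: requests.post(u, data=d, auth=a, timeout=10).json();
    injected so the exchange can run and be tested offline."""
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "code_verifier": code_verifier}
    resp = post(TOKEN_URL, form, (client_id, client_secret))
    if resp.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type: {resp.get('token_type')!r}")
    issued = time.time() if now is None else now
    return AccessToken(resp["access_token"], frozenset(resp.get("scope", "").split()),
                       issued + int(resp["expires_in"]))


def bearer_header(token, required_scopes, now=None):
    """Authorization header for an API call; never sends an expired or under-scoped token."""
    if not token.usable_for(required_scopes, now):
        raise PermissionError("token expired or lacks the required scopes")
    return {"Authorization": f"Bearer {token.token}"}


def fake_token_endpoint(url, form, auth):
    """Constructed stand-in for the real token endpoint so the flow runs offline."""
    assert url == TOKEN_URL and form["grant_type"] == "authorization_code"
    return {"access_token": "demo-token", "token_type": "Bearer",
            "expires_in": 3600, "scope": "patient/*.read"}
```

Two design choices are worth noting. The HTTP transport is injected into exchange_code rather than hard-wired, which keeps the secret handling and response checks testable without network access; in production pass a thin wrapper around your HTTP client with a timeout. And usable_for is deliberately only a client-side pre-check for the scope layer: the user-level layer described above is enforced by the API using the user's role within the tenant, so a token that passes this check can still receive a 403, and callers must treat that as an authorization decision rather than a transient error.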
For endpoint parameters, request formats, and response schemas, go to API Reference > OAuth 2.0 Authentication.
