Scopes and Access
OAuth scopes define what your application can access and how. Scopes are granted when tokens are issued and determine which FHIR resources are available and whether data can be read, written, or both.
Scope Types
- Read scopes: Allow applications to retrieve data (for example, `patient/Observation.read` or `user/*.read`).
- Write scopes: Allow applications to create or update data (for example, `patient/Condition.write` or `user/*.write`).
- Launch scopes: Used in SMART on FHIR flows to convey launch context (for example, `launch`, `launch/patient`, `launch/encounter`).
- Offline access scope: Enables refresh token issuance for long-lived or background sessions (`offline_access`).
Scope Naming Examples
| Scope | Description |
|---|---|
| `patient/*.read` | Read access to all FHIR resources for a single patient |
| `user/Patient.read` | Read access to Patient resource for all patients, based on user context |
| `system/Observation.write` | System-level write access to Observations |
| `launch/patient` | Requests patient context during SMART on FHIR app launch |
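
An added example, not part of the original page or any product's code: a fail-closed check of a granted scope string against a requested access, using only the scope forms listed above. The function names and the sample grant are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# Resource scope forms shown on this page: <context>/<resource>.<read|write>
RESOURCE_SCOPE = re.compile(r"(patient|user|system)/(\*|[A-Z][A-Za-z]+)\.(read|write)")
LAUNCH_SCOPES = {"launch", "launch/patient", "launch/encounter"}

class ResourceScope(NamedTuple):
    context: str     # patient, user or system
    resource: str    # FHIR resource type, or * for all types
    permission: str  # read or write

def parse_scope(token: str) -> Optional[ResourceScope]:
    """Return the parsed resource scope, or None for any other token."""
    m = RESOURCE_SCOPE.fullmatch(token)
    return ResourceScope(*m.groups()) if m else None

def is_allowed(granted: str, context: str, resource: str, action: str) -> bool:
    """True only if some granted scope covers this exact context, type and action."""
    for token in granted.split():
        scope = parse_scope(token)
        if scope is None:
            continue  # launch, offline_access and unknown tokens grant no data access
        if (scope.context == context
                and scope.resource in ("*", resource)
                and scope.permission == action):  # read never implies write
            return True
    return False  # fail closed

def summarize(granted: str) -> dict:
    """Group the tokens of a scope string by the scope types described above."""
    tokens = granted.split()
    known = LAUNCH_SCOPES | {"offline_access"}
    return {
        "resource": [t for t in tokens if parse_scope(t)],
        "launch": [t for t in tokens if t in LAUNCH_SCOPES],
        "refresh_token": "offline_access" in tokens,
        "unrecognised": [t for t in tokens if not parse_scope(t) and t not in known],
    }

# Constructed sample: the space-delimited "scope" value from a token response.
SAMPLE_GRANT = "launch/patient offline_access patient/*.read patient/Condition.write"

if __name__ == "__main__":
    print(summarize(SAMPLE_GRANT))
    print(is_allowed(SAMPLE_GRANT, "patient", "Observation", "read"))   # wildcard read
    print(is_allowed(SAMPLE_GRANT, "patient", "Observation", "write"))  # no write scope
    print(is_allowed(SAMPLE_GRANT, "user", "Observation", "read"))      # wrong context
```

Run the check against the scopes actually granted in the token response, since the authorization server may issue fewer scopes than the application requested.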