Verify Access

Scopes determine which FHIR resources and operations your application can access. Each access token returned by the Health Gorilla authorization server includes a set of scopes provisioned for your use case. If your request does not match one of the assigned scopes, the server returns a 403 Forbidden response.

OAuth 2.0 scopes are assigned when your credentials are created. You obtain a token with the client credentials flow, a machine-to-machine grant that authorizes your system without user interaction. For more information, go to: Technical Foundations > OAuth 2.0 Authentication.

To verify and test your assigned OAuth scopes

  1. Request an access token using the client credentials flow. In the response, locate the scope field to confirm your assigned scopes.

Example response:

{
  "access_token": "eyJ...abc",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "patient.read documentreference.read"
}
  2. Send a request to a FHIR resource that matches one of your scopes. For example, if your token includes patient.read, use the following request.

Example request:

GET /fhir/R4/Patient/12345 HTTP/1.1
Authorization: Bearer {access_token}
Accept: application/fhir+json

  3. Confirm that the server returns a 200 OK response, indicating that your token is valid for the requested resource.
  4. Attempt a request to an endpoint outside your assigned scopes. For example, if your token does not include observation.read, the following request should fail with 403 Forbidden.

Example request:

GET /fhir/R4/Observation?patient=12345 HTTP/1.1
Authorization: Bearer {access_token}
Accept: application/fhir+json

Example error response:

{
  "resourceType": "OperationOutcome",
  "issue": [
    {
      "severity": "error",
      "code": "forbidden",
      "diagnostics": "Access denied due to missing scope: observation.read"
    }
  ]
}
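The steps above can be automated as a pre-flight check: read the scope field from the token response, derive the scope a planned request needs, and, if the server still answers 403, pull the missing scope out of the OperationOutcome. This is an added example, not Health Gorilla's own code; it assumes scopes are named `<resourcetype>.read` / `<resourcetype>.write` (as the page's examples suggest) and that GET needs `.read` while other methods need `.write`. The token and error bodies are constructed samples shaped like the responses shown above.

```python
from __future__ import annotations
import json
import re
from urllib.parse import urlparse

# Constructed sample token response, shaped like the page's example.
TOKEN_RESPONSE = json.dumps({
    "access_token": "eyJ...abc",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "patient.read documentreference.read",
})

# Constructed sample 403 body, shaped like the page's OperationOutcome example.
ERROR_RESPONSE = json.dumps({
    "resourceType": "OperationOutcome",
    "issue": [{"severity": "error", "code": "forbidden",
               "diagnostics": "Access denied due to missing scope: observation.read"}],
})


def assigned_scopes(token_json: str) -> set[str]:
    """Return the space-separated scopes granted in a token response."""
    return set(json.loads(token_json).get("scope", "").split())


def required_scope(method: str, path: str) -> str:
    """Derive the scope a FHIR request needs from its method and path.
    Assumption: scopes are <resourcetype>.read / <resourcetype>.write,
    GET needs .read and any other method needs .write."""
    segments = urlparse(path).path.strip("/").split("/")
    # Skip the base path (fhir, R4) and take the first FHIR resource type segment.
    resource = next(s for s in segments if re.fullmatch(r"[A-Z][A-Za-z]+", s))
    action = "read" if method.upper() == "GET" else "write"
    return f"{resource.lower()}.{action}"


def is_permitted(token_json: str, method: str, path: str) -> bool:
    """True if the token's scopes cover the request; check this before sending."""
    return required_scope(method, path) in assigned_scopes(token_json)


def missing_scope(error_json: str) -> str | None:
    """Extract the scope named in a forbidden OperationOutcome, if any."""
    for issue in json.loads(error_json).get("issue", []):
        if issue.get("code") == "forbidden":
            m = re.search(r"missing scope:\s*(\S+)", issue.get("diagnostics", ""))
            if m:
                return m.group(1)
    return None
```

A 403 whose diagnostics names a scope you were never provisioned is a credential configuration issue to raise with Health Gorilla, not something to retry.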