Authentication and Authorization
Health Gorilla APIs use an OAuth 2.0–based authentication model to control access to clinical data across sandbox and production environments. Authentication relies on short-lived JWT assertions that are exchanged for OAuth access tokens, which are required for all downstream API requests. Authorization scopes and supported flows vary by API, environment, and tenant configuration.
Overview
Describes the end-to-end authentication model, including how JWT assertions, the OAuth token endpoint, and access tokens interact to authorize API calls.
Assertions vs Tokens
Clarifies the functional and lifecycle differences between JWT assertions and OAuth access tokens, including how each is generated and used.
Generating JWT Assertions
Explains how to generate JWT assertions using jwtoken.html, including required fields, correct claim values, and UI-specific behavior.
OAuth Token Exchange
Details the supported OAuth token exchange flows, required parameters, and request formats for obtaining access tokens.
Troubleshooting
Documents common authentication failures, root causes, and corrective actions based on real onboarding and integration scenarios.