Get the Token

After completing the SMART on FHIR authorization flow, the user is redirected to your system with an authorization code. Your application must exchange this code for an access token before launching the Patient Chart.

To exchange the authorization code:

  1. Receive the code and state parameters at your registered redirect_uri. Note: Health Gorilla redirects the browser to your registered URI with the code needed for the token exchange and the state value you originally passed, which you should check against your session for verification.
  2. Send a POST request to the token endpoint from your backend. Use https://api.healthgorilla.com/oauth2/token with Content-Type: application/x-www-form-urlencoded.
  3. Include the following parameters in the request body:
  • grant_type=authorization_code
  • code=YOUR_AUTHORIZATION_CODE
  • redirect_uri=YOUR_REGISTERED_REDIRECT_URI
  • client_id=YOUR_CLIENT_ID
  • client_secret=YOUR_CLIENT_SECRET (confidential clients only)
  4. Parse the token response returned by Health Gorilla. If the request is successful, the response includes:
  • access_token
  • refresh_token (if issued)
  • expires_in (token lifetime in seconds)
  • scope
  • token_type (usually Bearer)
  5. Store the token securely for authorized API access. Use the access_token in session or request headers. If a refresh_token is provided, save it securely for future token renewal.
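The backend side of the exchange above, as an added example that is not Health Gorilla's own code: it checks the returned state in constant time, builds the form-encoded POST, and validates the token response before computing an absolute expiry. The redirect URI, client credentials and the sample JSON response are constructed placeholders.

```python
import hmac
import json
import time
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://api.healthgorilla.com/oauth2/token"

# Constructed sample of a successful token response (not real data).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "constructed-access-token",
    "refresh_token": "constructed-refresh-token",
    "expires_in": 3600,
    "scope": "launch/patient patient/*.read",
    "token_type": "Bearer",
})


def verify_state(returned_state, stored_state):
    """Step 1: the echoed state must equal the value this session issued.
    Constant-time comparison so a mismatch leaks nothing through timing."""
    return hmac.compare_digest(returned_state.encode(), stored_state.encode())


def build_token_request(code, redirect_uri, client_id, client_secret=None):
    """Steps 2-3: assemble the backend POST; returns (url, headers, body)."""
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    }
    if client_secret is not None:  # only confidential clients send a secret
        params["client_secret"] = client_secret
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, urlencode(params)


def parse_token_response(body, now=None):
    """Step 4: validate the JSON response; raise ValueError on an error
    reply or a malformed success. expires_at is an absolute epoch time."""
    data = json.loads(body)
    if "error" in data:
        raise ValueError("token endpoint error: %s" % data["error"])
    if "access_token" not in data or "token_type" not in data:
        raise ValueError("response lacks access_token or token_type")
    if data["token_type"].lower() != "bearer":
        raise ValueError("unexpected token_type: %s" % data["token_type"])
    now = time.time() if now is None else now
    expires_in = data.get("expires_in")
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),  # None if not issued
        "scope": data.get("scope", ""),
        "expires_at": None if expires_in is None else now + int(expires_in),
    }
```

Use expires_at to refresh before the token lapses rather than waiting for a 401 from the API.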