Intro to FHIR API Queries with OAuth2

This guide will help you get started using any standard FHIR API server with OAuth2 for authorization. This flow is the recommended method for securing API endpoints while making them accessible to consumer applications.

Setup

For any server you'll want to have these constants (client_id / client_secret) in place. If you would like OAuth client keys for the 1upHealth API, create an account, visit our developer console and create a new application.

client_id = 'clientidclientidclientid'
client_secret = 'clientsecretclientsecret'

token_url = 'https://api.1up.health/fhir/oauth2/token'
api_url = 'https://api.1up.health/fhir'
scope = 'user/*.*'

Get your app's auth tokens

These steps will enable your app to access data on behalf of the patient (or user) using credentials that grant you access only to that user's data. You'll have to repeat this for each user whose data you want to consume. 1upHealth works behind the scenes and allows you to be in control of user permissions via the user-management API.

  1. First, create a user on 1upHealth. An application can create users via the following call. Each response will contain the new user's oneup_user_id, access_token, refresh_token, and app_user_id. The app_user_id helps you keep track of users between the 1up API and your own user management system.
curl -X POST "https://api.1up.health/user-management/v1/user" \
  -d "app_user_id=myappsuserid" \
  -d "client_id=clientidclientidclientid" \
  -d "client_secret=clientsecretclientsecret"

You will receive a response like this:

{
  "success": true,
  "code": "accesscodeaccesscodeaccesscode",
  "oneup_user_id": 251,
  "app_user_id": "1499270216467",
  "active": true
}
  2. After you create a user, your app receives a code. Use the code in this request ...
curl -X POST https://api.1up.health/fhir/oauth2/token \
  -d "client_id=clientidclientidclientid" \
  -d "client_secret=clientsecretclientsecret" \
  -d "code=accesscodeaccesscodeaccesscode" \
  -d "grant_type=authorization_code"

It returns something like:

{
  "refresh_token": "b23ae107a6584fecab17826537f464cf",
  "token_type": "bearer",
  "access_token": "add72ae475214adc83ea227c21fee0e5",
  "expires_in": 7200
}
  3. Once 7200 seconds pass, the access_token will no longer be valid. To get a new token, you'll have to use your refresh token via this call.
curl -X POST https://api.1up.health/fhir/oauth2/token \
  -d "client_id=clientidclientidclientid" \
  -d "client_secret=clientsecretclientsecret" \
  -d "refresh_token=b23ae107a6584fecab17826537f464cf" \
  -d "grant_type=refresh_token"

It returns something like this:

{
  "refresh_token":"691d984c43ef4a0593ea997750a2d4c3",
  "token_type":"bearer",
  "access_token":"6fe79505699b471a91187864212a111b",
  "expires_in":7200
}
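The three token steps above as one small client, added here as an example and not 1upHealth's own code: it exchanges the code, tracks expires_in, and refreshes (storing the rotated refresh_token) shortly before the access token lapses, so every FHIR call gets a valid bearer header. The `post` and `clock` parameters are my injection points so the logic can be driven offline; the defaults use the standard library against the token URL from the Setup section.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.1up.health/fhir/oauth2/token"
REFRESH_MARGIN = 60  # refresh this many seconds before expires_in elapses


def http_post_form(url, fields):
    """Default transport: POST form-encoded fields, return the decoded JSON body."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


class OAuthSession:
    """One user's token pair, refreshed automatically before the access token lapses."""

    def __init__(self, client_id, client_secret, post=http_post_form, clock=time.time):
        # post/clock are injection points (my addition) so the flow runs offline in tests
        self.client_id, self.client_secret = client_id, client_secret
        self.post, self.clock = post, clock
        self.access_token, self.refresh_token, self.expires_at = None, None, 0.0

    def _store(self, tok):
        self.access_token = tok["access_token"]
        self.refresh_token = tok["refresh_token"]  # a new refresh token comes back each time
        self.expires_at = self.clock() + tok["expires_in"]

    def exchange_code(self, code):  # step 2: trade the one-time code for a token pair
        self._store(self.post(TOKEN_URL, {
            "client_id": self.client_id, "client_secret": self.client_secret,
            "code": code, "grant_type": "authorization_code"}))

    def refresh(self):  # step 3: obtain a fresh pair with the refresh_token grant
        self._store(self.post(TOKEN_URL, {
            "client_id": self.client_id, "client_secret": self.client_secret,
            "refresh_token": self.refresh_token, "grant_type": "refresh_token"}))

    def needs_refresh(self):
        return self.clock() >= self.expires_at - REFRESH_MARGIN

    def auth_header(self):
        """Header for FHIR calls; refreshes first if the access token is about to lapse."""
        if self.needs_refresh():
            self.refresh()
        return {"Authorization": "Bearer " + self.access_token}
```

Pass `session.auth_header()` as the headers of each FHIR request; the client_secret only ever travels in the token requests, never in API calls.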

Use the API

  1. POST a resource
curl -X POST https://api.1up.health/fhir/dstu2/Patient \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer 94b760b2dff748f992dc8e52e9a5bd51" \
  -d '{"resourceType": "Patient","id": "helloiamatestpatient","gender": "female"}'
  2. GET a resource
curl -X GET https://api.1up.health/fhir/dstu2/Patient/helloiamatestpatient \
  -H "Authorization: Bearer 94b760b2dff748f992dc8e52e9a5bd51"

Pull clinical data from EHRs & sensor data from devices

If you want to get existing data from patients that are already at some of the health systems we support via FHIR, you can use our EHR / Sensor data connect API.