Intro into FHIR API Queries with OAuth2

This guide will help you get started using any standard FHIR API server with OAuth2 for authorization. The flow below gives your application a user-scoped access token, which it then sends as a Bearer token on every API request. OAuth2 is the recommended method for securing API endpoints while still making them accessible to consumer applications.

Create a developer account


For any server you'll need your application's OAuth client credentials, client_id and client_secret, in place. The client_secret authenticates your application, not the user: keep it on your backend and out of browser or mobile code. If you would like OAuth client keys for the 1upHealth API, create an account, visit our developer console and create a new application.

client_id = 'clientidclientidclientid'  
client_secret = 'clientsecretclientsecret'  

token_url =  
api_url =  
scope = user/*.*  

Get your app's auth tokens

These steps enable your app to access data on behalf of a patient (or user) using credentials that grant access only to that user's data. You'll have to repeat them for each user whose data you want to consume. 1upHealth works behind the scenes and lets you stay in control of user permissions via the user-management API. The access and refresh tokens you receive are bearer credentials: anyone who holds them can act as that user within the granted scope, so store them server-side, send them only over HTTPS, and keep them out of logs and URLs. You can also test out these steps via Postman by downloading our collection here

  1. First, create a user on 1upHealth. An application creates users via the following call. Each response contains the new user's oneup_user_id, its app_user_id and an authorization code that you exchange for tokens in the next step. The app_user_id helps you keep track of users between the 1up API and your own user-management system.
curl -X POST "" \
  -d "app_user_id=myappsuserid" \
  -d "client_id=clientidclientidclientid" \
  -d "client_secret=clientsecretclientsecret"

You will receive a response like this

  {
    "success": true,
    "code": "accesscodeaccesscodeaccesscode",
    "oneup_user_id": 251,
    "app_user_id": "1499270216467",
    "active": true
  }

  2. After you create a user, your app receives a code. Use the code in this request:
curl -X POST \
  -d "client_id=clientidclientidclientid" \
  -d "client_secret=clientsecretclientsecret" \
  -d "code=accesscodeaccesscodeaccesscode" \
  -d "grant_type=authorization_code"

it returns something like

  {
    "refresh_token": "b23ae107a6584fecab17826537f464cf",
    "token_type": "bearer",
    "access_token": "add72ae475214adc83ea227c21fee0e5",
    "expires_in": 7200
  }

  3. Once expires_in elapses (7200 seconds here), the access_token is no longer valid and the API rejects it. To get a new one, use your refresh token via this call. Store whatever the response returns; if it contains a new refresh_token, discard the old one, since the server may have invalidated it.
curl -X POST \
  -d "client_id=clientidclientidclientid" \
  -d "client_secret=clientsecretclientsecret" \
  -d "refresh_token=b23ae107a6584fecab17826537f464cf" \
  -d "grant_type=refresh_token"

it returns something like this


Use the API

  1. POST a resource
curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer 94b760b2dff748f992dc8e52e9a5bd51" \
  -d '{"resourceType": "Patient","id": "helloiamatestpatient","gender": "female"}'

  2. GET a resource
curl -X GET \
  -H "Authorization: Bearer 94b760b2dff748f992dc8e52e9a5bd51"
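The steps in "Get your app's auth tokens" and "Use the API" put together, as an added example (this is not 1upHealth's code or SDK): a small Python client that creates the user, exchanges the code, turns expires_in into an absolute deadline, refreshes shortly before that deadline, and retries once after a 401. The endpoint names USER_URL, TOKEN_URL and API_URL, the FakeServer that stands in for the real endpoints, and the sample patient are all assumptions constructed for the example; the page's curl URLs are blank, so the example runs entirely offline.

```python
# Added example, not 1upHealth's code: the create-user / code-exchange / refresh / API-call
# steps above, in a client that tracks expires_in and refreshes itself. Assumed (not from the
# page): the names USER_URL, TOKEN_URL, API_URL and a FakeServer mimicking the documented responses.
import json, time
from itertools import count

CLIENT_ID = "clientidclientidclientid"       # placeholders, as on the page
CLIENT_SECRET = "clientsecretclientsecret"   # server-side only; never ship it in browser/mobile code
USER_URL = "https://example.invalid/user-management"   # assumed URL
TOKEN_URL = "https://example.invalid/oauth2/token"     # assumed URL
API_URL = "https://example.invalid/fhir"               # assumed URL
REFRESH_MARGIN = 60   # refresh this many seconds before expires_in runs out


class OAuthClient:   # transport(method, url, headers, body) -> (status, json_body); injected, so fakeable
    def __init__(self, transport, clock=time.time):
        self.transport, self.clock, self.tokens = transport, clock, None

    def _post(self, url, **fields):   # every call to the user/token endpoints carries the client creds
        status, body = self.transport("POST", url, {}, {**fields, "client_id": CLIENT_ID,
                                                        "client_secret": CLIENT_SECRET})
        if status != 200:
            raise RuntimeError(f"{url} returned {status}: {body}")
        if "access_token" in body:   # turn the relative expires_in into an absolute deadline
            self.tokens = {"access": body["access_token"], "refresh": body["refresh_token"],
                           "expires_at": self.clock() + body["expires_in"]}
        return body

    def create_user(self, app_user_id):   # step 1: the response carries a one-time code
        return self._post(USER_URL, app_user_id=app_user_id)["code"]

    def exchange_code(self, code):        # step 2: code -> access + refresh tokens
        self._post(TOKEN_URL, grant_type="authorization_code", code=code)

    def refresh(self):                    # step 3: refresh_token -> new token set (refresh token rotates too)
        self._post(TOKEN_URL, grant_type="refresh_token", refresh_token=self.tokens["refresh"])

    def access_token(self):
        if self.tokens is None:
            raise RuntimeError("call create_user() and exchange_code() first")
        if self.clock() >= self.tokens["expires_at"] - REFRESH_MARGIN:
            self.refresh()   # proactive: never send a request with a token about to expire
        return self.tokens["access"]

    def request(self, method, path, resource=None, _retry=True):   # Bearer call; refresh+retry once on 401
        headers = {"Authorization": "Bearer " + self.access_token()}
        if resource is not None:
            headers["Content-Type"] = "application/json"
        body = json.dumps(resource) if resource is not None else None
        status, reply = self.transport(method, API_URL + path, headers, body)
        if status == 401 and _retry:   # rejected before its advertised expiry, e.g. revoked server-side
            self.refresh()
            return self.request(method, path, resource, _retry=False)
        return status, reply


class FakeServer:   # constructed stand-in: single-use codes, 7200 s access tokens, rotating refresh tokens
    def __init__(self, clock):
        self.clock, self.ids = clock, count(1)
        self.codes, self.refresh, self.access, self.patients = set(), set(), {}, {}

    def _issue(self):
        at, rt = f"at{next(self.ids)}", f"rt{next(self.ids)}"
        self.access[at] = self.clock() + 7200
        self.refresh.add(rt)
        return {"access_token": at, "refresh_token": rt, "token_type": "bearer", "expires_in": 7200}

    def __call__(self, method, url, headers, body):
        if url == USER_URL:
            code = f"code{next(self.ids)}"
            self.codes.add(code)
            return 200, {"success": True, "code": code, "app_user_id": body["app_user_id"]}
        if url == TOKEN_URL:
            if body.get("grant_type") == "authorization_code" and body.get("code") in self.codes:
                self.codes.discard(body["code"])               # a code is redeemable exactly once
                return 200, self._issue()
            if body.get("grant_type") == "refresh_token" and body.get("refresh_token") in self.refresh:
                self.refresh.discard(body["refresh_token"])   # rotation: the old refresh token dies
                return 200, self._issue()
            return 400, {"error": "invalid_grant"}
        token = headers.get("Authorization", "")[len("Bearer "):]
        if self.access.get(token, 0) <= self.clock():          # unknown or expired bearer token
            return 401, {"error": "invalid_token"}
        if method == "POST":                                   # create: store the resource by id
            res = json.loads(body)
            self.patients[res["id"]] = res
            return 201, res
        pid = url.rsplit("/", 1)[1]                            # read: /Patient/{id}
        return (200, self.patients[pid]) if pid in self.patients else (404, {})


def run_demo(now=1_700_000_000.0):   # whole flow, then jump past expires_in to show the silent refresh
    clock = [now]                                   # mutable fake clock
    server = FakeServer(lambda: clock[0])
    client = OAuthClient(server, lambda: clock[0])
    client.exchange_code(client.create_user("myappsuserid"))
    first = client.access_token()
    created, _ = client.request("POST", "/Patient", {"resourceType": "Patient", "id": "helloiamatestpatient", "gender": "female"})
    clock[0] += 7200                                # the first access_token is now dead on the server
    fetched, patient = client.request("GET", "/Patient/helloiamatestpatient")
    stale, _ = server("GET", API_URL + "/Patient/helloiamatestpatient", {"Authorization": "Bearer " + first}, None)
    return {"created": created, "fetched": fetched, "gender": patient["gender"],
            "rotated": client.tokens["access"] != first, "stale_status": stale}
```

To point this at a real server, replace FakeServer with a transport built on an HTTP library (form-encode the dict for the user and token endpoints, send the JSON string for FHIR) and drop the fake clock; the client logic does not change. The transport is the only seam, which is also where you would add TLS pinning or logging that redacts the Authorization header.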

Pull clinical data from EHRs

If you want to pull existing data for patients who are already at one of the health systems we support via FHIR, use our EHR data connect API.