Intro FHIR Queries with OAuth2
This guide will help you get started using any standard FHIR API server with OAuth2 for authorization. This flow is the recommended method for securing API endpoints while making them accessible to consumer applications.

Setup

For any server you'll want to have these constants (client_id / client_secret) in place. If you would like OAuth client keys to the 1upHealth API, create an account, visit our developer console and create a new application.
1
client_id = 'clientidclientidclientid'
2
client_secret = 'clientsecretclientsecret'
3
4
token_url = https://auth.1up.health/oauth2/token
5
api_url = https://api.1up.health/
6
scope = user/*.*
Copied!

Get your app's auth tokens

These steps will enable your app to access data on behalf of the patient (or user) using credentials that only grant you to that user's data. You'll have to repeat this for each user whose data you want to consume. 1upHealth works behind the scenes and allows you to be in control of user permissions via the user-management API. You can also test out these steps via Postman by downloading our collection here.
    1.
    First, create a user on 1upHealth. An application can create users via the following call. Each response will contain the new user's oneup_user_id, access_token, refresh_token, and app_user_id. The app_user_id helps you keep track of users between the 1up API and your own user management system.
1
curl -X POST "https://api.1up.health/user-management/v1/user" \
2
-d "app_user_id=myappsuserid" \
3
-d "client_id=clientidclientidclientid" \
4
-d "client_secret=clientsecretclientsecret"
Copied!
You will receive a response like this
1
{
2
success: true,
3
code: 'accesscodeaccesscodeaccesscode',
4
oneup_user_id: 251,
5
app_user_id: '1499270216467',
6
active: true
7
}
Copied!
    1.
    After you create a user, your app receives a code. For each user, the 'code' variable is the OAuth2 access code. You will exchange the 'code' to get the OAuth2 access token. The access_token and refresh_token will be used to gain access to the user's data. Keep secure. Use the code in this request:
1
curl -X POST https://auth.1up.health/oauth2/token \
2
-d "client_id=clientidclientidclientid" \
3
-d "client_secret=clientsecretclientsecret" \
4
-d "code=accesscodeaccesscodeaccesscode" \
5
-d "grant_type=authorization_code"
Copied!
it returns something like
1
{
2
"refresh_token": "b23ae107a6584fecab17826537f464cf",
3
"token_type": "bearer",
4
"access_token": "add72ae475214adc83ea227c21fee0e5",
5
"expires_in": 7200
6
}
Copied!
    1.
    Once 7200 seconds passes, the access_token will no longer be valid. To get a new token, you'll have to use your refresh token via this call.
1
curl -X POST https://auth.1up.health/oauth2/token \
2
-d "client_id=clientidclientidclientid" \
3
-d "client_secret=clientsecretclientsecret" \
4
-d "refresh_token=b23ae107a6584fecab17826537f464cf" \
5
-d "grant_type=refresh_token"
Copied!
It returns something like this:
1
{
2
"refresh_token":"691d984c43ef4a0593ea997750a2d4c3",
3
"token_type":"bearer",
4
"access_token":"6fe79505699b471a91187864212a111b",
5
"expires_in":7200
6
}
Copied!
4) Create FHIR® resources and associate with the user, using the user's token. For example, create a Patient resource, and give the user a name, gender, and age. You get to define your own ID value for the resource. Use the refresh_token and access_token relayed in the previous step's response.
Sample Request:
1
{
2
curl -X POST "https://api.1up.health/dstu2/Patient"
3
-H "Content-Type: application/json"
4
-H "Authorization: Bearer 94b760b2dff748f992dc8e52e9a5bd51"
5
-d '{
6
"resourceType": "Patient",
7
"id": "helloiamatestpatient",
8
"gender": "female"
9
}'
10
}
Copied!
Sample Response:
1
{
2
"resourceType": "Patient",
3
"id": "helloiamatestpatient",
4
"meta": {
5
"versionId": "9000000000002",
6
"lastUpdated": "2019-03-19T21:10:19.727Z"
7
},
8
"gender": "female"
9
}
Copied!
5) Query the user resource for Patient that you just created by using its ID and the user token. You’ll only see basic data with this endpoint. Once you add a health system EHR, you’ll query other endpoints to get more data.
1
{
2
curl -X GET "https://api.1up.health/dstu2/Patient/helloiamatestpatient"
3
-H "Authorization: Bearer accesstokenaccesstokenaccesstoken"
4
}
Copied!
Sample Response:
1
{
2
"resourceType": "Patient",
3
"id": "helloiamatestpatient",
4
"meta": {
5
"versionId": "9000000000002",
6
"lastUpdated": "2019-03-19T21:10:19.727Z"
7
},
8
"gender": "female"
9
}
Copied!

Pull clinical data from EHRs

If you want to get existing data from patients that are already at some of the health systems we support via FHIR, you can use our EHR data connect API.
Last modified 5mo ago