NeurixaHealthAI logo
HomeFrameworksSMART on FHIR
SMART on FHIR

Secure Access to Clinical Data.
For Every App. Every User.

NeurixaHealthAI™ implements the full SMART on FHIR specification — EHR launch, standalone launch, backend services, and SMART Health Cards — so your apps get the right data for the right user at the right time.

Secure healthcare app authentication with two-factor verification
200+
OAuth 2.0 scopes
OAuth 2.0
Authorization standard
200+
SMART scopes supported
<100ms
Token issuance latency
PKCE
Secure auth code flow
The Authorization Problem
  • Custom auth implementations for every EHR integration
  • No standard way to pass patient context to third-party apps
  • Broad database credentials instead of scoped API access
  • No patient consent layer for data sharing decisions
  • Backend service auth relies on shared secrets and VPNs
With NeurixaHealthAI™ SMART
  • Single SMART authorization server for all EHR integrations
  • Patient and encounter context delivered automatically at launch
  • Granular resource-level scopes — least-privilege by default
  • FHIR Consent resources track every data sharing decision
  • JWT client assertions for secure server-to-server access

Capabilities

The Complete SMART on FHIR Stack

Every component of the SMART on FHIR specification — from app registration to token revocation — built, maintained, and monitored by NeurixaHealthAI™.

EHR Launch & Standalone

Full support for both EHR launch (app launched from within the EHR with patient context) and standalone launch flows with PKCE and state validation.

Granular SMART Scopes

Resource-level read/write scopes (patient/Observation.read, user/MedicationRequest.write) plus system-level scopes for backend service access.

Patient & User Contexts

Launch contexts carry patient, encounter, and user identifiers. Apps receive pre-populated context without additional API calls.

SMART Backend Services

Asymmetric key authentication (JWT client assertions) for server-to-server access — enabling bulk data export and population-level AI workflows.

Token Refresh & Revocation

Automatic access token refresh with configurable expiry. Instant token revocation on logout or security events with audit logging.

Multi-Tenant Authorization

Tenant-isolated authorization servers with per-tenant scope policies, allowed app registries, and custom consent workflows.

Consent Management

Patient-facing consent UI for data sharing decisions. Granular consent records stored as FHIR Consent resources with full audit trail.

App Registration Portal

Self-service app registration with redirect URI validation, scope request review, and automated sandbox provisioning for developers.

SMART Health Cards

Issue and verify SMART Health Cards (W3C Verifiable Credentials) for vaccination records, lab results, and insurance verification.

Authorization Scopes

Granular SMART Scope Support

200+ SMART scopes supported. Resource-level, user-level, and system-level scopes for every clinical data access pattern.

patient/Patient.read
Read patient demographics
patient/Observation.read
Read lab results, vitals
patient/Condition.read
Read diagnoses, problems
patient/MedicationRequest.read
Read prescriptions
patient/Coverage.read
Read insurance coverage
user/Encounter.write
Write encounter records
system/Patient.read
Backend patient access
system/*.read
Backend full read access
launch/patient
Receive patient context
launch/encounter
Receive encounter context
openid profile
User identity claims
offline_access
Refresh token access

Authorization Flow

From Launch to Authorized API Access

01

App Registration

Developer registers app in the SMART portal. Redirect URIs, requested scopes, and launch types configured and reviewed.

02

Launch Initiated

EHR launches app with iss and launch parameters, or user navigates directly for standalone launch. PKCE code verifier generated.

03

Authorization Request

App redirects to authorization endpoint with requested scopes and PKCE code challenge. Patient and encounter context pre-populated.

04

User Consent

Clinician or patient reviews requested scopes and grants consent. Consent recorded as FHIR Consent resource.

05

Token Issuance

Authorization code exchanged for access token, ID token, and optional refresh token. Launch context embedded in token response.

06

FHIR API Access

App calls FHIR API with Bearer token. Scopes enforced at resource level. All access logged as AuditEvent resources.

Ready to Secure Your Clinical App Access?

Register your app in the NeurixaHealthAI™ SMART portal and get sandbox credentials in minutes. Production launch in days.