Authorization

For a client application to access REST API resources, it must be authorized as a safe visitor. To implement this authorization, use a connected app and an OAuth 2.0 authorization flow.

A connected app requests access to REST API resources on behalf of the client application. For a connected app to request access, it must be integrated with your org’s REST API using the OAuth 2.0 protocol. OAuth 2.0 is an open protocol that authorizes secure data sharing between applications through the exchange of tokens.

For instructions to configure a connected app, see Create a Connected App in Salesforce Help. Specifically, follow the instructions in Enable OAuth Settings for API Integration.

A connected app can use the OAuth authorization protocol to access protected resources. As part of the protocol, OAuth default scopes fine-tune the app’s permissions to access protected resources in Salesforce. However, these default scopes are insufficient when an external entity hosts the protected resource. In this scenario, Salesforce plays the role of OAuth authentication and authorization provider, but it has little knowledge about the resource it’s protecting. To define a connected app’s permissions to access protected resources hosted by an external entity, create an OAuth custom scope. The custom scope tells the external entity which information the connected app is authorized to access.

The following custom scopes are available for the Healthcare APIs:

| Resource | Method | Custom Scopes | Description |
|---|---|---|---|
| Medication | GET | user_medication_read OR user_all_read OR system_all_read | Allows read access to the Medication resource. |
| Medication | POST | user_medication_write OR user_all_write OR system_all_write | Allows write access to the Medication resource. |
| Condition | GET | user_condition_read OR user_all_read OR system_all_read | Allows read access to the Condition resource. |
| Condition | POST | user_condition_write OR user_all_write OR system_all_write | Allows write access to the Condition resource. |
| AllergyIntolerance | GET | user_allergyIntolerance_read OR user_all_read OR system_all_read | Allows read access to the AllergyIntolerance resource. |
| AllergyIntolerance | POST | user_allergyIntolerance_write OR user_all_write OR system_all_write | Allows write access to the AllergyIntolerance resource. |
| Procedure | GET | user_procedure_read OR user_all_read OR system_all_read | Allows read access to the Procedure resource. |
| Procedure | POST | user_procedure_write OR user_all_write OR system_all_write | Allows write access to the Procedure resource. |
| Claim | POST | system_claim_read OR system_all_read | Allows read access to the Claim resource. |
| Claim | POST | system_claim_write OR system_all_write | Allows write access to the Claim resource. |

For instructions on how to create custom scopes in the Salesforce org, see OAuth Tokens and Scopes and Create an OAuth Custom Scope in Salesforce Help.

After you create an OAuth custom scope in your Salesforce org, you can assign it to a connected app to set data-access permissions for the app.
Note: You must also assign the refresh_token scope to the connected app. For detailed instructions, see Assign an OAuth Custom Scope to a Connected App in Salesforce Help.

OAuth authorization flows grant a client app restricted access to REST API resources on a resource server. Each OAuth flow offers a different process for approving access to a client app, but in general the flows consist of three main steps.

  1. To initiate an authorization flow, a connected app on behalf of a client app requests access to a REST API resource.
  2. In response, an authorizing server grants access tokens to the connected app.
  3. A resource server validates these access tokens and approves access to the protected REST API resource.

After reviewing and selecting an OAuth authorization flow, apply it to your connected app. For details about each supported flow, see OAuth Authorization Flows in Salesforce Help.