EU Health Data API
0.1.0 - ci-build
150
EU Health Data API
0.1.0 - ci-build
150
EU Health Data API, published by HL7 Europe. This guide is not an authorized publication; it is the continuous build for version 0.1.0 built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/bvdh/jwg-api/ and changes regularly. See the Directory of published versions
Authorization is required for all API transactions. This IG inherits SMART Backend Services for system-to-system authorization, grouped with IHE IUA actors.
We adopt SMART Backend Services as specified—including token formats, JWT requirements, and authentication methods—to align with globally recognized specifications and reduce implementation burden.
This specification defines system-to-system authorization only:
User-level authorization requirements are not initial scope for this Implementation Guide.
sequenceDiagram
participant Client as IUA Authorization Client
participant AuthZ as IUA Authorization Server
participant Resource as IUA Resource Server
Client->>AuthZ: POST /token (client_credentials, signed JWT)
AuthZ-->>Client: Access Token
Client->>Resource: GET /Patient?identifier=... (Bearer token)
Resource-->>Client: Bundle (search results)
Out of band, the Consumer registers identity credentials (public key, client identifier) with the Access Provider.
Future: Consider UDAP for dynamic client registration. See FHIR UDAP Security IG for more details.
Servers SHALL advertise their authorization configuration at [base]/.well-known/smart-configuration.
Required fields include:
token_endpoint - URL for token requeststoken_endpoint_auth_methods_supported - Must include private_key_jwtscopes_supported - Recommended to list supported scopesSee SMART Backend Services Discovery for the full specification.
The Authorization Server issues access tokens to registered clients using the client_credentials grant.
Servers SHALL:
iss, sub, aud, exp, jti)Clients obtain tokens by POSTing to the token endpoint discovered via .well-known/smart-configuration.
Token Request:
client_credentialsServers SHALL validate tokens on every API request:
exp claim)aud matches server)Clients present tokens using the Authorization header:
Authorization: Bearer <access_token>
Tokens must be presented on all API requests to protected resources.
Scopes follow SMART v2 conventions and align with required MHD and QEDm transactions:
system/DocumentReference.c - Create DocumentReferencesystem/Binary.c - Create Binarysystem/Patient.rs - Read/search Patient (for patient matching)system/Patient.rs - Read/search Patientsystem/DocumentReference.rs - Read/search DocumentReferencesystem/Binary.r - Read Binarysystem/Patient.rs - Read/search Patientsystem/Observation.rs, system/Condition.rs, system/DiagnosticReport.rs, etc..r = read.s = search.rs = read and search.c = createAll API communications SHALL use TLS 1.2 or higher.
Server Requirements:
Certificate Requirements:
User-level authorization (including patient-mediated access) is out of scope for this version of the implementation Guide. For patient-mediated access patterns, readers are encouraged to consider SMART on FHIR App Launch and International Patient Access. Integration with the EU Digital Identity Wallet and eIDAS framework may be addressed in future editions.
Member States MAY layer user-level authorization on top of system-to-system authorization as appropriate for their national infrastructure.
IG © 2025+ HL7 Europe.
Package hl7.fhir.eu.euridice-api#0.1.0 based on FHIR 4.0.1.
Generated
2026-01-30
