Reference Implementation installation instructions

Security guide

The following descriptions provide a high level overview of what can be accessed with the security access provided to access the Care Connect Reference Implementation.

Security architecture

  1. The data exposed by the secure Requests are identical to the standard REST Requests of the FHIR Care Connect API. The scopes demonstrated within the security demonstrate profile restriction on the HTTP REST API of a specific user/system/role. This will depend on specific systems.

  2. The Reference Implementation provides examples based on restricted Users. Each User has a set of Scopes and in order to access certain Profiles the user requires a specific Scope on their profile.

  3. The security is managed by a OAuth2 Server. We have setup ours on a separate box or you can follow the instructions provided by the Care Access Service (coming soon). Before your application can access secured Reference Implementation API data, it must obtain an access token that grants access to that API. A single access token can grant varying degrees of access to multiple APIs. A variable parameter called scope controls the set of resources and operations that an access token permits. During the access-token request, your application sends one or more values in the scope parameter.

  4. At the moment these scopes are restricted to the examples shown. In future it might be possible to dynamically create Scopes on profiles. The Reference Implementation provides a demonstration of OAuth2 Users & Scopes.

  5. To aid in the use of OAuth2 with the Reference Implementation we have provided a step by step guide on using Postman to Authentice and connect with the Care Connect Reference Implementation.

Resource scopes

Resource scope required to access (at least 1 of)

Resource name Permitted scopes
Patient user/
Observation user/
Encounter user/
Condition user/
Procedure user/
AllergyIntolerance user/
MedicationRequest user/
MedicationStatement user/
Immunization user/

Postman usage examples

The following screenshots show how to use the Care Connect Reference Implementation via Postman. The 6 steps shown below are:

  1. Access Secure Endpoint
  2. Select OAuth2
  3. Get New Access Token
  4. Request Token - please use list of Security Scopes
  5. Use Access Token
  6. Send Secure Request

Get new access token

Access Secure Endpoint & Select OAuth2

Access Secure Endpoint

Create Access Token

Use Access Token

Please click the Security Scopes for a list of example scopes and access tokens.

Get New Access Token (expiry 90 mins), copy the details below this screenshot.

Get New Access Token

Create Access Token example for Patient only access, please see Security Scopes for more example scopes:

Credentials Details (Please copy all details)
Grant Type Client Credentials
Token name (example) OAuth2-PatientAccess
Access Token URL
Client ID a24a4d9f-c264-4af7-a8e5-248c24a6b707
Client Secret MMpAOGBljYcEzBfn7q9-xgJqBlmR0BSiEyCrCjNNOUpR78kZtzqgKKU_4FgGRFNWbtc6jPIErLwoYwRgnlvijA
Client Authentication ‘Send as Basic Auth header’

There are three steps the first time you use the token with the Reference Implementation:

  1. Get new access token
  2. Ensure you only have one active token (expiry every 90 mins)
  3. Use the access token in a Request (The URL is the same as before but with the https:// prefix)

Use Access Token

Send Request

Send Secure Request

Send Secure Request

Current Version

Check out Versions for more information about the current released version, downloading options, use and future verions.


This site is structured around Care Connect stakeholders including API users, developers and architects. Please get involved in the journey.

guide Engage Clinical scenarios User stories Case Studies Benefits Clinical inspiration Explore Impl Guide Resource Profiles API definitions Search parameters Value sets Design & Build Build APIs Search Ex. Code examples Validation tools Security examples Test Test data Security tests Reference servers Secure store Example data Assure Automated tests Test Reports Test Evidence Conformance reports Assurance checklist Deploy (Pilot) API harness Warranted environment IG / IS Spine comms Record locator Deploy (Live) Registry Monitor Support Conformance statement Extensions