Secure Quickstart to the Reference Implementation

Security Quickstart

This page describes a quickstart for users of the CCRI to explore a secure API connection to the CCRI. The security challenges are descried in more detail in the Security section of the this Implementation Guide. The rest of this guide concentrates on how to:

  1. Pre-registered OAuth2 Client - Access via Postman
  2. Register OAuth2 Client - Access via an OAuth2 negotiated server

To deploy a live instance of a Care Connect API where data is hosted and shared across system and organisational boundaries, please refer to Security for background and understanding of the security considerations when creating your own implementation.

Pre-registered OAuth2 Client

To Authenticate and connect with the CCRI via Postman emulates how a backend server might establish a secure connection. The following screenshots show how to use the Care Connect Reference Implementation via Postman. The 7 steps shown below are:

  1. Access Secure Endpoint
  2. Select OAuth2
  3. Get New Access Token
  4. Request Token - please use list of Security Scopes
  5. Use Access Token
  6. Send Secure Request

Get new access token

Access Secure Endpoint & Select OAuth2

Access Secure Endpoint

Use Access Token

Please click the Security Scopes for a list of example scopes and access tokens.

Get New Access Token (expiry 90 mins), copy the details below this screenshot.

Get New Access Token

Create Access Token example for Patient only access, please see Security Scopes for more example scopes:

Credentials Details (Please copy all details)
Grant Type Client Credentials
Token name (example) OAuth2-PatientAccess
Access Token URL
Client ID patient-access
Client Secret IShTVi8mRSV7bVREuU1freiDo79y_8fLX3BBw2nf2eIpv9A_r91VlVuF2LOiK_zLZAkBQCusEXLp_o6DEIgvaQ
Client Authentication ‘Send as Basic Auth header’

There are three steps the first time you use the token with the Reference Implementation:

  1. Get new access token
  2. Ensure you only have one active token (expiry every 90 mins)
  3. Use the access token in a Request (The URL is the same as before but with the https:// prefix)

Use Access Token

Send Request

Send Secure Request

Send Secure Request

Register a OAuth2 Client

Access via an OAuth2 client demonstrates how a website / mobile app could interact with an end user. The starting point for this lies in the Capability Statement (example) of a FHIR Server which indicates the location of the Authorisation Server.

Retrieve Capability Statement

The CapabilityStatement indicates secure access can be obtained by registering the client at As a demonstration of how this can be achieved using an Authorisation Server user interface, please follow this link below and log into the OAuth2 server using a Google Id by clicking on Log In (top right hand corner). CareConnect Authorisation Server

OAuth2 Login

Register to the OAuth2 Client

Select ‘Self-service client registration’ from the menu and then select ‘+ New Client’.

OAuth2 Register Client

Complete your details, for details on Access Scopes please see SMART on FHIR - Scopes and Launch Context.

OAuth2 Client Main

OAuth2 Client Access

Take a note of the client_id and client_secret they will be used to establish the secure connection. The diagram below shows a redacted screenshot of an example access token.

OAuth2 Client Secret

Current Version

Check out Versions for more information about the current released version, downloading options, use and future verions.


This site is structured around Care Connect stakeholders including API users, developers and architects. Please get involved in the journey.

guide Engage Clinical scenarios User stories Case Studies Benefits Clinical inspiration Explore Impl Guide Resource Profiles API definitions Search parameters Value sets Design & Build Build APIs Search Ex. Code examples Validation tools Security examples Test Test data Security tests Reference servers Secure store Example data Assure Automated tests Test Reports Test Evidence Conformance reports Assurance checklist Deploy (Pilot) API harness Warranted environment IG / IS Spine comms Record locator Deploy (Live) Registry Monitor Support Conformance statement Extensions