SMART Backend Services
OAuth flow for unattended, server-to-server access to a FHIR endpoint, bulk data and ETL.
Definition
Because there is no user or launch context, the client requests system/ scopes (e.g. system/Observation.rs) that parallel the SMART user/ scopes. The client authenticates by signing a one-time JWT assertion with its private key (RS384 or ES384) whose public key the server holds via a JWK Set. It is the authorization layer underpinning FHIR Bulk Data export.
Origin
Defined in the HL7 SMART App Launch implementation guide, "Backend Services" section (STU 2.x); it pairs with the HL7 FHIR Bulk Data Access (Flat FHIR) implementation guide.
Example in context
POST [token] grant_type=client_credentials&scope=system/*.read&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=eyJ...
Related terms
- SMART clinical scopes — system/ scopes share its syntax.
- SMART App Launch — the user-facing companion flow.