Backend Services

System-to-system authentication using signed JWTs for bulk data export and automated workflows.

Server-to-Server Only

No user interaction is required. Backend services use the client_credentials grant for automated server-to-server workflows such as bulk data export.

How It Differs from Standalone Launch

Standalone Launch
  • Grant: authorization_code
  • Token TTL: 1 hour (3600s)
  • Scopes: patient/ or user/
  • Refresh: Yes (90-day)
  • User: Required (login)
Backend Services
  • Grant: client_credentials
  • Token TTL: 5 minutes (300s)
  • Scopes: system/
  • Refresh: No
  • User: None required

Authentication Flow

1. Generate JWT Assertion

Create a JWT and sign it with RS384 using your private key. The JWT has the same structure as the standalone launch client_assertion.

alg: RS384, kid: your_key_id

2. Request Access Token

POST to the token endpoint with grant_type=client_credentials and your signed JWT as the client_assertion.

grant_type=client_credentials, client_assertion, scope=system/*.read

3. Get Token Response

eCW returns an access token valid for 5 minutes (300 seconds). No refresh token is provided.

access_token, expires_in=300

4. Make FHIR API Calls

Use the access token as a Bearer token. When it expires, generate a new JWT and repeat from step 1.

GET /fhir/r4/Patient — Authorization: Bearer {access_token}
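
The four steps above as a client-side sketch. This is an added example, not eCW's code. The claim set (iss, sub, aud, exp, jti), the typ header and the client_assertion_type value come from the SMART Backend Services specification rather than from this page; `sign` and `fetch` are hypothetical injected callables (the RS384 signer holding the private key, and the HTTP POST to the token endpoint), and the 30-second renewal skew is an assumption.

```python
import base64, json, secrets, time
from urllib.parse import urlencode

# From the SMART Backend Services spec, not from this page (assumption for eCW):
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
ASSERTION_TTL = 300  # the spec caps the assertion's exp at five minutes ahead

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_assertion(client_id, token_url, kid, sign, now=None):
    """Step 1. `sign` (hypothetical) maps the signing input to RS384
    (RSASSA-PKCS1-v1_5 with SHA-384) signature bytes using the private key."""
    now = int(time.time() if now is None else now)
    header = {"alg": "RS384", "kid": kid, "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_url,
              "exp": now + ASSERTION_TTL,
              "jti": secrets.token_urlsafe(16)}  # unique per assertion so the server can reject replays
    signing_input = ".".join(b64url(json.dumps(part).encode()) for part in (header, claims))
    return signing_input + "." + b64url(sign(signing_input.encode()))

def token_request_body(assertion, scope="system/*.read"):
    """Step 2: form-encoded body for the POST to the token endpoint."""
    return urlencode({"grant_type": "client_credentials", "scope": scope,
                      "client_assertion_type": ASSERTION_TYPE,
                      "client_assertion": assertion})

class TokenCache:
    """Steps 3-4: reuse the access token until shortly before it expires.
    No refresh token exists, so renewal means a fresh assertion via `fetch`."""
    def __init__(self, fetch, skew=30):
        self.fetch, self.skew = fetch, skew  # fetch() -> parsed token response (dict)
        self.token, self.expires_at = None, 0.0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self.token is None or now >= self.expires_at - self.skew:
            resp = self.fetch()  # builds a new JWT and POSTs token_request_body()
            self.token = resp["access_token"]
            self.expires_at = now + int(resp.get("expires_in", 300))
        return self.token
```

Renewing slightly before expiry keeps a FHIR call that starts near the 300-second mark from being sent with a token that lapses in flight.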

Key Differences

  • grant_type is client_credentials (not authorization_code)
  • Token lifetime is 5 minutes (not 1 hour)
  • Uses system/ scopes (not patient/ or user/)
  • No refresh tokens are issued — request a new token each time
  • system/Group.read scope is required for bulk data operations