Constraints
Known limitations, quirks, and vendor-specific behaviors in the eCW FHIR implementation.
Vendor-Specific Behaviors
These constraints are specific to the eClinicalWorks FHIR implementation and may differ from other EHR vendors.
eCW FHIR APIs do not include CORS headers. Browser-based apps must proxy API calls through a backend server.
Localhost is not supported for EHR launch URLs. However, localhost is fine as a redirect_uri for standalone apps during development.
The only supported signing algorithm for asymmetric authentication is RS384. RS256, RS512, ES256, and others are not accepted.
PKCE with S256 code challenge method is mandatory for all authorization code flows. Plain code challenges are not accepted.
API calls are rate limited to 250 per minute per practice code. The limit applies to the FHIR APIs and to the /authorize and /token endpoints. When it is exceeded, the server returns HTTP 429 and further calls are blocked for the remainder of the minute.
Provider app access tokens last 1 hour (3600s). Backend service tokens last 5 minutes (300s).
Refresh tokens are valid for 90 days and are single-use. Each token exchange returns a new refresh token.
Your JWKS endpoint URL must be explicitly whitelisted on eCW servers. Contact eCW support to request whitelisting.
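
The mandatory S256 PKCE constraint above, as an added example (not eCW or vendor code): it generates a verifier/challenge pair per RFC 7636, pins the method in the authorization request, and mirrors the check an S256-only server applies. The endpoint URL, client ID, redirect URI, scope, and all function names are placeholders assumed for illustration.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def s256_challenge(verifier: str) -> str:
    """BASE64URL(SHA-256(verifier)) without '=' padding (RFC 7636 section 4.2)."""
    if not _VERIFIER_RE.fullmatch(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge). The verifier stays with the client."""
    verifier = secrets.token_urlsafe(64)  # 86 characters of CSPRNG output
    return verifier, s256_challenge(verifier)


def authorize_url(base, client_id, redirect_uri, scope, state, challenge):
    """Build the authorization request with the challenge method pinned to S256."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",  # never "plain"
    })
    return f"{base}?{query}"


def server_accepts(method: str, challenge: str, verifier: str) -> bool:
    """Illustrative check of an S256-only server at the token step."""
    if method != "S256":  # a "plain" challenge is refused outright
        return False
    return hmac.compare_digest(s256_challenge(verifier), challenge)


if __name__ == "__main__":
    v, c = new_pkce_pair()
    # Placeholder endpoint and client values, constructed for this example.
    print(authorize_url("https://ehr.example/authorize", "my-client-id",
                        "https://app.example/callback", "launch openid", "st-123", c))
```

Store the verifier in the server-side session next to `state` and send it only in the token request; it should never appear in the browser URL or in logs.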