Common error codes, their causes, and resolution steps for eCW FHIR API issues.
Debugging Errors
Errors are grouped by HTTP status code. The most common issue is the 400 "FHIR app authentication is not enabled" error, which means the practice has not completed activation.
Missing required parameters in the request
A required parameter like response_type, client_id, or redirect_uri is missing or malformed.
FHIR app authentication is not enabled
The practice has not activated your app. See the Practice Activation guide.
Requested scope is invalid or not registered
The scope string is malformed, not supported, or was not registered for this app.
Wrong response_type value
The response_type is not "code". Only the authorization code flow is supported.
Client authentication failed
The client_id is not recognized or does not match any registered app.
JWT key ID does not match any key in JWKS
The "kid" header in your JWT does not match any key ID in your published JWKS endpoint.
Cannot reach JWKS URL
eCW servers cannot access your JWKS endpoint. Verify the URL is publicly accessible and responding.
JWKS URL is not in the allowed list
Your JWKS endpoint URL has not been whitelisted on eCW servers. Contact eCW support.
JWKS response is invalid
The response from your JWKS URL is not valid JSON Web Key Set format.
Access token is expired or malformed
The Bearer token in the Authorization header is expired, revoked, or not a valid JWT.
Refresh token has expired
The refresh token has passed its 90-day validity period. User must re-authorize.
Refresh token has been revoked
The refresh token was already used (single-use) or explicitly revoked.
Refresh token does not belong to this client
The refresh token was issued to a different client_id.
Authorization was denied
The eCW server encountered an internal error processing the request. May also appear as access_denied if the user denied consent.