Standalone Launch

Complete 8-step OAuth 2.0 authorization code flow with PKCE for apps launched outside the EHR.

SMART App Launch

The standalone launch flow follows the SMART App Launch Framework with PKCE (S256). The app initiates the OAuth 2.0 authorization code flow without an EHR context.

1. Authorization Request

App constructs an authorization URL and redirects the user's browser to the eCW authorization server.

Parameters: response_type=code, client_id, redirect_uri, scope, state, aud, code_challenge (S256)
2. User Login & Consent

User authenticates and authorizes the requested scopes.

Provider apps: eCW EHR login page
Patient apps: healow login page

3. Authorization Code

eCW redirects back to your app's redirect_uri with a short-lived authorization code and the state parameter for CSRF verification.

Callback parameters: code, state
4. Token Exchange

App POSTs to the token endpoint with the authorization code, a signed JWT client assertion (RS384), and the PKCE code verifier.

Parameters: grant_type=authorization_code, code, client_assertion, code_verifier
5. Token Response

eCW returns the access token, refresh token, ID token, and metadata about the session.

Response fields: access_token, refresh_token, id_token, expires_in=3600
6. FHIR API Calls

Use the access token as a Bearer token in the Authorization header to make FHIR R4 API requests.

GET /fhir/r4/Patient/{id} — Authorization: Bearer {access_token}
7. Refresh Token Request

When the access token expires (after 1 hour), exchange the refresh token for a new token pair. A new client_assertion JWT is required.

Parameters: grant_type=refresh_token, refresh_token, client_assertion
8. New Tokens

eCW returns a new access token and a new refresh token. The old refresh token is invalidated and cannot be reused.

Refresh tokens are single-use. The old token is invalidated when a new one is issued. Store the new refresh token immediately.
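The eight steps above as one runnable client-side walk-through in Go, added here as an illustration; it is not eCW's or the SMART project's code. It generates the PKCE pair (step 1), builds the authorization URL, enforces the state check on the callback (step 3), signs the RS384 client assertion used in steps 4 and 7, and builds both token-request bodies; nothing is sent over the network. The endpoint URLs, client ID, redirect URI and kid are placeholders. The code_challenge_method parameter, the client_assertion_type value and redirect_uri in the token request are the standard RFC 7636 / RFC 7523 / SMART parameters, which the page does not list, and the five-minute assertion lifetime is this example's choice. VerifySignature plays the server's role only so the assertion can be checked end to end.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

const ( // placeholder endpoints and client values for this example; not real eCW URLs
	AuthorizeEndpoint = "https://authz.example.invalid/oauth2/authorize"
	TokenEndpoint     = "https://authz.example.invalid/oauth2/token"
	ClientID          = "example-client-id"
	RedirectURI       = "https://app.example.invalid/callback"
	AssertionType     = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" // RFC 7523 value
)
var b64 = base64.RawURLEncoding // JOSE and PKCE both use unpadded base64url

// ChallengeS256 is BASE64URL(SHA256(verifier)) as defined in RFC 7636.
func ChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return b64.EncodeToString(sum[:])
}

// NewPKCE draws a 32-byte random verifier (43 chars encoded) and derives its S256 challenge.
func NewPKCE() (verifier, challenge string, err error) {
	raw := make([]byte, 32)
	if _, err = rand.Read(raw); err != nil {
		return "", "", err
	}
	verifier = b64.EncodeToString(raw)
	return verifier, ChallengeS256(verifier), nil
}

// NewClientKey makes a throwaway RS384 key; a real app loads the key registered with eCW instead.
func NewClientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// AuthorizeURL builds the step 1 redirect; aud is the FHIR base URL the token will be used against.
func AuthorizeURL(scope, state, aud, challenge string) string {
	q := url.Values{"response_type": {"code"}, "client_id": {ClientID}, "redirect_uri": {RedirectURI},
		"scope": {scope}, "state": {state}, "aud": {aud},
		"code_challenge": {challenge}, "code_challenge_method": {"S256"}}
	return AuthorizeEndpoint + "?" + q.Encode()
}

// CodeFromCallback parses the step 3 query (r.URL.RawQuery in a handler) and rejects it unless
// state equals the value stored for this browser session (the CSRF check) and a code is present.
func CodeFromCallback(rawQuery, expectedState string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil || expectedState == "" || q.Get("state") != expectedState || q.Get("code") == "" {
		return "", errors.New("reject callback: bad query, state mismatch or missing code")
	}
	return q.Get("code"), nil
}

// ClientAssertion signs a five-minute RS384 JWT identifying the app to the token endpoint (steps 4 and 7).
func ClientAssertion(key *rsa.PrivateKey, kid string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS384", "typ": "JWT", "kid": kid})
	claims, _ := json.Marshal(map[string]interface{}{"iss": ClientID, "sub": ClientID, "aud": TokenEndpoint,
		"exp": now.Add(5 * time.Minute).Unix(), "jti": b64.EncodeToString(jti)})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	digest := sha512.Sum384([]byte(input)) // RS384 = RSASSA-PKCS1-v1_5 over SHA-384
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA384, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifySignature is the server's side of the RS384 check, here so the flow can be exercised end to end.
func VerifySignature(pub *rsa.PublicKey, jwt string) error {
	parts := strings.Split(jwt, ".")
	sig, err := b64.DecodeString(parts[len(parts)-1])
	if len(parts) != 3 || err != nil {
		return errors.New("malformed JWT")
	}
	digest := sha512.Sum384([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA384, digest[:], sig)
}

// TokenForm is the step 4 POST body; RefreshForm is the step 7 body (a fresh assertion every time).
func TokenForm(code, verifier, assertion string) url.Values {
	return url.Values{"grant_type": {"authorization_code"}, "code": {code}, "redirect_uri": {RedirectURI},
		"code_verifier": {verifier}, "client_assertion_type": {AssertionType}, "client_assertion": {assertion}}
}
func RefreshForm(refreshToken, assertion string) url.Values {
	return url.Values{"grant_type": {"refresh_token"}, "refresh_token": {refreshToken},
		"client_assertion_type": {AssertionType}, "client_assertion": {assertion}}
}

func main() { // stand-alone demo: print a step 1 URL for a freshly generated PKCE pair
	_, challenge, _ := NewPKCE()
	fmt.Println(AuthorizeURL("patient/Patient.read offline_access", "st-123", "https://fhir.example.invalid/fhir/r4", challenge))
}
```

Keep the state value and the PKCE verifier in server-side session storage keyed to the browser that started the flow, never in the redirect itself, and when the step 8 response arrives replace the stored access/refresh pair atomically, since the old refresh token is already dead.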
