We're excited to announce the release of Application Access Tokens, a powerful new authentication method for the Flexpa FHIR API that enables secure server-to-server communication for all consenting patients.
Application Access Tokens provide application-level authentication for the Flexpa FHIR API, distinct from our Patient Access Tokens, which are tied to specific patient records. This new authentication method allows developers to make API requests that aren't patient-specific, enabling more flexible integration patterns.
Built on the OAuth 2.0 Client Credentials Grant Flow, Application Access Tokens provide secure server-to-server authentication using your existing Flexpa API credentials. These tokens use the JWT format with ES256 signatures and have a 30-minute lifetime for enhanced security.
Until now, interacting with our FHIR API required Patient Access Tokens, which represent a specific patient's authorization to access their health records. While this model works well for patient-centered operations, we recognized that developers need additional flexibility for:
Application Access Tokens address these needs by providing a direct authentication method between your application servers and Flexpa's API, without the overhead of managing individual patient authorizations.
Getting started with Application Access Tokens is simple. You'll use the same Token Endpoint as you do for refreshing Patient Access Tokens, but with the Client Credentials grant type:
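// Request an Application Access Token.
// publishable_key and secret_key are your existing Flexpa API credentials;
// run this on your server so the secret key is never exposed to a browser.
const response = await fetch('https://api.flexpa.com/link/token', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    Authorization: 'Basic ' + btoa(`${publishable_key}:${secret_key}`),
  },
  body: JSON.stringify({
    grant_type: 'client_credentials',
  }),
});
// Stop here on an error response instead of sending "Bearer undefined" below.
if (!response.ok) {
  throw new Error(`Token request failed with HTTP ${response.status}`);
}
const { access_token, expires_in, token_type } = await response.json();

// Use the token for API requests
const fhirResponse = await fetch('https://api.flexpa.com/fhir/Patient', {
  headers: {
    Authorization: `Bearer ${access_token}`,
  },
});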
The response will include:
access_token: The JWT token to use for API requests
expires_in: 1800 seconds (30 minutes)
token_type: "Bearer"
We're continuously expanding the capabilities available through Application Access Tokens, including more administrative operations and system-level functionality. In the coming months, we'll be adding additional endpoints and capabilities that leverage this authentication method.
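Because a token is valid for 1800 seconds, a server can reuse it across requests instead of sending the secret key on every call. The following is an added example, not Flexpa's own code: a small cache around the token request shown earlier that renews shortly before expiry and shares one in-flight request between concurrent callers. The class name `ApplicationTokenCache`, its option names and the 60-second renewal margin are assumptions.

```javascript
// Added example (not from Flexpa): cache an Application Access Token server-side.
// TOKEN_URL and the request shape come from the announcement; the class name,
// option names and the 60-second margin are assumptions made for this sketch.
const TOKEN_URL = 'https://api.flexpa.com/link/token';

class ApplicationTokenCache {
  constructor({ publishableKey, secretKey, fetchImpl = fetch, now = Date.now, marginMs = 60_000 }) {
    this.auth = 'Basic ' + Buffer.from(`${publishableKey}:${secretKey}`).toString('base64');
    this.fetchImpl = fetchImpl; // injectable so the cache can be tested offline
    this.now = now;             // injectable clock, returns epoch milliseconds
    this.marginMs = marginMs;
    this.token = null;          // cached access_token
    this.expiresAt = 0;         // epoch ms from which the token counts as stale
    this.pending = null;        // in-flight request shared by concurrent callers
  }

  async getToken() {
    if (this.token && this.now() < this.expiresAt) return this.token;
    if (!this.pending) {
      this.pending = this.requestToken().finally(() => { this.pending = null; });
    }
    return this.pending;
  }

  async requestToken() {
    const requestedAt = this.now();
    const response = await this.fetchImpl(TOKEN_URL, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', Authorization: this.auth },
      body: JSON.stringify({ grant_type: 'client_credentials' }),
    });
    if (!response.ok) {
      // Report only the status; never log the Authorization header or the body.
      throw new Error(`token request failed with HTTP ${response.status}`);
    }
    const { access_token, expires_in, token_type } = await response.json();
    if (!access_token || String(token_type).toLowerCase() !== 'bearer' || !(expires_in > 0)) {
      throw new Error('unexpected token response');
    }
    this.token = access_token;
    // Count the lifetime from when the request was sent, minus the safety margin.
    this.expiresAt = requestedAt + expires_in * 1000 - this.marginMs;
    return this.token;
  }
}
```

Call `await cache.getToken()` immediately before each FHIR request and pass the result in the `Authorization: Bearer` header rather than storing the token elsewhere.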
If you have suggestions for specific functionality you'd like to see with Application Access Tokens, we'd love to hear from you! Reach out to our support team or your Flexpa representative with your feedback.
Get started with Application Access Tokens today and unlock more flexible integration patterns with the Flexpa FHIR API.