openapi: 3.0.3 info: title: SMART Health IT Sandbox FHIR APIs description: >- Public, free sandbox APIs operated by SMART Health IT (Computational Health Informatics Program, Boston Children's Hospital / Harvard Medical School) for building and testing SMART on FHIR apps. Three surfaces are described here. (1) The open FHIR R4 sandbox at https://r4.smarthealthit.org - synthetic patient records served over plain FHIR REST with no authentication (DSTU2 and STU3 variants exist at r2/r3.smarthealthit.org). (2) The SMART App Launcher's protected FHIR R4 proxy at https://launch.smarthealthit.org/v/r4/fhir, which requires an OAuth 2.0 access token obtained through the HL7 SMART App Launch flow at /v/r4/auth/authorize and /v/r4/auth/token (no client registration needed). (3) The reference Bulk Data server at https://bulk-data.smarthealthit.org/fhir, which implements FHIR Bulk Data $export with SMART Backend Services JWT authentication. All data is synthetic; these servers are for development and testing, never real PHI. version: '1.0' contact: name: SMART Health IT url: https://smarthealthit.org license: name: Apache 2.0 url: https://github.com/smart-on-fhir/smart-launcher-v2/blob/main/LICENSE externalDocs: description: SMART on FHIR developer documentation url: https://docs.smarthealthit.org servers: - url: https://r4.smarthealthit.org description: Open FHIR R4 sandbox (no authentication required) - url: https://launch.smarthealthit.org/v/r4/fhir description: SMART App Launcher protected FHIR R4 proxy (SMART App Launch OAuth 2.0) - url: https://bulk-data.smarthealthit.org/fhir description: Reference Bulk Data server (SMART Backend Services authentication) tags: - name: Conformance description: Server capability discovery. - name: Patients description: Synthetic patient demographic records. - name: Clinical Records description: Observations, conditions, medications, encounters, allergies, and immunizations. - name: SMART App Launch description: OAuth 2.0 authorization endpoints on the SMART App Launcher. - name: Bulk Data description: FHIR Bulk Data $export operations on the reference Bulk Data server. paths: /metadata: get: operationId: getCapabilityStatement tags: - Conformance summary: Retrieve the FHIR CapabilityStatement description: >- Returns the server's FHIR R4 CapabilityStatement. On the launcher proxy the security section advertises the OAuth2 SMART-on-FHIR service with authorize, token, and introspect extension URIs. security: [] responses: '200': description: The server CapabilityStatement. content: application/fhir+json: schema: $ref: '#/components/schemas/FhirResource' /Patient: get: operationId: searchPatients tags: - Patients summary: Search patients description: >- Searches synthetic Patient resources. Supports standard FHIR search parameters such as name, birthdate, gender, and _count. Returns a searchset Bundle. parameters: - $ref: '#/components/parameters/Count' - name: name in: query description: Match on patient name parts. schema: type: string - name: birthdate in: query description: Match on date of birth (supports FHIR date prefixes such as ge/le). schema: type: string - name: gender in: query description: Administrative gender code. schema: type: string responses: '200': description: A searchset Bundle of Patient resources. content: application/fhir+json: schema: $ref: '#/components/schemas/Bundle' /Patient/{id}: get: operationId: getPatient tags: - Patients summary: Read a patient description: Reads a single synthetic Patient resource by logical id. parameters: - $ref: '#/components/parameters/ResourceId' responses: '200': description: The requested Patient resource. content: application/fhir+json: schema: $ref: '#/components/schemas/FhirResource' '404': $ref: '#/components/responses/NotFound' /Observation: get: operationId: searchObservations tags: - Clinical Records summary: Search observations description: >- Searches Observation resources - vital signs, lab results, and other measurements - typically scoped to a patient with the patient search parameter and filtered by category or code. parameters: - $ref: '#/components/parameters/Patient' - $ref: '#/components/parameters/Count' - name: category in: query description: Observation category (for example vital-signs or laboratory). schema: type: string - name: code in: query description: LOINC or other code identifying the observation. schema: type: string responses: '200': description: A searchset Bundle of Observation resources. content: application/fhir+json: schema: $ref: '#/components/schemas/Bundle' /Condition: get: operationId: searchConditions tags: - Clinical Records summary: Search conditions description: Searches Condition resources (problems and diagnoses) for a patient. parameters: - $ref: '#/components/parameters/Patient' - $ref: '#/components/parameters/Count' responses: '200': description: A searchset Bundle of Condition resources. content: application/fhir+json: schema: $ref: '#/components/schemas/Bundle' /MedicationRequest: get: operationId: searchMedicationRequests tags: - Clinical Records summary: Search medication requests description: Searches MedicationRequest resources (prescriptions and medication orders) for a patient. parameters: - $ref: '#/components/parameters/Patient' - $ref: '#/components/parameters/Count' responses: '200': description: A searchset Bundle of MedicationRequest resources. content: application/fhir+json: schema: $ref: '#/components/schemas/Bundle' /Encounter: get: operationId: searchEncounters tags: - Clinical Records summary: Search encounters description: Searches Encounter resources (visits and admissions) for a patient. parameters: - $ref: '#/components/parameters/Patient' - $ref: '#/components/parameters/Count' responses: '200': description: A searchset Bundle of Encounter resources. content: application/fhir+json: schema: $ref: '#/components/schemas/Bundle' /AllergyIntolerance: get: operationId: searchAllergyIntolerances tags: - Clinical Records summary: Search allergies and intolerances description: Searches AllergyIntolerance resources for a patient. parameters: - $ref: '#/components/parameters/Patient' - $ref: '#/components/parameters/Count' responses: '200': description: A searchset Bundle of AllergyIntolerance resources. content: application/fhir+json: schema: $ref: '#/components/schemas/Bundle' /Immunization: get: operationId: searchImmunizations tags: - Clinical Records summary: Search immunizations description: Searches Immunization resources (vaccination history) for a patient. parameters: - $ref: '#/components/parameters/Patient' - $ref: '#/components/parameters/Count' responses: '200': description: A searchset Bundle of Immunization resources. content: application/fhir+json: schema: $ref: '#/components/schemas/Bundle' /DocumentReference: get: operationId: searchDocumentReferences tags: - Clinical Records summary: Search document references description: Searches DocumentReference resources (clinical notes and documents) for a patient. parameters: - $ref: '#/components/parameters/Patient' - $ref: '#/components/parameters/Count' responses: '200': description: A searchset Bundle of DocumentReference resources. content: application/fhir+json: schema: $ref: '#/components/schemas/Bundle' /auth/authorize: servers: - url: https://launch.smarthealthit.org/v/r4 description: SMART App Launcher R4 base (auth endpoints are siblings of /fhir) get: operationId: smartAuthorize tags: - SMART App Launch summary: SMART App Launch authorization endpoint (launcher only) description: >- OAuth 2.0 authorization endpoint on the SMART App Launcher, located at https://launch.smarthealthit.org/v/r4/auth/authorize (a sibling of the /fhir base, so this path carries its own server). Initiates the SMART App Launch authorization code flow with PKCE, accepting standard OAuth parameters plus SMART launch context (launch, aud/aud-validated FHIR base, and clinical scopes such as patient/*.read, launch/patient, openid, and fhirUser). No client registration is required on the sandbox. security: [] parameters: - name: response_type in: query required: true schema: type: string enum: - code - name: client_id in: query required: true schema: type: string - name: redirect_uri in: query required: true schema: type: string - name: scope in: query required: true description: Space-separated SMART scopes, for example "launch/patient patient/*.read openid fhirUser". schema: type: string - name: state in: query required: true schema: type: string - name: aud in: query required: true description: The FHIR base URL the token will be used against. schema: type: string responses: '302': description: Redirects back to the app's redirect_uri with an authorization code. /auth/token: servers: - url: https://launch.smarthealthit.org/v/r4 description: SMART App Launcher R4 base (auth endpoints are siblings of /fhir) post: operationId: smartToken tags: - SMART App Launch summary: SMART App Launch token endpoint (launcher only) description: >- OAuth 2.0 token endpoint on the SMART App Launcher, located at https://launch.smarthealthit.org/v/r4/auth/token. Exchanges an authorization code (with PKCE verifier) for an access token carrying SMART launch context (patient, encounter, fhirUser), or accepts a SMART Backend Services client_credentials grant with a signed JWT client assertion. security: [] requestBody: required: true content: application/x-www-form-urlencoded: schema: type: object properties: grant_type: type: string enum: - authorization_code - client_credentials - refresh_token code: type: string redirect_uri: type: string code_verifier: type: string client_assertion_type: type: string client_assertion: type: string scope: type: string responses: '200': description: An access token response with SMART context parameters. content: application/json: schema: type: object properties: access_token: type: string token_type: type: string expires_in: type: integer scope: type: string patient: type: string description: Patient id in context, when launch/patient was granted. encounter: type: string id_token: type: string /$export: servers: - url: https://bulk-data.smarthealthit.org/fhir description: Reference Bulk Data server get: operationId: bulkSystemExport tags: - Bulk Data summary: Start a system-level bulk export (Bulk Data server only) description: >- Kicks off an asynchronous export of all resources on the reference Bulk Data server (https://bulk-data.smarthealthit.org/fhir). Requires the Prefer respond-async header and a SMART Backend Services access token. Responds 202 with a Content-Location status URL to poll (honor Retry-After); when complete, the status endpoint returns a manifest of NDJSON file URLs to download. parameters: - $ref: '#/components/parameters/OutputFormat' - $ref: '#/components/parameters/Type' - $ref: '#/components/parameters/Since' responses: '202': description: Export accepted; poll the Content-Location URL for status. headers: Content-Location: description: Absolute URL of the export status endpoint. schema: type: string '401': $ref: '#/components/responses/Unauthorized' /Patient/$export: servers: - url: https://bulk-data.smarthealthit.org/fhir description: Reference Bulk Data server get: operationId: bulkPatientExport tags: - Bulk Data summary: Start a patient-level bulk export (Bulk Data server only) description: >- Kicks off an asynchronous export of all data for all patients on the reference Bulk Data server, following the same async-request pattern as the system-level export. parameters: - $ref: '#/components/parameters/OutputFormat' - $ref: '#/components/parameters/Type' - $ref: '#/components/parameters/Since' responses: '202': description: Export accepted; poll the Content-Location URL for status. headers: Content-Location: schema: type: string '401': $ref: '#/components/responses/Unauthorized' /Group/{id}/$export: servers: - url: https://bulk-data.smarthealthit.org/fhir description: Reference Bulk Data server get: operationId: bulkGroupExport tags: - Bulk Data summary: Start a group-level bulk export (Bulk Data server only) description: >- Kicks off an asynchronous export of all data for the patients in a Group on the reference Bulk Data server. parameters: - $ref: '#/components/parameters/ResourceId' - $ref: '#/components/parameters/OutputFormat' - $ref: '#/components/parameters/Type' - $ref: '#/components/parameters/Since' responses: '202': description: Export accepted; poll the Content-Location URL for status. headers: Content-Location: schema: type: string '401': $ref: '#/components/responses/Unauthorized' components: parameters: ResourceId: name: id in: path required: true description: The logical id of the resource. schema: type: string Patient: name: patient in: query description: Scope the search to a patient, for example "Patient/123" or "123". schema: type: string Count: name: _count in: query description: Maximum number of entries per page of the returned Bundle. schema: type: integer OutputFormat: name: _outputFormat in: query description: Requested bulk output format; defaults to application/fhir+ndjson. schema: type: string Type: name: _type in: query description: Comma-separated FHIR resource types to include in the export. schema: type: string Since: name: _since in: query description: Only include resources modified after this instant. schema: type: string format: date-time responses: NotFound: description: No resource exists with the given id. content: application/fhir+json: schema: $ref: '#/components/schemas/OperationOutcome' Unauthorized: description: Missing or invalid access token (protected servers only). content: application/fhir+json: schema: $ref: '#/components/schemas/OperationOutcome' schemas: FhirResource: type: object description: Any FHIR R4 resource, identified by its resourceType element. properties: resourceType: type: string id: type: string additionalProperties: true Bundle: type: object description: A FHIR R4 searchset Bundle. properties: resourceType: type: string enum: - Bundle type: type: string total: type: integer link: type: array items: type: object properties: relation: type: string url: type: string entry: type: array items: type: object properties: fullUrl: type: string resource: $ref: '#/components/schemas/FhirResource' OperationOutcome: type: object description: A FHIR OperationOutcome describing an error. properties: resourceType: type: string enum: - OperationOutcome issue: type: array items: type: object properties: severity: type: string code: type: string diagnostics: type: string securitySchemes: smartOnFhir: type: oauth2 description: >- HL7 SMART App Launch OAuth 2.0 profile, used by the launcher's protected FHIR proxy. The open r4.smarthealthit.org sandbox requires no authentication; the Bulk Data server uses SMART Backend Services (client_credentials with a signed JWT assertion). flows: authorizationCode: authorizationUrl: https://launch.smarthealthit.org/v/r4/auth/authorize tokenUrl: https://launch.smarthealthit.org/v/r4/auth/token scopes: openid: OpenID Connect identity. fhirUser: Identity of the launching user as a FHIR resource. launch/patient: Request a patient in context at launch. patient/*.read: Read all resources for the patient in context. user/*.read: Read all resources the user can access. system/*.read: Backend services system-level read access. clientCredentials: tokenUrl: https://launch.smarthealthit.org/v/r4/auth/token scopes: system/*.read: Backend services system-level read access. security: - smartOnFhir: [] - {}