FHIR R4 API for Patient &
Population Services
AllegianceMD's veracity standardized FHIR R4 API enables secure, interoperable access to patient health data through OAuth 2.0 and SMART-on-FHIR protocols.
Service Base URL
Production FHIR R4 endpoint and server metadata
FHIR R4 Base URL
https://fhir.allegiancemd.io/R4CapabilityStatement (metadata)
https://fhir.allegiancemd.io/R4/metadataDeveloper / Application Registration
How to register your application and obtain OAuth credentials
Registration Portal
Registration Procedure for Patient-Facing Applications
Register the application. Store your OAuth credentials securely (do not embed secrets in client-side code).
AllegianceMD will verify and approve the application.
After approval, it will be listed and activated across all clinics by default, except where a clinic opts out.
Registration Procedure for Clinical User-Facing Applications
Register the application. Store your OAuth credentials securely (do not embed secrets in client-side code).
AllegianceMD will review and approve the application.
After approval, it will be listed on the app gallery.
system-to-system (B2B) Registration Process
Contact the healthcare organization (PHI Provider) that uses Veracity as their EMR.
The Provider supplies a registration link and reviews your request.
The Provider approves or denies your registration.
If approved, your application receives OAuth client credentials (client_id and, when applicable, client_secret).
Application Verification & Transparency
Non-discriminatory verification process in accordance with the 21st Century Cures Act and 45 CFR § 170.315(g)(10), and the information blocking regulations and exceptions at 45 CFR Part 171 · Last updated February 9, 2026
In accordance with the 21st Century Cures Act and 45 CFR § 170.315(g)(10), AllegianceMD is committed to a transparent, objective, and non-discriminatory process for verifying third-party applications. We verify applications solely to ensure the security of our platform and the privacy of the patients served by our providers.
1. Verification Scope & Timeline
AllegianceMD reviews all registration requests within 10 business days after receipt of complete submission materials. Our review is limited to technical conformance and security safety. We do not evaluate an application's business model, clinical utility, or competitive status.
2. Technical Conformance Criteria
To be verified for production use, applications must meet the following objective standards:
| Criterion | Requirement |
|---|---|
| Identity | Developers must provide verifiable identity (e.g., EIN, state registration, or equivalent documentation). |
| Individual Pathway | For independent developers, a government-issued ID or equivalent identity verification documentation, plus a verified permanent address. |
| Protocol | Full support for SMART-on-FHIR (v2.0.0) and OpenID Connect. |
| Security | Mandatory use of PKCE (Proof Key for Code Exchange) for public/mobile clients. |
| Credential Safety | Applications are strictly prohibited from requesting or storing EHR user credentials (password harvesting). |
3. Privacy & Disclosure Requirements
We do not "approve" a developer's privacy practices, but we require transparency so users can make informed choices. All applications must:
| Requirement | Details |
|---|---|
| Privacy Policy | Provide a publicly accessible Privacy Policy and Terms of Service. |
| Data Practices Disclosure | Disclose retention, sharing, and revocation practices in a clear, user-accessible manner (e.g., in-app and/or prior to authorization). |
4. Performance & Fair Use Standards
To ensure the stability of the healthcare environment, all API clients must adhere to our published rate limits.
| Parameter | Value |
|---|---|
| Standard Limit | 60 requests per minute per user session |
| Throttle Response | Clients must support 429 Too Many Requests status codes and implement exponential backoff. |
| DoS Protection | AllegianceMD may temporarily suspend or throttle API access to the minimum extent necessary to mitigate an active security or performance threat and will restore access once mitigated. |
5. Non-Discrimination & Appeals
If an application fails verification, AllegianceMD will provide a written Notice of Non-Conformance detailing the specific technical criteria that were not met. Developers are invited to remediate the issues and re-submit for verification at no additional cost. We will respond to resubmissions within 5 business days.
Standards & Technology
Underlying specifications and protocols
| Component | Standard |
|---|---|
| FHIR Version | HL7 FHIR R4 (4.0.x) |
| Transport | HTTPS / TLS |
| Authorization | OAuth 2.0 (SMART-on-FHIR authorization model) |
Authorization header.OAuth 2.0 Grant Types
Supported authorization flows for application access
| Grant Type | Use Case | Client Type |
|---|---|---|
| Authorization Code | User-facing applications (patient/provider portals, mobile apps) | Public or Confidential |
| Client Credentials | Approved system-to-system integrations (backend services) | Confidential |
Public vs. Confidential Clients
Confidential clients (able to securely store secrets) may be issued a client_secret for use in authorization grants and token requests.
Public clients (unable to securely store secrets, e.g., native/mobile apps) are not issued a client_secret. They use the Authorization Code flow with PKCE as required by RFC 7636.
Refresh Tokens
Client apps using the authorization code flow may request refresh tokens by including the offline_access scope. Refresh token lifetime defaults to 90 days. Each refresh token may be used once; a replacement is issued upon use. Refresh tokens are not issued for client credentials flows.
SMART Configuration Discovery
Discover OAuth endpoints and SMART capabilities programmatically
https://fhir.allegiancemd.io/R4/.well-known/smart-configurationThis endpoint returns a JSON document containing the authorization_endpoint, token_endpoint, supported capabilities, token auth methods, scopes, grant types, and PKCE code challenge methods.
# Retrieve SMART configuration
curl -s -H "Accept: application/json" \
https://fhir.allegiancemd.io/R4/.well-known/smart-configuration | python -m json.toolAuthentication, Authorization & Scopes
User authentication and scope configuration
User Authentication
For authorization code flows, end users authenticate using credentials provided by the PHI Provider. Organizations may re-use existing patient portal or EHR credentials, mapping the authenticated user to a unique patient portal or EHR account.
Scopes
Your application requests scopes during the OAuth authorization step. Supported scopes depend on Provider configuration and the access context (patient, workforce, or system level).
Offline Access
Apps that can securely store refresh tokens may request the offline_access scope to receive a long-lived refresh token, subject to user and Provider approval.
API Documentation & Reference
Interactive tools and human-readable documentation
| Resource | URL |
|---|---|
| API Documentation | allegiancemd.com/fhir/api-doc.html |
Terms of Use
Developer agreement and usage terms
All developers must agree to the Application Access Developer Agreement prior to integration.
Support & Change Management
Getting help and staying up to date
Support & Onboarding
Start with the PHI Provider that granted your application access. The Provider administers your registration and user provisioning and can coordinate escalation to AllegianceMD as needed.
Change Management
Integrations should be designed to tolerate routine platform updates. Where changes affect API compatibility, monitor the published documentation and the /metadata CapabilityStatement for current behavior and supported features.
Quick Start — Developer Checklist
Get up and running in 5 steps
Register your application
https://fhir-register.allegiancemd.comObtain OAuth client details — client_id and client_secret (if applicable).
Discover SMART endpoints
https://fhir.allegiancemd.io/R4/.well-known/smart-configurationPerform OAuth flow — Authorization Code or Client Credentials as approved.
Call the FHIR server
https://fhir.allegiancemd.io/R4/metadatahttps://fhir.allegiancemd.io/R4/Patient/{id}Appendix A.1 — CapabilityStatement
Live, authoritative conformance declaration for the FHIR R4 server
https://fhir.allegiancemd.io/R4/metadataKey Fields
| Field | Description |
|---|---|
fhirVersion | Supported FHIR version |
rest[].resource[].type | Supported resource types |
rest[].resource[].interaction[].code | Interactions per resource (read, search-type, vread, etc.) |
rest[].resource[].searchParam[] | Supported search parameters (name, type, docs) |
rest[].resource[].operation[] | Resource-level operations ($) |
format | Supported MIME types (json, xml) |
List Supported Resource Types
# Retrieve and list all supported resource types
curl -s -H "Accept: application/fhir+json" \
https://fhir.allegiancemd.io/R4/metadata \
| python - <<'PY'
import json, sys
cs = json.load(sys.stdin)
types = set()
for rest in cs.get("rest", []):
for r in rest.get("resource", []):
t = r.get("type")
if t: types.add(t)
for t in sorted(types): print(t)
PYList Interactions Per Resource
# List interactions available for each resource type
curl -s -H "Accept: application/fhir+json" \
https://fhir.allegiancemd.io/R4/metadata \
| python - <<'PY'
import json, sys
cs = json.load(sys.stdin)
for rest in cs.get("rest", []):
for r in rest.get("resource", []):
rtype = r.get("type")
interactions = [i.get("code") for i in r.get("interaction", []) if i.get("code")]
if rtype:
print(f"{rtype}: {', '.join(interactions)}")
PY/metadata response may vary by deployment configuration. Treat it as the authoritative source of truth at connection time. If the server requires authorization for /metadata, supply an access token in the Authorization header.Appendix A.2 — SMART Discovery
Programmatic discovery of SMART-on-FHIR endpoints and capabilities
https://fhir.allegiancemd.io/R4/.well-known/smart-configurationTypical Response Fields
| Field | Description |
|---|---|
authorization_endpoint | URL for user authorization |
token_endpoint | URL for token exchange |
capabilities | SMART capabilities list |
token_endpoint_auth_methods_supported | Supported token auth methods |
scopes_supported | Published scopes (where available) |
grant_types_supported | Published grant types (where available) |
code_challenge_methods_supported | PKCE methods (S256) |
# Pretty-print SMART configuration
curl -s -H "Accept: application/json" \
https://fhir.allegiancemd.io/R4/.well-known/smart-configuration | python -m json.toolAppendix A.3 — PKCE Requirement
Proof Key for Code Exchange for authorization code flows
If your application uses the authorization code flow, PKCE is required. Use the S256 code challenge method as defined by RFC 7636.
| Step | Parameter | Sent With |
|---|---|---|
| Authorization Request | code_challenge | Authorization endpoint |
| Token Request | code_verifier | Token endpoint |
Appendix A.4 — Error Handling
HTTP status codes and OperationOutcome responses
Errors are returned as standard HTTP status codes. For FHIR-level processing errors, the server may return an OperationOutcome resource with details in the issue[] element.
Always Log
| Item | Details |
|---|---|
| HTTP Status | 401, 403, 400, 500, etc. |
| Response Headers | Including correlation / request IDs if present |
OperationOutcome.issue[] | Severity, code, diagnostics text |
Appendix A.5 — Rate Limiting / Fair Use
Handling throttling and retry behavior
If rate limits are applied, clients should honor server responses and implement exponential backoff for retryable failures. Providers may apply additional contractual or operational controls consistent with the published Terms of Use.
Appendix B — Request Examples
Minimum request examples for FHIR + OAuth
FHIR Request (Bearer Token Required)
GET https://fhir.allegiancemd.io/R4/Patient/{id}
Authorization: Bearer <access_token>
Accept: application/fhir+jsonCapabilityStatement Request
GET https://fhir.allegiancemd.io/R4/metadata
Accept: application/fhir+jsonSMART Config Request
GET https://fhir.allegiancemd.io/R4/.well-known/smart-configuration
Accept: application/json