Understanding SMART on FHIR

Last updated: Oct 30, 2025

Redox supports app launch from an EHR system by combining single sign-on (SSO) and any subsequent API requests in a single session. Learn more about handling app launch.

SMART on FHIR® is one of the supported authentication standards to accomplish the app launch workflow. Learn more about SMART App Launch.

Benefits of using the SMART on FHIR® standard

We make developing SMART apps easy by providing:

  • OAuth normalization: Redox handles minor differences in OAuth implementations.
  • Access token storage: Redox stores and automatically refreshes access tokens for you.
  • Decoupling of SSO and FHIR® API: Use SSO with SAML, SMART, or any number of other SSO schemes.

Using SMART apps with Redox allows you to quickly integrate with new EHR systems with minimal code changes.

Flow for SMART on FHIR® app launch

Follow the outline below to see how app launch works with SMART on FHIR®:

  1. Either the patient or a provider initiates an app launch from the EHR system.
  2. The launch URL is a Redox URL. Redox uses it to look up your Redox organization, then redirects the request to the authorization server.
  3. The authorization server prompts the patient or provider to authorize your app—not Redox—to access the relevant data.
  4. The patient or provider is redirected back to Redox.
  5. Redox requests an access token and stores it securely.
  6. Redox sends an SSO message to an SSO destination in your Redox organization. Refer to the SSO data model schema.
  7. Your destination records the session ID and either redirects to a static page or initiates SSO.
  8. Redox redirects the client as appropriate.
  9. When additional FHIR® API requests are made, they should include the session ID so that the access token from step #5 is used.

Registering your app

To use SMART apps with Redox, you must first register your app with a provider that supports SMART. Redox is compatible with any OAuth or OpenID Connect provider.

Then, check out these sandbox environments that work with Redox:

Redirect URL

Each vendor requires different information, but one requirement for any FHIR® API request is to include the callback/redirect URL: https://launch.redoxengine.com/redirect. Essentially, this tells the authorization service that it’s okay for Redox to handle the app launch with SMART on FHIR®.

Your SSO destination

For Redox to handle authorization and access tokens on your behalf, you must have an SSO destination in your Redox organization, even if you don’t have an app component. Redox generates and sends a unique session ID that you use with any FHIR® requests to Redox.

The SSO data model contains the following fields:

| Field | Description |
| --- | --- |
| Meta.SessionID | A unique session ID that you must append to the FHIR® base URL for any FHIR® requests during the session. |
| Meta.SessionBaseURL | The FHIR® base URL to use for any FHIR® requests during the session. |

Example: SSO data model

```json
{
  "Meta": {
    "DataModel": "SSO",
    "EventType": "Sign-on",
    "Source": {
      "ID": "7ce6f387-c33c-417d-8682-81e83628cbd9",
      "Name": "Redox Dev Tools"
    },
    "SessionID": "abcdefghijklmnop",
    "SessionBaseURL": "https://api.redoxengine.com/fhir/R4/redox-fhir-sandbox/Development",
    ...
  }
}
```

Here’s an example of performing a patient search to the Redox FHIR® sandbox URL using SSO:

Example: Patient search with SSO

```bash
# Double quotes so the shell expands $API_TOKEN; inside single quotes the literal text "$API_TOKEN" is sent.
curl 'https://api.redoxengine.com/fhir/R4/redox-fhir-sandbox/Development/Patient/_search?_redox_session=abcdefghijklmnop' \
  --request POST \
  --header "Authorization: Bearer $API_TOKEN" \
  --header 'Content-Type: application/x-www-form-urlencoded'
```
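
One way an SSO destination could handle the message before making FHIR® requests, as an added example that is not Redox's code: it reads `Meta.SessionID` and `Meta.SessionBaseURL`, refuses a base URL that is not HTTPS on an expected host (the bearer token is sent there), and builds the request URL with the `_redox_session` parameter properly encoded. The host allowlist, function names, and sample message are assumptions made for illustration.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: the only host this integration expects in Meta.SessionBaseURL.
ALLOWED_FHIR_HOSTS = {"api.redoxengine.com"}

# Constructed sample, trimmed from the SSO data model example on this page.
SAMPLE_SSO = json.dumps({"Meta": {
    "DataModel": "SSO", "EventType": "Sign-on",
    "SessionID": "abcdefghijklmnop",
    "SessionBaseURL": "https://api.redoxengine.com/fhir/R4/redox-fhir-sandbox/Development",
}})


class SSOMessageError(Exception):
    """Raised when an SSO message cannot safely start a session."""


def session_from_sso(raw_body: str) -> tuple[str, str]:
    """Return (session_id, base_url) from an SSO message, or raise SSOMessageError."""
    try:
        meta = json.loads(raw_body)["Meta"]
        session_id, base_url = meta["SessionID"], meta["SessionBaseURL"]
        parts = urlsplit(base_url)
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        raise SSOMessageError("malformed SSO message") from exc
    if meta.get("DataModel") != "SSO" or not isinstance(session_id, str) or not session_id:
        raise SSOMessageError("not a usable SSO message")
    # The API token travels to this URL: require HTTPS, a known host, no userinfo.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_FHIR_HOSTS or parts.username:
        raise SSOMessageError("untrusted SessionBaseURL")
    return session_id, base_url.rstrip("/")


def fhir_url(session_id: str, base_url: str, path: str) -> str:
    """Build a FHIR request URL that carries the session as _redox_session."""
    parts = urlsplit(f"{base_url}/{path.lstrip('/')}")
    # Drop any caller-supplied _redox_session so exactly one value is sent.
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != "_redox_session"]
    query.append(("_redox_session", session_id))  # urlencode escapes the value
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    sid, base = session_from_sso(SAMPLE_SSO)
    print(fhir_url(sid, base, "Patient/_search"))
```

The session ID selects a stored access token, so treat it like a credential: keep it out of application logs and tie it to the user session that received it.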