Drs® Enterprise - FHIR®© API Documentation

Client Access

Client access to the Drs® FHIR API requires that the client request credentials (user name and password) from the provider from which they intend to pull information.

The client would contact their provider and ask their Drs® system administrator to add a FHIR user account to Drs® Enterprise.

Once the credentials are obtained, the client developer would then pass the user name and password values to the following connection properties within their client application:

HTTPRequest.Username
HTTPRequest.Password

These values will then be used in every REST request to the Drs® FHIR Service.

Session Token

Client access to the Drs® FHIR API also requires that the client request a session access token from the Drs® FHIR service.
This is achieved by using the following REST call:

https://<hosturl>/FHIR/<databasename>/RequestToken

Simply stated, authentication and authorization work as follows:

1. The client requests a session access token from the FHIR service. To do this, the client must also pass valid authentication (login) credentials. If authentication fails, the client is notified with an "HTTP 401: Unauthorized" message.

2. If authentication is successful, the client is returned a session access token by the FHIR service.
 
3. The default session length is 600 seconds (10 minutes).

4. The session list is checked once every 5 seconds. If a session's ExpiryDateTime property is earlier than the time at which the service checks it, the session is removed from the list. If the client makes an API request after the token expires, they will receive an "HTTP 401: Not Authorized: Session Ended or Does Not Exist." message. They must then request a new token.

5. In order to prevent the same user requesting multiple sessions, the FHIR service checks for the existence of a session that is:
  a) Still active
  b) Belongs to the user that is requesting the token.
When a client requests a new session access token, if an active session is found for that client, the FHIR service does not return a new session token but allows the client to utilize the currently active session that belongs to the client.

7. If a client requests a session access token and the FHIR service has reached its designated maximum number of active sessions, the client will receive an "HTTP 503: Service Unavailable. Maximum session count has been reached. Please try again later." message.
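
The session rules listed above can be modelled in a few lines to see how the 401, session-reuse and 503 cases interact. This is an added example, not Drs® code: the class, method and parameter names, the token format, the 200 success status and the choice to count only unexpired sessions toward the maximum are all assumptions.

```python
# Added illustration: an in-memory model of the session rules described above.
# Not Drs code; every name below is hypothetical.
import secrets
from datetime import datetime, timedelta

SESSION_SECONDS = 600  # default session length stated on the page
SWEEP_SECONDS = 5      # interval at which the page says the list is checked


class SessionList:
    def __init__(self, max_sessions):
        self.max_sessions = max_sessions  # the page gives no value; caller chooses
        self.sessions = {}                # token -> (user, ExpiryDateTime)

    def sweep(self, now):
        """Periodic check: remove sessions whose ExpiryDateTime is before now."""
        self.sessions = {t: (u, exp) for t, (u, exp) in self.sessions.items()
                         if exp >= now}

    def request_token(self, user, authenticated, now):
        """Return (status, token) following steps 1, 2, 5 and 7."""
        if not authenticated:
            return 401, None              # failed login
        for token, (owner, exp) in self.sessions.items():
            if owner == user and exp >= now:
                return 200, token         # reuse the user's active session
        # Assumption: only unexpired sessions count toward the maximum.
        active = sum(1 for _, exp in self.sessions.values() if exp >= now)
        if active >= self.max_sessions:
            return 503, None              # maximum session count reached
        token = secrets.token_urlsafe(32)  # constructed token format
        expiry = now + timedelta(seconds=SESSION_SECONDS)
        self.sessions[token] = (user, expiry)
        return 200, token

    def api_request(self, token, now):
        """Step 4: an expired or unknown token is answered with 401."""
        entry = self.sessions.get(token)
        if entry is None or entry[1] < now:
            return 401
        return 200
```

A client written against these rules treats a 401 on an API call as the signal to request a new token, and a 503 on RequestToken as a condition to retry later rather than as a credential failure.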