OAuth 2.0 is an authorization framework—not an authentication protocol—that issues access tokens to third-party clients with the resource owner's explicit approval. It separates the client's role from the resource owner's, allowing a user to grant a SMART on FHIR application scoped access to their electronic health records without sharing their EHR password. The framework defines four grant types: authorization code, implicit, resource owner password credentials, and client credentials, each suited to different trust scenarios.
Glossary
OAuth 2.0

What is OAuth 2.0?
OAuth 2.0 is an industry-standard authorization framework that enables a third-party application to obtain limited access to an HTTP service on behalf of a resource owner without exposing user credentials.
In healthcare interoperability, OAuth 2.0 serves as the security backbone for SMART on FHIR applications, enforcing scoped access where a token might permit reading only medication data while blocking access to sensitive notes. The authorization server issues JSON Web Tokens with defined scopes and expiration times, ensuring that a clinical app's access is both limited in breadth and time-bound. This delegation mechanism eliminates the anti-pattern of credential sharing, maintaining audit integrity and HIPAA compliance across federated health information exchanges.
Core Characteristics of OAuth 2.0
OAuth 2.0 is an industry-standard protocol for authorization that decouples the client application from the resource owner's credentials, enabling secure, limited access delegation. It is the foundational security layer for modern API ecosystems, including SMART on FHIR.
Delegated Authorization, Not Authentication
OAuth 2.0 is fundamentally an authorization framework, not an authentication protocol. It grants a third-party application scoped access to a protected resource on behalf of a resource owner without exposing the owner's long-term credentials (username/password).
- Analogy: A valet key for a car. The valet can drive the car (limited access) but cannot open the trunk or glove box (restricted scope) and does not possess the owner's master key.
- Mechanism: The client obtains an access token—a string representing a specific grant—rather than handling raw credentials.
- Critical Distinction: While often used with authentication protocols like OpenID Connect (OIDC), OAuth 2.0 itself answers "What is this client allowed to do?" not "Who is the user?"
Four Primary Grant Types
The OAuth 2.0 framework defines distinct authorization grant types to accommodate different client types and security postures. Each flow is optimized for a specific use case.
- Authorization Code Grant: The most secure server-side flow. The client exchanges an intermediary authorization code for an access token, keeping the token away from the user-agent (browser). Required for SMART on FHIR confidential clients.
- Client Credentials Grant: Used for machine-to-machine (M2M) communication where no user is involved. The client authenticates directly using its
client_idandclient_secret. - Device Authorization Grant: Designed for input-constrained devices (e.g., smart TVs, IoT medical devices) that lack a browser. The user authorizes the device on a secondary screen via a user code.
- Refresh Token Grant: Allows a client to obtain a new access token without re-prompting the user, using a long-lived, revocable refresh token.
Scoped Access Control
Access tokens are minted with a specific, limited scope that defines the exact permissions the client possesses. This enforces the principle of least privilege.
- Mechanism: The authorization server presents a list of scopes during the consent screen. The resource server validates the token's scope against the requested action.
- SMART on FHIR Scopes: SMART defines granular clinical scopes like
patient/Observation.readoruser/MedicationRequest.write. - Example: A scheduling app might receive a token scoped for
patient/Appointment.readandpatient/Appointment.write, but it cannot read sensitivepatient/Observationdata (lab results). - Token Introspection: Resource servers can call the introspection endpoint (RFC 7662) to verify if a token is active and what scopes it carries.
Bearer Token Usage and Security
OAuth 2.0 primarily uses Bearer tokens—a type of access token where possession of the token is sufficient to gain access. This simplicity requires strict transport-level security.
- Usage: The client presents the token in the
Authorization: Bearer <token>HTTP header. - Security Constraint: Bearer tokens MUST only be transmitted over TLS (HTTPS) to prevent eavesdropping and man-in-the-middle attacks.
- Validation: Resource servers validate the token's signature (if a JWT) or call the introspection endpoint on every request.
- Mitigation: Short token lifetimes (e.g., 5 minutes) and refresh token rotation limit the blast radius of a leaked bearer token.
Client Registration and Authentication
Before initiating any flow, the client application must be registered with the authorization server to establish a trusted identity.
- Registration: The developer provides application metadata (name, redirect URIs) and receives a
client_idand, for confidential clients, aclient_secret. - Confidential vs. Public Clients:
- Confidential Client: A server-side web app capable of securely storing a secret. Authenticates using
client_secret_postorprivate_key_jwt. - Public Client: A native mobile or single-page app unable to protect a secret. Must use PKCE (Proof Key for Code Exchange) to prevent authorization code interception.
- Confidential Client: A server-side web app capable of securely storing a secret. Authenticates using
- SMART on FHIR Requirement: SMART mandates asymmetric client authentication using JSON Web Keys (JWK) for higher assurance, moving beyond shared secrets.
Token Revocation and Lifecycle
OAuth 2.0 provides mechanisms to terminate access before a token's natural expiration, which is critical for user logout and security incident response.
- Token Revocation Endpoint (RFC 7009): Allows a client to signal to the authorization server that a specific access or refresh token should be invalidated immediately.
- Use Cases:
- User-initiated logout in a SMART on FHIR app.
- Detecting a compromised refresh token.
- Revoking consent for a specific application.
- Propagation: Revocation is not instantaneous across distributed systems; resource servers should rely on short-lived access tokens and frequent introspection to enforce revocation quickly.
Frequently Asked Questions
Clear, technical answers to the most common questions about implementing the OAuth 2.0 authorization framework within clinical workflows and SMART on FHIR environments.
OAuth 2.0 is an industry-standard authorization framework that enables a third-party application to obtain limited access to an HTTP service on behalf of a resource owner without exposing user credentials. The framework operates through a delegation flow where a resource owner (e.g., a clinician) authorizes a client application (e.g., a SMART on FHIR app) to access protected resources (e.g., patient records on a FHIR server) hosted by a resource server. The core mechanism involves the issuance of an access token—a cryptographically signed string representing the granted permissions—by an authorization server after successful authentication. The client presents this token to the resource server, which validates it before serving data. This decouples authentication from authorization, ensuring that the client never sees the user's password. Key flows include:
- Authorization Code Grant: The most secure flow, using a front-channel redirect to obtain a one-time code exchanged for tokens on a back-channel.
- Client Credentials Grant: Used for machine-to-machine communication where no user is involved.
- Refresh Token: A long-lived credential used to obtain new access tokens silently, avoiding repeated user logins.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Mastering OAuth 2.0 requires understanding the specific grant types, token lifecycles, and security extensions that govern delegated authorization in healthcare interoperability.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us