A CapabilityStatement is a structured FHIR resource that serves as a machine-readable contract, explicitly declaring the set of capabilities a FHIR server or client supports. It details which resource types, interactions (read, create, search), search parameters, and security protocols are available, allowing other systems to dynamically discover how to interoperate without prior manual configuration.
Glossary
CapabilityStatement

What is CapabilityStatement?
A formal FHIR resource that declares the specific features, operations, and security protocols a server or client supports, enabling automated discovery and conformance verification.
This resource is fundamental to automated conformance testing and interoperability governance. By comparing a system's CapabilityStatement against a StructureDefinition or ImplementationGuide, a FHIR Validator can programmatically verify that a server meets the requirements of a specific use case, such as the US Core Implementation Guide, ensuring that federated learning nodes expose the necessary clinical data endpoints.
Key Features of a CapabilityStatement
A CapabilityStatement is a FHIR resource that formally declares the features a server or client supports, enabling automated discovery and robust contractual conformance testing between systems.
Declared RESTful Interactions
The resource explicitly enumerates which FHIR interactions a server supports for each resource type.
- read: Direct access to a known resource by its logical ID
- vread: Retrieves a specific historical version of a resource
- update: Allows a client to modify an existing resource
- delete: Removes a resource from the server
- history: Fetches the complete change log for a resource type
- create: Enables the submission of a new resource instance
- search: Defines which search parameters are indexed and queryable
This declaration allows a client to programmatically adapt its behavior without manual configuration.
Security Protocol Declaration
The rest.security element provides a machine-readable contract for authentication and authorization.
- CORS Support: Declares cross-origin resource sharing policies for browser-based apps
- Service Management: Links to the FHIR OAuth 2.0 endpoints for SMART on FHIR workflows
- Certificate Requirements: Specifies mutual TLS or PKI-based authentication needs
This section is critical for automated security negotiation, allowing a client to discover the exact token endpoint and scopes required before attempting a connection.
Resource Profile Constraints
A CapabilityStatement references specific StructureDefinitions to indicate which constrained profiles a server claims conformance to.
- US Core Profiles: Declares support for USCDI-mandated data elements
- Custom Profiles: Advertises proprietary extensions and slicing rules
- Supported Profiles: Lists canonical URLs for every profile the server validates against
This mechanism transforms a generic FHIR endpoint into a semantically precise interface, ensuring that a client sending a US Core Patient resource will be understood and processed correctly.
Operation Definition Binding
Beyond basic CRUD, the resource advertises support for extended FHIR operations.
- $validate: Checks a resource against its stated profile rules
- $expand: Requests a ValueSet to be fully enumerated for a drop-down UI
- $match: Performs patient matching for master person index deduplication
- $everything: Fetches a complete patient record graph in a single bundle
Each operation is bound to a specific resource context, allowing a client to discover that, for example, Patient/$match is available for probabilistic identity resolution.
Messaging Event Support
For event-driven architectures, the CapabilityStatement defines the FHIR messaging events a system can send or receive.
- Event Catalog: Lists specific event codes like
patient-linkorobservation-created - MessageHeader Profiles: Specifies the exact bundle structure expected for each event
- Endpoint Declarations: Provides the destination URL for message delivery
This section enables loose coupling between clinical systems, where a laboratory system can discover exactly which admission-discharge-transfer events a subscribing EHR supports.
Document Composition Rules
The document element declares the FHIR document bundles a system can produce or consume.
- Clinical Document Architecture (CDA) Replacement: Defines FHIR-based clinical notes
- Composition Profiles: Specifies the exact section structure and coded headings
- Digital Signature Support: Indicates whether documents are cryptographically signed
This allows a document consumer to validate that a received Continuity of Care Document (CCD) conforms to the expected template before attempting to parse it for clinical data.
Frequently Asked Questions
Essential questions about the FHIR CapabilityStatement resource, the foundational metadata document that enables automated interoperability by declaring a server's supported resources, operations, and security protocols.
A CapabilityStatement is a FHIR resource that functions as a machine-readable contract, explicitly declaring the set of capabilities a FHIR server or client supports. It answers the critical question: 'What can this endpoint do?' without requiring out-of-band human negotiation.
For interoperability, it is essential because it enables:
- Automated Discovery: Client applications can programmatically determine which resources (e.g., Patient, Observation), operations (e.g.,
$validate,$everything), and interaction types (e.g.,create,search) are available. - Security Metadata: It advertises supported authorization protocols like SMART on FHIR and OAuth 2.0 endpoints via the
rest.securityelement. - Version Negotiation: It specifies the exact FHIR version (
fhirVersionelement) supported, preventing version mismatch errors.
In a federated learning context, a central aggregator uses the CapabilityStatement of each hospital's FHIR server to dynamically discover which endpoints support the FHIR Bulk Data Access operations needed to export de-identified training datasets.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
A CapabilityStatement is the machine-readable contract of a FHIR server. The following concepts define the resources, profiles, and security protocols it declares.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us