Inferensys

Glossary

SMART Backend Services

An authorization specification for server-to-server communication, allowing a trusted client to obtain an access token for a FHIR API without direct user interaction, often used for bulk data access.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
AUTHORIZATION SPECIFICATION

What is SMART Backend Services?

An authorization specification for server-to-server communication, allowing a trusted client to obtain an access token for a FHIR API without direct user interaction, often used for bulk data access.

SMART Backend Services is an authorization specification that extends the OAuth 2.0 client credentials grant to enable secure, server-to-server communication with FHIR APIs. It allows a trusted system—such as a population health analytics engine or a machine learning pipeline—to autonomously obtain an access token and interact with clinical data repositories without requiring an interactive user login session. This mechanism is foundational for automated, non-interactive workflows like FHIR Bulk Data Access exports and cross-institutional research queries.

The specification defines a profile where a client system authenticates directly with an authorization server using a pre-registered client_id and a signed JSON Web Token (JWT) assertion, rather than a shared secret. This asymmetric cryptography approach binds the token request to a specific JWK Set URL, enabling robust key rotation and eliminating the security risks of long-lived client secrets. The resulting access token is scoped to the requesting system's identity, not an end-user, making it the standard authorization pattern for backend data integration and federated analytics.

SYSTEM-LEVEL AUTHORIZATION

Key Features of SMART Backend Services

SMART Backend Services extend the OAuth 2.0 client credentials grant to the FHIR ecosystem, enabling trusted server-to-server communication for bulk data export and population health analytics without user interaction.

02

Asymmetric JWT Authentication

Authentication relies on asymmetric cryptography using public/private key pairs. The client generates a JWT signed with its private key (RS384 or ES384), containing claims such as iss (client_id), sub (client_id), aud (token endpoint URL), and exp (expiration). The authorization server validates the signature against the client's pre-registered JSON Web Key Set (JWKS) URL, ensuring cryptographic trust without shared secrets.

03

FHIR Bulk Data Access Alignment

SMART Backend Services is the mandatory authorization mechanism for the FHIR Bulk Data Access specification. It enables population-level use cases by allowing a trusted client to request asynchronous export of large, flat datasets—such as all patients, observations, or claims—without the performance limitations of individual resource queries. The access token obtained via the backend service flow is presented as a Bearer token to initiate and poll bulk export jobs.

04

Pre-Registration and Trust Establishment

Unlike user-facing apps that can be dynamically registered, Backend Service clients require manual pre-registration with the authorization server. This out-of-band process establishes a trust relationship by exchanging the client's JWKS endpoint URL and granting a client_id. The authorization server uses this pre-configured trust to validate JWT signatures and enforce scoped access policies, making the flow suitable only for tightly controlled, vetted systems.

05

Scoped Access Control

Access tokens issued through the backend service flow are bound to pre-authorized scopes that limit what data the client can access. Typical scopes include:

  • system/*.read for read-only access to all patient-level resources
  • system/*.write for write operations
  • Granular scopes like system/Observation.read for specific resource types These scopes are negotiated during registration and enforced at the FHIR API layer, ensuring least-privilege access for automated processes.
06

Token Expiration and Rotation

Backend Service access tokens are short-lived (typically 5-15 minutes) to minimize the impact of credential leakage. The authorization server returns an expires_in field, and clients must monitor this to proactively refresh tokens. Unlike user-facing flows, there is no refresh token; the client simply generates a new signed JWT assertion and re-authenticates against the token endpoint. This stateless design simplifies server implementation while maintaining security.

AUTHORIZATION PARADIGM COMPARISON

SMART Backend Services vs. SMART on FHIR (User-Facing)

A technical comparison of the two distinct SMART authorization flows for FHIR APIs: server-to-server automation versus interactive user-facing applications.

FeatureSMART Backend ServicesSMART on FHIR (User-Facing)

Primary Use Case

Automated system-to-system data exchange without human intervention

Interactive applications requiring patient or provider login

Authorization Grant Type

OAuth 2.0 Client Credentials Grant

OAuth 2.0 Authorization Code Grant

User Interaction Required

Authentication Mechanism

Asymmetric cryptography via signed JWT assertions

User redirect to authorization server for credential entry

Typical Client Type

Trusted backend servers, ETL pipelines, analytics engines

Single-page apps, mobile apps, EHR-embedded plugins

Token Scope Granularity

System-level scopes (e.g., system/*.read)

User-level scopes tied to patient context (e.g., patient/*.read)

FHIR Bulk Data Access Support

Patient Context (launch context)

SMART BACKEND SERVICES

Frequently Asked Questions

Clarifying the authorization mechanics, security profiles, and implementation patterns for server-to-server FHIR data exchange without direct user interaction.

SMART Backend Services is an OAuth 2.0 authorization specification designed for server-to-server communication against a FHIR API, enabling a trusted client to obtain an access token without direct user interaction. The flow operates through the Client Credentials grant type, where a pre-registered client presents its client_id and a signed JSON Web Token (JWT) assertion to the authorization server's token endpoint. This JWT assertion contains claims about the client's identity, the requested scopes (often system/*.read for bulk data), and an expiration timestamp, all cryptographically signed using the client's private key. The authorization server validates the signature against the client's registered public key, verifies the claims, and issues a short-lived access token. This mechanism is the foundational authorization layer for the FHIR Bulk Data Access specification, allowing population health analytics tools and machine learning pipelines to securely extract large datasets without requiring a human to be present at a screen.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.