Authentication · 4 min

API Keys & Scopes

Understand bearer token scopes, least-privilege access, and credential rotation.

1. Choose the right credential type

   Use long-lived API keys for backend batch jobs. Use OAuth clients for SMART apps and rotating client secrets.

2. Apply least privilege

   Request only the scopes your integration needs: FHIR read vs write, Prime ingest, identity match, etc.

3. Rotate on schedule

   Revoke unused tokens from the portal and re-issue before expiry. Never embed secrets in client-side code.
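The three steps above describe what a resource server has to enforce: a bearer token carries a set of scopes, each endpoint needs exactly one of them, and a credential that is about to expire should be re-issued before it lapses. The following is an added example, not code from this portal; the scope names (`fhir.read`, `fhir.write`, `prime.ingest`, `identity.match`), the endpoint-to-scope map, the claim layout and the sample token are all constructed here for illustration. It assumes the token's signature has already been verified by the caller and only shows the scope, expiry and rotation checks.

```python
# Added example (not the portal's own code): scope enforcement, expiry and
# rotation checks for a bearer token. Scope names, endpoint map and claim
# layout are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed scope vocabulary modelled on the categories named in step 2.
FHIR_READ = "fhir.read"
FHIR_WRITE = "fhir.write"
PRIME_INGEST = "prime.ingest"
IDENTITY_MATCH = "identity.match"

# Hypothetical map from (method, path) to the single scope that call needs.
REQUIRED_SCOPE = {
    ("GET", "/fhir/Patient"): FHIR_READ,
    ("POST", "/fhir/Observation"): FHIR_WRITE,
    ("POST", "/prime/ingest"): PRIME_INGEST,
    ("POST", "/identity/match"): IDENTITY_MATCH,
}


@dataclass(frozen=True)
class TokenClaims:
    subject: str
    scopes: frozenset[str]
    expires_at: datetime  # timezone-aware UTC


def parse_claims(raw: dict) -> TokenClaims:
    """Turn the (constructed) claim dict into typed claims.

    Signature verification is assumed to have happened before this point;
    `scope` is a space-separated list, `exp` a Unix timestamp in seconds.
    """
    scopes = frozenset(str(raw.get("scope", "")).split())
    expires_at = datetime.fromtimestamp(int(raw["exp"]), tz=timezone.utc)
    return TokenClaims(subject=str(raw["sub"]), scopes=scopes, expires_at=expires_at)


def authorize(claims: TokenClaims, method: str, path: str, now: datetime) -> tuple[bool, str]:
    """Allow the call only if the token is unexpired and holds the one scope the endpoint needs."""
    required = REQUIRED_SCOPE.get((method, path))
    if required is None:
        return False, "unknown endpoint"
    if now >= claims.expires_at:
        return False, "token expired"
    if required not in claims.scopes:
        return False, f"missing scope {required}"
    return True, "ok"


def rotation_due(claims: TokenClaims, now: datetime, lead: timedelta = timedelta(days=7)) -> bool:
    """Step 3: re-issue when the credential expires within `lead` (default one week)."""
    return claims.expires_at - now <= lead


def excess_scopes(claims: TokenClaims, needed: set[str]) -> frozenset[str]:
    """Step 2: scopes granted but not used by the integration, i.e. candidates to drop."""
    return claims.scopes - frozenset(needed)


# Constructed sample: a batch-job token holding read + ingest, expiring in 3 days.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
BATCH_JOB = parse_claims({
    "sub": "batch-job-1",
    "scope": "fhir.read prime.ingest",
    "exp": int((NOW + timedelta(days=3)).timestamp()),
})

if __name__ == "__main__":
    print(authorize(BATCH_JOB, "GET", "/fhir/Patient", NOW))
    print(authorize(BATCH_JOB, "POST", "/fhir/Observation", NOW))
    print("rotation due:", rotation_due(BATCH_JOB, NOW))
    print("excess scopes if only read is needed:", excess_scopes(BATCH_JOB, {FHIR_READ}))
```

The read call succeeds, the write call is refused with the name of the missing scope rather than a generic error (useful for audit logs), and because the token expires inside the one-week lead window `rotation_due` flags it for re-issue. Running `excess_scopes` against the scopes an integration actually uses is a quick way to find grants that should be removed from the portal.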
