Scope Reference

Complete catalog of OAuth 2.0, SMART on FHIR, and API key scopes — what each grants access to, which products use it, and example endpoints.

Total Scopes: 40
Categories: 10
SMART Scopes: 12
Partner Self-Service: 11

Least-privilege principle

Request only the scopes your integration needs. FHIR read scopes do not grant write access. SMART patient scopes are limited to the authorized patient context. Rotate credentials on schedule from My Tokens & Keys.

FHIR Platform

cms.fhir.r4.read

Read FHIR R4 resources — Patient, Observation, Condition, Encounter, and related clinical types.

GET /fhir/R4/{ResourceType}
GET /fhir/R4/{ResourceType}/{id}
API Key, OAuth 2.0
APEX Nexus, FHIR Data Lake
cms.fhir.r5.read

Read FHIR R5 resources where supported on the gateway.

GET /fhir/R5/{ResourceType}
API Key, OAuth 2.0
APEX Nexus
cms.fhir.bundle.push

Submit FHIR transaction or batch Bundles for ingest and upsert.

POST /fhir/R4
API Key, OAuth 2.0
APEX Nexus, Beacon Ingest
cms.fhir.rest.write

Create, update, and delete individual FHIR resources via REST.

POST /fhir/R4/{ResourceType}
PUT /fhir/R4/{ResourceType}/{id}
API Key, OAuth 2.0
APEX Nexus, Sightline, Odonto
cms.shc.verify

Verify SMART Health Card JWS payloads and immunization credentials.

POST /beacon/shc/verify
API Key, OAuth 2.0
Beacon Ingest
cms.shl.create

Generate SMART Health Links for credential sharing.

POST /beacon/shl/create
API Key, OAuth 2.0
Beacon Ingest
cms.shl.resolve

Resolve SMART Health Links to underlying FHIR payloads.

GET /beacon/shl/{id}
API Key, OAuth 2.0
Beacon Ingest

SMART on FHIR

patient/Patient.read

Read Patient resources in patient-facing SMART apps.

GET /fhir/R4/Patient/{id}
SMART on FHIR
APEX Nexus
patient/Observation.read

Read Observation resources (vitals, labs) for the authorized patient.

GET /fhir/R4/Observation
SMART on FHIR
APEX Nexus, Prime
patient/*.read

Read all patient-scoped FHIR resource types for the authorized patient context.

SMART on FHIR
APEX Nexus
user/Patient.read

Read Patient resources on behalf of an authenticated clinician user.

SMART on FHIR
APEX Nexus
user/*.write

Write FHIR resources on behalf of an authenticated clinician user.

SMART on FHIR
APEX Nexus
launch/patient

SMART EHR launch with patient context.

SMART on FHIR
APEX Nexus
launch-ehr

SMART App Launch from within the EHR workflow.

SMART on FHIR
APEX Nexus
fhirUser

OpenID Connect identity of the FHIR user (Practitioner).

SMART on FHIR
APEX Nexus
offline_access

Refresh token for long-lived SMART sessions.

SMART on FHIR
APEX Nexus

Identity & GPID

cms.identity.match

Match patient demographics against the GPID registry (read-only, no create).

POST /api/identity/match
API Key, OAuth 2.0
Identity & GPID
cms.identity.resolve

Resolve or create GPID records from verified demographics.

POST /api/identity/resolve
API Key, OAuth 2.0
Identity & GPID
identity.merge

Merge duplicate GPID records (requires approval workflow).

POST /api/identity/merge
Service Key, OAuth 2.0
Identity & GPID
identity.split

Split an incorrectly merged GPID record.

POST /api/identity/split
Service Key, OAuth 2.0
Identity & GPID

Plexus IAM

plexus.gpid.admin

Administrative GPID lifecycle operations via Plexus IAM.

POST /plexus/gpid/*
OAuth 2.0
Plexus IAM

Prime Wearables

prime.ingest.write

Ingest wearable vendor telemetry events.

POST /prime/v1/wearables/events
API Key, OAuth 2.0
Prime Wearables
prime.ingest.read

Read ingest status and pipeline health for Prime events.

GET /prime/v1/health
API Key, OAuth 2.0
Prime Wearables
prime.fhir.observation.write

Write normalized FHIR Observations from wearable data.

API Key, OAuth 2.0
Prime Wearables
prime.fhir.device.write

Register wearable Device resources linked to patient GPID.

API Key, OAuth 2.0
Prime Wearables
prime.alerts.read

Read readiness and biometric alert notifications.

API Key, OAuth 2.0
Prime Wearables

Horizon Analytics

horizon.query

Execute semantic / natural-language queries against the federated data layer.

POST /horizon/v1/query/nl
POST /horizon/v1/query/execute
OAuth 2.0
Horizon Analytics
horizon.score

Compute Horizon risk stratification scores for a GPID.

POST /horizon/v1/horizon-score/compute
OAuth 2.0
Horizon Analytics

TEFCA Exchange

tefca.xcpd.read

Outbound XCPD patient discovery at external QHIN partners.

POST /tefca/xcpd/search
OAuth 2.0
TEFCA Gateway
tefca.xcpd.write

Inbound XCPD patient discovery from external QHIN participants.

POST /tefca/xcpd/discover
OAuth 2.0
TEFCA Gateway
tefca.xca.read

Outbound XCA document/resource query at external QHIN partners.

POST /tefca/xca/search
OAuth 2.0
TEFCA Gateway
tefca.xca.write

Inbound XCA resource query from external QHIN participants.

POST /tefca/xca/query
OAuth 2.0
TEFCA Gateway

Velocity RCM

velocity.clearinghouse.eligibility

Real-time 270/271 eligibility checks via Stedi clearinghouse.

POST /velocity/v1/clearinghouse/eligibility
OAuth 2.0
Velocity RCM
velocity.clearinghouse.claims.read

276/277 claim status inquiries via Stedi.

POST /velocity/v1/clearinghouse/claims/status
OAuth 2.0
Velocity RCM
velocity.clearinghouse.claims.write

837P professional claim submission via Stedi.

POST /velocity/v1/clearinghouse/claims/submit
OAuth 2.0
Velocity RCM

CMS & Partners

cms.pipeline.read

Read partner pipeline health, sync rates, and webhook delivery metrics.

GET /cms/partners/pipeline
API Key, OAuth 2.0
CMS Ecosystem
cms.sdk.read

Read SDK catalog metadata and integration documentation.

API Key, OAuth 2.0
CMS Ecosystem

System & Bulk

system/*.read

Backend Services bulk read — required for FHIR $export jobs.

GET /fhir/R4/$export
SMART on FHIR, OAuth 2.0
APEX Nexus, FHIR Data Lake
system/Patient.read

Backend Services read access to Patient resources for bulk export.

GET /fhir/R4/$export?_type=Patient
SMART on FHIR, OAuth 2.0
APEX Nexus
system/*.write

Backend Services write for system-level FHIR Bundle submission.

POST /fhir/R4
SMART on FHIR, OAuth 2.0
APEX Nexus