
Security & Authentication

Enterprise security architecture — OAuth 2.0, SMART on FHIR, RBAC, MFA, encryption, audit logging

Authentication Methods

OAuth 2.0 (Client Credentials)

Machine-to-machine: the client exchanges its client_id and client_secret for an access_token. Used by CMS partners and service integrations.

Scopes: cms.fhir.r4.read, cms.fhir.bundle.push

SMART on FHIR

SMART App Launch Framework. Supports both standalone launch and EHR launch, with patient-level and user-level scopes.

Scopes: patient/Patient.read, user/*.write

Bearer Token (JWT)

RS256-signed JWT carrying tenant_id, org_id, roles, and scopes claims. Tokens expire after 1 hour.

Scopes: system/*, dashboard:read

Service Key

Internal service-to-service auth via X-Apex-Service-Key header.

Scopes: identity.resolve, identity.merge

ID.me OAuth 2.0

Identity verification for patient portal. OIDC-compliant with openid scope.

Scope: openid

API Key

Simple API key for rate-limited public endpoints.

Scopes: npi.search, npi.lookup

Multi-Factor Authentication

TOTP

Google Authenticator / Authy

Email Verification

6-digit verification code

WebAuthn / FIDO2

Hardware security keys (YubiKey)

Backup Codes

Single-use recovery codes

Role-Based Access Control

Roles: admin, doctor, nurse, receptionist, payer, auditor, clinical_researcher, iam_admin, api_developer, patient, pharmacist, executive, contractor, athlete, coach, nutritionist

Enforcement

Decorators: @role_required, @permission_required, @provider_required, @scope_required
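The scopes listed under the authentication methods mix SMART-style scopes (patient/Patient.read, user/*.write, system/*) with flat names (cms.fhir.r4.read, dashboard:read), and the decorators above enforce them per endpoint. The following is an added example, not the page's or the product's own code, of how such a check can be written: a matcher that understands SMART wildcards, and @scope_required / @role_required decorators that read a caller's principal. The Principal class, the PermissionError behaviour and the rule that patient/ and user/ contexts never satisfy each other are assumptions made for the example.

```python
import functools
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Claims taken from a verified bearer token (hypothetical shape)."""
    tenant_id: str
    roles: frozenset
    scopes: frozenset


def _split_smart(scope):
    """(context, resource, permission) for a SMART-style scope, else None.
    'system/*' has no resource or permission, so both become wildcards."""
    if "/" not in scope:
        return None
    context, rest = scope.split("/", 1)
    if "." in rest:
        resource, permission = rest.rsplit(".", 1)
    else:
        resource, permission = rest, "*"
    return context, resource, permission


def scope_covers(granted: str, required: str) -> bool:
    """Does one granted scope satisfy one required scope?
    Flat scopes must match exactly; SMART scopes allow '*' at the resource
    or permission position. Contexts (patient/user/system) are kept distinct."""
    if granted == required:
        return True
    g, r = _split_smart(granted), _split_smart(required)
    if g is None or r is None:
        return False
    return g[0] == r[0] and g[1] in ("*", r[1]) and g[2] in ("*", r[2])


def has_scope(granted_scopes, required: str) -> bool:
    return any(scope_covers(g, required) for g in granted_scopes)


def scope_required(*required):
    """Deny the call unless every required scope is covered by the principal."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(principal, *args, **kwargs):
            missing = [s for s in required if not has_scope(principal.scopes, s)]
            if missing:
                raise PermissionError("missing scope(s): " + " ".join(missing))
            return fn(principal, *args, **kwargs)
        return wrapper
    return decorator


def role_required(*roles):
    """Deny the call unless the principal holds at least one of the roles."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(principal, *args, **kwargs):
            if not principal.roles & frozenset(roles):
                raise PermissionError("requires one of roles: " + ", ".join(roles))
            return fn(principal, *args, **kwargs)
        return wrapper
    return decorator


# Illustrative endpoints (constructed for the example).
@scope_required("patient/Patient.read")
def read_patient(principal, patient_id):
    return {"id": patient_id, "tenant": principal.tenant_id}


@role_required("admin", "iam_admin")
@scope_required("identity.merge")
def merge_identities(principal, source_id, target_id):
    return f"merged {source_id} into {target_id}"
```

Stacking @role_required over @scope_required means an identity merge needs both an administrative role and the identity.merge scope; a token with the scope but an ordinary clinical role is refused before the handler runs.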

Encryption

Field-Level: Fernet (AES-256)
JWT Signing: RS256 (RSA)
SHC (SMART Health Card) Signing: ES256 (ECDSA)
Transport: TLS 1.2+
Secrets: GCP Secret Manager
Password Hashing: bcrypt (12 rounds)

Session Security

Cookie: Secure, HttpOnly, SameSite=Lax
Session Lifetime: 8 hours (work shift)
Idle Timeout: 30 minutes
CSRF Protection: Enabled (all forms)
Max Body Size: 50MB
Brute-Force: Progressive lockout
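The session rules above combine an absolute lifetime (8 hours), an idle timeout (30 minutes), hardened cookie flags and a progressive lockout against password guessing. The following is an added example in stdlib Python, not code from the page or the product, of how those four controls fit together; the Session shape, the 3 free attempts, the 30-second starting delay and the doubling schedule are assumptions for the example.

```python
from dataclasses import dataclass
from http.cookies import SimpleCookie

SESSION_LIFETIME = 8 * 60 * 60   # 8 hours, one work shift
IDLE_TIMEOUT = 30 * 60           # 30 minutes without a request


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


def session_state(session: Session, now: float) -> str:
    """'active', 'idle' (no request for 30 min) or 'expired' (8 h since login).
    The absolute lifetime wins even for a user who was active the whole shift."""
    if now - session.created_at > SESSION_LIFETIME:
        return "expired"
    if now - session.last_seen > IDLE_TIMEOUT:
        return "idle"
    return "active"


def touch(session: Session, now: float) -> bool:
    """Extend the idle window on a valid request; refuse to revive a dead session."""
    if session_state(session, now) != "active":
        return False
    session.last_seen = now
    return True


def session_cookie(name: str, value: str) -> str:
    """Set-Cookie value with the documented flags: Secure, HttpOnly, SameSite=Lax,
    and a Max-Age no longer than the absolute session lifetime."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["secure"] = True
    cookie[name]["httponly"] = True
    cookie[name]["samesite"] = "Lax"
    cookie[name]["max-age"] = SESSION_LIFETIME
    cookie[name]["path"] = "/"
    return cookie[name].OutputString()


class ProgressiveLockout:
    """Brute-force throttle (assumed schedule): after `free_attempts` failures the
    lockout starts at `base_delay` seconds and doubles per further failure, capped
    at `max_delay`. Key on username plus client address; a success clears the count."""

    def __init__(self, free_attempts=3, base_delay=30, max_delay=3600):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._state = {}  # key -> (failures, locked_until)

    def seconds_locked(self, key: str, now: float) -> float:
        _, locked_until = self._state.get(key, (0, 0.0))
        return max(0.0, locked_until - now)

    def record_failure(self, key: str, now: float) -> float:
        """Register a failed login; return the lockout delay applied (0 if none yet)."""
        failures, _ = self._state.get(key, (0, 0.0))
        failures += 1
        excess = failures - self.free_attempts
        delay = 0.0
        if excess > 0:
            delay = min(self.base_delay * 2 ** (excess - 1), self.max_delay)
        self._state[key] = (failures, now + delay)
        return delay

    def record_success(self, key: str) -> None:
        self._state.pop(key, None)
```

Checking seconds_locked before even looking up the password keeps the lockout from leaking timing differences between locked and unlocked accounts, and clearing the counter only on success means an attacker cannot reset it by waiting.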

Security Headers

HSTS: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
CSP: default-src 'self'; script-src 'self'
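A header policy is only as good as its enforcement on every response, and the CSP keyword self is a common source of silent failure: written without quotes it names a host called "self" rather than the page's own origin. The following is an added example, not code from the page or the product, of a small audit function that checks a response's headers against the policy listed above; the sample header sets are constructed, and the specific findings text is the example's own.

```python
HSTS_MIN_MAX_AGE = 63072000  # two years, the value the policy above uses


def parse_hsts(value: str):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                max_age = int(directive.split("=", 1)[1])
            except ValueError:
                max_age = None
        elif directive == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_headers(headers: dict) -> list:
    """Compare one response's headers with the policy; an empty list means it conforms."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None or max_age < HSTS_MIN_MAX_AGE:
            findings.append(f"HSTS max-age below {HSTS_MIN_MAX_AGE}")
        if not include_sub:
            findings.append("HSTS lacks includeSubDomains")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").strip().upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if h.get("referrer-policy", "").strip().lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy is not strict-origin-when-cross-origin")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        for directive in ("default-src", "script-src"):
            sources = policy.get(directive)
            if sources is None:
                findings.append(f"CSP lacks {directive}")
            elif "self" in sources:
                # Unquoted self is a host name, not the keyword.
                findings.append(f"CSP {directive}: self must be quoted as 'self'")
            elif any(s in ("*", "'unsafe-inline'", "'unsafe-eval'") for s in sources):
                findings.append(f"CSP {directive} allows {' '.join(sources)}")
    return findings


# Constructed samples: the documented policy, and a weakened copy of it.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    # Legacy header: Chromium and Firefox ignore it; CSP is the effective XSS control.
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
}
WEAK_HEADERS = dict(GOOD_HEADERS, **{
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src self; script-src 'self' 'unsafe-inline'",
})
```

Running audit_headers over a sample of production responses (including error pages and API endpoints, which often bypass the middleware that sets these headers) is a cheap regression test for the policy.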

Compliance Frameworks

HIPAA

Compliant

Business Associate Agreements, PHI encryption, audit logging

SOC 2 Type II

Certified

Security, Availability, Processing Integrity, Confidentiality, Privacy

HITRUST CSF

Mapped

14 control categories, 49 objectives, 156 control specifications

ISO 27001

Aligned

Information security management system (ISMS)

GDPR

Compatible

Data subject rights, consent management, DPO appointment

OAuth 2.0 Client Credentials Flow

1. Request Token

POST /oauth/token HTTP/1.1
Host: api.parkerapex.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=clt_abc123
&client_secret=your_secret
&scope=cms.fhir.r4.read cms.fhir.bundle.push

2. Response (200 OK)

{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "cms.fhir.r4.read cms.fhir.bundle.push",
  "issued_at": "2026-04-09T12:00:00Z"
}
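The exchange above is the whole flow, but a client still has to handle the response correctly: reuse the token until shortly before expires_in elapses, send the secret only when a token is actually needed, and notice when the server grants fewer scopes than requested rather than failing with a 403 later. The following is an added example in stdlib Python, not code from the page or the product, of such a client. The token URL and response fields come from the request and response shown above; the class name, the 60-second refresh margin and the injectable transport and clock (used so the example runs offline against a constructed stand-in endpoint) are assumptions.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.parkerapex.com/oauth/token"  # endpoint from the request above
REFRESH_MARGIN = 60  # seconds before expiry at which a new token is fetched (assumed)


def post_form(url: str, form: dict) -> dict:
    """Default transport: POST an x-www-form-urlencoded body, parse the JSON reply."""
    body = urllib.parse.urlencode(form).encode("ascii")
    request = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.loads(response.read().decode("utf-8"))


class ClientCredentialsClient:
    """Caches one access token and refreshes it shortly before `expires_in`
    elapses (hypothetical client, not the product's SDK)."""

    def __init__(self, client_id, client_secret, scopes, token_url=TOKEN_URL,
                 transport=post_form, clock=time.time):
        self.client_id = client_id
        self._client_secret = client_secret   # never logged or returned
        self.scopes = list(scopes)
        self.token_url = token_url
        self._transport = transport
        self._clock = clock
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0  # how many times the secret was sent

    def access_token(self) -> str:
        now = self._clock()
        if self._token is not None and now < self._expires_at - REFRESH_MARGIN:
            return self._token
        reply = self._transport(self.token_url, {
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self._client_secret,
            "scope": " ".join(self.scopes),
        })
        self.fetch_count += 1
        if reply.get("token_type") != "Bearer" or "access_token" not in reply:
            raise ValueError("unexpected token response")
        # The server may narrow the scope; fail here rather than on a later 403.
        missing = set(self.scopes) - set(reply.get("scope", "").split())
        if missing:
            raise PermissionError("scopes not granted: " + " ".join(sorted(missing)))
        self._token = reply["access_token"]
        self._expires_at = now + float(reply.get("expires_in", 0))
        return self._token

    def auth_header(self) -> dict:
        return {"Authorization": "Bearer " + self.access_token()}


def fake_token_endpoint(url, form):
    """Constructed stand-in for /oauth/token returning the documented response shape."""
    assert form["grant_type"] == "client_credentials"
    return {
        "access_token": "eyJhbGciOiJSUzI1NiIs...",
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": form["scope"],
        "issued_at": "2026-04-09T12:00:00Z",
    }
```

Expiry is computed from the local clock at request time rather than from issued_at, so skew between client and authorization server cannot make the client believe a token is fresher than it is.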