SMART Sandbox FHIR R4 API

Free, fully open FHIR R4 server loaded with synthetic patient records for app development and testing. No registration or authentication is required - read, search, create, update, and delete clinical resources such as Patient, Observation, Condition, MedicationRequest, Encounter, Immunization, and AllergyIntolerance over plain FHIR REST. Companion open endpoints exist for DSTU2 (r2.smarthealthit.org) and STU3 (r3.smarthealthit.org).

OpenAPI Specification

smarthealthit-openapi.yml Raw ↑
openapi: 3.0.3
info:
  title: SMART Health IT Sandbox FHIR APIs
  description: >-
    Public, free sandbox APIs operated by SMART Health IT (Computational
    Health Informatics Program, Boston Children's Hospital / Harvard Medical
    School) for building and testing SMART on FHIR apps. Three surfaces are
    described here. (1) The open FHIR R4 sandbox at
    https://r4.smarthealthit.org - synthetic patient records served over plain
    FHIR REST with no authentication (DSTU2 and STU3 variants exist at
    r2/r3.smarthealthit.org). (2) The SMART App Launcher's protected FHIR R4
    proxy at https://launch.smarthealthit.org/v/r4/fhir, which requires an
    OAuth 2.0 access token obtained through the HL7 SMART App Launch flow at
    /v/r4/auth/authorize and /v/r4/auth/token (no client registration
    needed). (3) The reference Bulk Data server at
    https://bulk-data.smarthealthit.org/fhir, which implements FHIR Bulk Data
    $export with SMART Backend Services JWT authentication. All data is
    synthetic; these servers are for development and testing, never real PHI.
  version: '1.0'
  contact:
    name: SMART Health IT
    url: https://smarthealthit.org
  license:
    name: Apache 2.0
    url: https://github.com/smart-on-fhir/smart-launcher-v2/blob/main/LICENSE
externalDocs:
  description: SMART on FHIR developer documentation
  url: https://docs.smarthealthit.org
servers:
  - url: https://r4.smarthealthit.org
    description: Open FHIR R4 sandbox (no authentication required)
  - url: https://launch.smarthealthit.org/v/r4/fhir
    description: SMART App Launcher protected FHIR R4 proxy (SMART App Launch OAuth 2.0)
  - url: https://bulk-data.smarthealthit.org/fhir
    description: Reference Bulk Data server (SMART Backend Services authentication)
tags:
  - name: Conformance
    description: Server capability discovery.
  - name: Patients
    description: Synthetic patient demographic records.
  - name: Clinical Records
    description: Observations, conditions, medications, encounters, allergies, and immunizations.
  - name: SMART App Launch
    description: OAuth 2.0 authorization endpoints on the SMART App Launcher.
  - name: Bulk Data
    description: FHIR Bulk Data $export operations on the reference Bulk Data server.
paths:
  /metadata:
    get:
      operationId: getCapabilityStatement
      tags:
        - Conformance
      summary: Retrieve the FHIR CapabilityStatement
      description: >-
        Returns the server's FHIR R4 CapabilityStatement. On the launcher
        proxy the security section advertises the OAuth2 SMART-on-FHIR
        service with authorize, token, and introspect extension URIs.
      security: []
      responses:
        '200':
          description: The server CapabilityStatement.
          content:
            application/fhir+json:
              schema:
                $ref: '#/components/schemas/FhirResource'
  /Patient:
    get:
      operationId: searchPatients
      tags:
        - Patients
      summary: Search patients
      description: >-
        Searches synthetic Patient resources. Supports standard FHIR search
        parameters such as name, birthdate, gender, and _count. Returns a
        searchset Bundle.
      parameters:
        - $ref: '#/components/parameters/Count'
        - name: name
          in: query
          description: Match on patient name parts.
          schema:
            type: string
        - name: birthdate
          in: query
          description: Match on date of birth (supports FHIR date prefixes such as ge/le).
          schema:
            type: string
        - name: gender
          in: query
          description: Administrative gender code.
          schema:
            type: string
      responses:
        '200':
          description: A searchset Bundle of Patient resources.
          content:
            application/fhir+json:
              schema:
                $ref: '#/components/schemas/Bundle'
  /Patient/{id}:
    get:
      operationId: getPatient
      tags:
        - Patients
      summary: Read a patient
      description: Reads a single synthetic Patient resource by logical id.
      parameters:
        - $ref: '#/components/parameters/ResourceId'
      responses:
        '200':
          description: The requested Patient resource.
          content:
            application/fhir+json:
              schema:
                $ref: '#/components/schemas/FhirResource'
        '404':
          $ref: '#/components/responses/NotFound'
  /Observation:
    get:
      operationId: searchObservations
      tags:
        - Clinical Records
      summary: Search observations
      description: >-
        Searches Observation resources - vital signs, lab results, and other
        measurements - typically scoped to a patient with the patient search
        parameter and filtered by category or code.
      parameters:
        - $ref: '#/components/parameters/Patient'
        - $ref: '#/components/parameters/Count'
        - name: category
          in: query
          description: Observation category (for example vital-signs or laboratory).
          schema:
            type: string
        - name: code
          in: query
          description: LOINC or other code identifying the observation.
          schema:
            type: string
      responses:
        '200':
          description: A searchset Bundle of Observation resources.
          content:
            application/fhir+json:
              schema:
                $ref: '#/components/schemas/Bundle'
  /Condition:
    get:
      operationId: searchConditions
      tags:
        - Clinical Records
      summary: Search conditions
      description: Searches Condition resources (problems and diagnoses) for a patient.
      parameters:
        - $ref: '#/components/parameters/Patient'
        - $ref: '#/components/parameters/Count'
      responses:
        '200':
          description: A searchset Bundle of Condition resources.
          content:
            application/fhir+json:
              schema:
                $ref: '#/components/schemas/Bundle'
  /MedicationRequest:
    get:
      operationId: searchMedicationRequests
      tags:
        - Clinical Records
      summary: Search medication requests
      description: Searches MedicationRequest resources (prescriptions and medication orders) for a patient.
      parameters:
        - $ref: '#/components/parameters/Patient'
        - $ref: '#/components/parameters/Count'
      responses:
        '200':
          description: A searchset Bundle of MedicationRequest resources.
          content:
            application/fhir+json:
              schema:
                $ref: '#/components/schemas/Bundle'
  /Encounter:
    get:
      operationId: searchEncounters
      tags:
        - Clinical Records
      summary: Search encounters
      description: Searches Encounter resources (visits and admissions) for a patient.
      parameters:
        - $ref: '#/components/parameters/Patient'
        - $ref: '#/components/parameters/Count'
      responses:
        '200':
          description: A searchset Bundle of Encounter resources.
          content:
            application/fhir+json:
              schema:
                $ref: '#/components/schemas/Bundle'
  /AllergyIntolerance:
    get:
      operationId: searchAllergyIntolerances
      tags:
        - Clinical Records
      summary: Search allergies and intolerances
      description: Searches AllergyIntolerance resources for a patient.
      parameters:
        - $ref: '#/components/parameters/Patient'
        - $ref: '#/components/parameters/Count'
      responses:
        '200':
          description: A searchset Bundle of AllergyIntolerance resources.
          content:
            application/fhir+json:
              schema:
                $ref: '#/components/schemas/Bundle'
  /Immunization:
    get:
      operationId: searchImmunizations
      tags:
        - Clinical Records
      summary: Search immunizations
      description: Searches Immunization resources (vaccination history) for a patient.
      parameters:
        - $ref: '#/components/parameters/Patient'
        - $ref: '#/components/parameters/Count'
      responses:
        '200':
          description: A searchset Bundle of Immunization resources.
          content:
            application/fhir+json:
              schema:
                $ref: '#/components/schemas/Bundle'
  /DocumentReference:
    get:
      operationId: searchDocumentReferences
      tags:
        - Clinical Records
      summary: Search document references
      description: Searches DocumentReference resources (clinical notes and documents) for a patient.
      parameters:
        - $ref: '#/components/parameters/Patient'
        - $ref: '#/components/parameters/Count'
      responses:
        '200':
          description: A searchset Bundle of DocumentReference resources.
          content:
            application/fhir+json:
              schema:
                $ref: '#/components/schemas/Bundle'
  /auth/authorize:
    servers:
      - url: https://launch.smarthealthit.org/v/r4
        description: SMART App Launcher R4 base (auth endpoints are siblings of /fhir)
    get:
      operationId: smartAuthorize
      tags:
        - SMART App Launch
      summary: SMART App Launch authorization endpoint (launcher only)
      description: >-
        OAuth 2.0 authorization endpoint on the SMART App Launcher, located
        at https://launch.smarthealthit.org/v/r4/auth/authorize (a sibling
        of the /fhir base, so this path carries its own server). Initiates the
        SMART App Launch authorization code flow with PKCE, accepting
        standard OAuth parameters plus SMART launch context (launch,
        aud/aud-validated FHIR base, and clinical scopes such as
        patient/*.read, launch/patient, openid, and fhirUser). No client
        registration is required on the sandbox.
      security: []
      parameters:
        - name: response_type
          in: query
          required: true
          schema:
            type: string
            enum:
              - code
        - name: client_id
          in: query
          required: true
          schema:
            type: string
        - name: redirect_uri
          in: query
          required: true
          schema:
            type: string
        - name: scope
          in: query
          required: true
          description: Space-separated SMART scopes, for example "launch/patient patient/*.read openid fhirUser".
          schema:
            type: string
        - name: state
          in: query
          required: true
          schema:
            type: string
        - name: aud
          in: query
          required: true
          description: The FHIR base URL the token will be used against.
          schema:
            type: string
      responses:
        '302':
          description: Redirects back to the app's redirect_uri with an authorization code.
  /auth/token:
    servers:
      - url: https://launch.smarthealthit.org/v/r4
        description: SMART App Launcher R4 base (auth endpoints are siblings of /fhir)
    post:
      operationId: smartToken
      tags:
        - SMART App Launch
      summary: SMART App Launch token endpoint (launcher only)
      description: >-
        OAuth 2.0 token endpoint on the SMART App Launcher, located at
        https://launch.smarthealthit.org/v/r4/auth/token. Exchanges an
        authorization code (with PKCE verifier) for an access token carrying
        SMART launch context (patient, encounter, fhirUser), or accepts a
        SMART Backend Services client_credentials grant with a signed JWT
        client assertion.
      security: []
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              properties:
                grant_type:
                  type: string
                  enum:
                    - authorization_code
                    - client_credentials
                    - refresh_token
                code:
                  type: string
                redirect_uri:
                  type: string
                code_verifier:
                  type: string
                client_assertion_type:
                  type: string
                client_assertion:
                  type: string
                scope:
                  type: string
      responses:
        '200':
          description: An access token response with SMART context parameters.
          content:
            application/json:
              schema:
                type: object
                properties:
                  access_token:
                    type: string
                  token_type:
                    type: string
                  expires_in:
                    type: integer
                  scope:
                    type: string
                  patient:
                    type: string
                    description: Patient id in context, when launch/patient was granted.
                  encounter:
                    type: string
                  id_token:
                    type: string
  /$export:
    servers:
      - url: https://bulk-data.smarthealthit.org/fhir
        description: Reference Bulk Data server
    get:
      operationId: bulkSystemExport
      tags:
        - Bulk Data
      summary: Start a system-level bulk export (Bulk Data server only)
      description: >-
        Kicks off an asynchronous export of all resources on the reference
        Bulk Data server (https://bulk-data.smarthealthit.org/fhir).
        Requires the Prefer respond-async header and a SMART Backend
        Services access token. Responds 202 with a Content-Location status
        URL to poll (honor Retry-After); when complete, the status endpoint
        returns a manifest of NDJSON file URLs to download.
      parameters:
        - $ref: '#/components/parameters/OutputFormat'
        - $ref: '#/components/parameters/Type'
        - $ref: '#/components/parameters/Since'
      responses:
        '202':
          description: Export accepted; poll the Content-Location URL for status.
          headers:
            Content-Location:
              description: Absolute URL of the export status endpoint.
              schema:
                type: string
        '401':
          $ref: '#/components/responses/Unauthorized'
  /Patient/$export:
    servers:
      - url: https://bulk-data.smarthealthit.org/fhir
        description: Reference Bulk Data server
    get:
      operationId: bulkPatientExport
      tags:
        - Bulk Data
      summary: Start a patient-level bulk export (Bulk Data server only)
      description: >-
        Kicks off an asynchronous export of all data for all patients on the
        reference Bulk Data server, following the same async-request pattern
        as the system-level export.
      parameters:
        - $ref: '#/components/parameters/OutputFormat'
        - $ref: '#/components/parameters/Type'
        - $ref: '#/components/parameters/Since'
      responses:
        '202':
          description: Export accepted; poll the Content-Location URL for status.
          headers:
            Content-Location:
              schema:
                type: string
        '401':
          $ref: '#/components/responses/Unauthorized'
  /Group/{id}/$export:
    servers:
      - url: https://bulk-data.smarthealthit.org/fhir
        description: Reference Bulk Data server
    get:
      operationId: bulkGroupExport
      tags:
        - Bulk Data
      summary: Start a group-level bulk export (Bulk Data server only)
      description: >-
        Kicks off an asynchronous export of all data for the patients in a
        Group on the reference Bulk Data server.
      parameters:
        - $ref: '#/components/parameters/ResourceId'
        - $ref: '#/components/parameters/OutputFormat'
        - $ref: '#/components/parameters/Type'
        - $ref: '#/components/parameters/Since'
      responses:
        '202':
          description: Export accepted; poll the Content-Location URL for status.
          headers:
            Content-Location:
              schema:
                type: string
        '401':
          $ref: '#/components/responses/Unauthorized'
components:
  parameters:
    ResourceId:
      name: id
      in: path
      required: true
      description: The logical id of the resource.
      schema:
        type: string
    Patient:
      name: patient
      in: query
      description: Scope the search to a patient, for example "Patient/123" or "123".
      schema:
        type: string
    Count:
      name: _count
      in: query
      description: Maximum number of entries per page of the returned Bundle.
      schema:
        type: integer
    OutputFormat:
      name: _outputFormat
      in: query
      description: Requested bulk output format; defaults to application/fhir+ndjson.
      schema:
        type: string
    Type:
      name: _type
      in: query
      description: Comma-separated FHIR resource types to include in the export.
      schema:
        type: string
    Since:
      name: _since
      in: query
      description: Only include resources modified after this instant.
      schema:
        type: string
        format: date-time
  responses:
    NotFound:
      description: No resource exists with the given id.
      content:
        application/fhir+json:
          schema:
            $ref: '#/components/schemas/OperationOutcome'
    Unauthorized:
      description: Missing or invalid access token (protected servers only).
      content:
        application/fhir+json:
          schema:
            $ref: '#/components/schemas/OperationOutcome'
  schemas:
    FhirResource:
      type: object
      description: Any FHIR R4 resource, identified by its resourceType element.
      properties:
        resourceType:
          type: string
        id:
          type: string
      additionalProperties: true
    Bundle:
      type: object
      description: A FHIR R4 searchset Bundle.
      properties:
        resourceType:
          type: string
          enum:
            - Bundle
        type:
          type: string
        total:
          type: integer
        link:
          type: array
          items:
            type: object
            properties:
              relation:
                type: string
              url:
                type: string
        entry:
          type: array
          items:
            type: object
            properties:
              fullUrl:
                type: string
              resource:
                $ref: '#/components/schemas/FhirResource'
    OperationOutcome:
      type: object
      description: A FHIR OperationOutcome describing an error.
      properties:
        resourceType:
          type: string
          enum:
            - OperationOutcome
        issue:
          type: array
          items:
            type: object
            properties:
              severity:
                type: string
              code:
                type: string
              diagnostics:
                type: string
  securitySchemes:
    smartOnFhir:
      type: oauth2
      description: >-
        HL7 SMART App Launch OAuth 2.0 profile, used by the launcher's
        protected FHIR proxy. The open r4.smarthealthit.org sandbox requires
        no authentication; the Bulk Data server uses SMART Backend Services
        (client_credentials with a signed JWT assertion).
      flows:
        authorizationCode:
          authorizationUrl: https://launch.smarthealthit.org/v/r4/auth/authorize
          tokenUrl: https://launch.smarthealthit.org/v/r4/auth/token
          scopes:
            openid: OpenID Connect identity.
            fhirUser: Identity of the launching user as a FHIR resource.
            launch/patient: Request a patient in context at launch.
            patient/*.read: Read all resources for the patient in context.
            user/*.read: Read all resources the user can access.
            system/*.read: Backend services system-level read access.
        clientCredentials:
          tokenUrl: https://launch.smarthealthit.org/v/r4/auth/token
          scopes:
            system/*.read: Backend services system-level read access.
security:
  - smartOnFhir: []
  - {}