Medtech ALEX® Implementation Guide
0.0.1 - draft
Medtech ALEX® Implementation Guide
0.0.1 - draft
Medtech ALEX® Implementation Guide - Local Development build (v0.0.1) built by the FHIR (HL7® FHIR® Standard) Build Tools. See the Directory of published versions
This document covers the Authentication process, Request Message details and Error Messages that will be required to integrate with Medtech’s FHIR® API Solution (ALEX).
In order for a vendor application to make requests to the Medtech FHIR® API, a valid access token must be included in the requests. To obtain an access token, an authentication request is made to the identity provider service and the returned access token is then included in the headers of subsequent requests to the Medtech FHIR® API.
To obtain an access token an authentication request is sent to the identity provider.
Medtech uses the following Microsoft Azure AD identity provider across all environments:
https://login.microsoftonline.com/8a024e99-aba3-4b25-b875-28b0c0ca6096/oauth2/v2.0/token
A request needs to be made to the identity provider /token endpoint to request an access_token.
Example Request:
curl --request POST 'https://login.microsoftonline.com/8a024e99-aba3-4b25-b875-28b0c0ca6096/oauth2/v2.0/token'\
--form 'Client_id="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"' \
--form 'Client_secret="xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"' \
--form 'Grant_type="client_credentials"' \
--form 'Scope="api://bf0c0db0-08e7-4ed8-bb85-8d5676869424/.default"'
| Form value | Example | Description |
|---|---|---|
| client_id | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx | Unique identifier of the vendor application. Provided to the vendor by Medtech. |
| client_secret | xxxxxxxxxxxxxxxxxxxxxxxxxxxxx | Secret associated with above unique identifier. Provided to the vendor by Medtech. |
| scope | api://bf0c0db0-08e7-4ed8-bb85-8d5676869424/.default | Unique identifier of the Medtech FHIR® API. Provided to the vendor by Medtech. |
| grant_type | client_credentials | This is the only supported grant type |
Example Response:
If the request was accepted, the identity provider will provide a response containing the access token. The access token can now be used to make requests to the Medtech FHIR® API.
{
"token_type": "Bearer",
"expires_in": 3599,
"ext_expires_in": 3599,
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVPZjlQNUY5Z0NDd0NtRjJCT0hIeEREUS1EayIsImtpZCI6IjVPZjlQNUY5Z0NDd0NtRjJCT0hIeEREUS1EayJ9.eyJhdWQiOiJhcGk6Ly9iZjBjMGRiMC0wOGU3LTRlZDgtYmI4NS04ZDU2NzY4Njk0MjQiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC84YTAyNGU5OS1hYmEzLTRiMjUtYjg3NS0yOGIwYzBjYTYwOTYvIiwiaWF0IjoxNjA5ODg5OTUxLCJuYmYiOjE2MDk4ODk5NTEsImV4cCI6MTYwOTg5Mzg1MSwiYWlvIjoiRTJKZ1lIQTBtbVlwdHZuenBUbVMvN1k5WFhEMEh3QT0iLCJhcHBpZCI6IjU4OWI5ZTdmLTQ0M2QtNGEyOS1hOTg0LThmOWU5OGM3NjZiMyIsImFwcGlkYWNyIjoiMSIsImlkcCI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzhhMDI0ZTk5LWFiYTMtNGIyNS1iODc1LTI4YjBjMGNhNjA5Ni8iLCJvaWQiOiJhMDBjMjJkZi04MzFhLTRmZmYtYjkwMy00MGEyOTdlZjQ1MzAiLCJyaCI6IjAuQUFBQW1VNENpcU9ySlV1NGRTaXd3TXBnbG4tZW0xZzlSQ2xLcVlTUG5wakhack5uQUFBLiIsInJvbGVzIjpbIlBhdGllbnQuUmVhZCJdLCJzdWIiOiJhMDBjMjJkZi04MzFhLTRmZmYtYjkwMy00MGEyOTdlZjQ1MzAiLCJ0aWQiOiI4YTAyNGU5OS1hYmEzLTRiMjUtYjg3NS0yOGIwYzBjYTYwOTYiLCJ1dGkiOiJPaWdMRVJmcUNrcVV6LUswMVZzWkFRIiwidmVyIjoiMS4wIn0.PeymJWgxMJFhqFzjqQjz89kblMUhAqLs0x996w3CukzTZEUb6W2gvXa0zIP-1_WayIsvQzGPrWH77BwLAMwr_xA3UuLVIcx34wHlCscCHfwpFWWiLkISAD6W6yal8SjAQSb5YLIt37HOyj4lBMviEN5W_GtGPXfBsW35XZzNwIiXU_xqxEAZ9HXp1kVyHZgJAirNxOhWveGsj2zCM56LKW-eZvl- LzlJquWOaR6W3EsRvd2aeuqVhHmSG2PXwvivUeD9LxVb _voI9B0Bymunc1BaK50AcvAg Wl5ULVFvaJ6UljsAUl22e97izWZ-fDNk8SzrBOjvI4U6JLfUeNQaoQ"
}
The access_token which was obtained from the identity provider can now be used to make authenticated requests to the Medtech FHIR® API.
Depending on which environment is being accessed e.g. UAT / PRODUCTION, the host name will vary. The Authorization header should now be added to every request, with the value of the access token prefixed by "Bearer ".
| Request header | Example | Description |
|---|---|---|
| Authorization | Bearer xxxxxxxxxxx | (Required) JWT, issued by AAD, required for every request |
| Content-Type | application/fhir+json | (Required) Content format |
| mt-facilityid | 1234556 | (Required) Facility ID for which the request is intended |
| mt-correlationid | 832b611a-7da9-11ee-b962-0242ac120002 | Correlation ID for debugging and tracing requests. This should be set to a guid that the API consumer has knowledge of |
| Environment | Audience | API Endpoint URL |
|---|---|---|
| UAT (Sandbox) | Vendors for Development and Test | https://alexapiuat.medtechglobal.com/FHIR |
| Production | Vendors for Production use | https://alexapi.medtechglobal.com/FHIR |
To make requests to these environments, a static IP address must be provided as part of the onboarding process. Requests to the API must come from a known IP address in the allowlist to be accepted.