Authentication

FHIRfly supports multiple authentication methods to fit different use cases.

Authentication Methods

API Keys (Simple Credentials)

The simplest way to authenticate. Create an API key in your dashboard and include it in the x-api-key header.

curl -X GET "https://api.fhirfly.io/v1/ndc/0069-0151-01" \
  -H "x-api-key: ffly_sk_live_abc123..."

Creating an API Key

1. Go to Dashboard → Credentials
2. Click Create Credential
3. Select Simple (API Key)
4. Choose your scopes (e.g., ndc.read, npi.read)
5. Copy your API key (shown only once!)

API Key Format

ffly_sk_live_abc123...  # Production key
ffly_sk_test_abc123...  # Test/sandbox key

OAuth2 Client Credentials

For enterprise applications that need short-lived tokens and stricter security.

1. Create a Secure Credential

Create a Secure credential in your dashboard to get a client_id and client_secret.

2. Exchange for Access Token

curl -X POST "https://api.fhirfly.io/oauth2/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "scope=ndc:read npi:read"

3. Use the Access Token

curl -X GET "https://api.fhirfly.io/v1/ndc/0069-0151-01" \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1..."

Token Lifetime

• Access tokens expire after 1 hour
• Request a new token when expired
• No refresh tokens for client credentials flow

MCP (Model Context Protocol)

Connect FHIRfly directly to AI assistants like Claude Desktop.

See MCP Integration for setup instructions.

Scopes

Scopes control what data your credential can access:

Security Best Practices

1. Never expose API keys in client-side code - Use server-side requests only
2. Rotate keys regularly - Use the dashboard to rotate compromised keys
3. Use minimal scopes - Only request the scopes you need
4. Monitor usage - Check your dashboard for unusual activity