Enhance App Security with ZapEHR's Managed Authentication Service: Introducing The App Service

June 22, 2023

Last week marked the release of Zap Apps, a service provided by zapEHR that plays a crucial role in the development of user-facing healthcare applications. What sets Zap Apps apart is its ability to provide compliant backend APIs right out of the box, empowering developers to build healthcare apps with enhanced speed and quality.

Calling zapEHR APIs securely requires that the user first authenticate. When a user logs into your zapEHR Application, they receive an authentication token that identifies them on every call to zapEHR's APIs, so that your application can confirm they are authorized to access the requested resources.

A notable feature of zapEHR is its Access Policies, which allow you to configure API access constraints for every user and role within your zapEHR project. For instance, Access Policies can be employed to restrict a patient's account so that they can only retrieve data directly related to them, leveraging the FHIR Patient Compartment.

An example of zapEHR in action involves PM Pediatric Care, which utilizes the zapEHR App Service to secure their Behavioral Health Intake Dashboard. Upon visiting the dashboard, users are directed to a login page hosted on After successful authentication, users are seamlessly brought to a page that interacts with zapEHR's FHIR APIs, utilizing the user's auth token. By leveraging zapEHR's powerful FHIR APIs, the PM Pediatric Care development team can construct sophisticated medical applications without incurring the cost and effort of building a proprietary backend.

A screenshot of a login page with the text "Log in to PM Behavioral Health EHR" and text inputs for email and password. There is a button labeled "Forgot password?".

So, what advantages does Zap Apps offer? Firstly, zapEHR's authorization system is built to conform to the industry-standard OAuth 2.0 specification, providing your application with a high level of security. Additionally, enabling multi-factor authentication for your zapEHR Applications is a breeze, requiring just a few clicks or API calls. You no longer need to invest time and resources into developing or searching for your own authentication platform; everything can be seamlessly configured using zapEHR's APIs and a few lines of code.

Setting up zapEHR Applications involves utilizing the Project API Create Application endpoint to create your desired application. Adding authentication to your web or native application can be achieved in two ways. Firstly, you can utilize zapEHR's hosted login screens, which provide a secure workflow.

Alternatively, you have the option to build your own authentication pages by implementing the OAuth 2.0 authorization code with PKCE flow, making use of endpoints such as Auth0's /authorize and /oauth/token on

Once your application is ready, you can invite users to log in using the Project API Invite User endpoint. Invited users can easily access the application with the credentials provided in their invite email. Additionally, you have the flexibility to configure various settings for your applications, including setting a logo on the core login screen, defining security options such as redirect URLs, allowed callback URLs, and allowed CORS origins. Moreover, features like passwordless authentication using SMS, enabling users to authenticate by entering a verification code sent to their phone, as well as requiring multi-factor authentication (MFA) can be easily implemented.

For convenient management of your applications, the zapEHR console provides dedicated pages where you can list and configure the properties of your applications. This centralized console streamlines the administration process.

With the launch of zapEHR's App service, you can now embark on building exceptional user-facing apps on the zapEHR platform. Beta users have already begun creating Electronic Health Record (EHR) apps to efficiently manage intake workflows. Additionally, lightweight Revenue Cycle Management (RCM) products have been developed to handle tasks such as posting insurance claims to clearing houses and managing claim resolution. The possibilities are limitless with zapEHR's App service, and it's an exciting time to explore and utilize its potential.

Want to read the full article? Click here to visit our Substack.


Our new behavioral health intake application, built on zapEHR, allowed us to build a solution that is customized for our use including scheduling, insurance validation, and direct integration with our eClinicalWorks EHR.

Mordechai Raskas

Chief Medical Information Officer at PM Pediatric Care