
How to Enhance App Security with Managed Authentication Service

June 22, 2023

TL;DR ZapEHR provides a comprehensive suite of hosted services for health tech and EHR builders, including application management and sophisticated configuration of access control policies down to individual resources.

Last week we released Zap Apps, a ZapEHR service vital for building user-facing healthcare apps.

ZapEHR’s APIs provide you a compliant backend out of the box so you can build better, faster. To invoke ZapEHR APIs securely, users need to authenticate so your application knows who they are and what they are authorized to do. When users log into your ZapEHR Application, they receive a token that represents their identity when calling ZapEHR’s APIs.

Every user and role in your ZapEHR project has its ZapEHR API access constrained by Access Policies that you configure. For example, you might use Access Policies to constrain a patient’s account such that it can only fetch data directly related to that patient (using the FHIR Patient Compartment).

Example

PM Pediatric Care uses the ZapEHR App Service to secure their Behavioral Health Intake Dashboard. When you first navigate to the Dashboard, you are sent to this login page on auth.zapehr.com:

A screenshot of a login page with the text "Log in to PM Behavioral Health EHR" and text inputs for email and password. There is a button labelled "Forgot password?".

After logging in, Dashboard users are brought to this page, which calls ZapEHR’s FHIR APIs with the user’s auth token. By leveraging ZapEHR’s FHIR APIs, the PM Pediatric Care development team is building sophisticated medical applications without the expense of building a proprietary backend.

A screenshot of an Electronic Health Record website. The navigation bar has the options "Appointments" and "Patients", and the user is on the Appointments page. This page has a list of appointments with the information: patient name, patient date of birth, appointment date, status such as booked, and created date.

Why use ZapEHR Applications?

To use ZapEHR’s APIs from your web and native apps, you first secure them with ZapEHR’s App service. ZapEHR’s authorization is built to the industry-standard OAuth 2.0 specification, providing your application with the highest level of security. In just a few clicks or API calls, you can enable multi-factor authentication for your ZapEHR Applications. You won’t need to build or find your own auth platform — it can be configured using ZapEHR’s APIs and a few lines of code.

Setting up ZapEHR Applications

  1. Call the Project API Create Application endpoint to create a ZapEHR Application.
  2. Add authentication to your web or native application. There are two options:

Use our hosted login screens. Here’s an example using Auth0’s React library to easily drop in a secure workflow:

<Auth0Provider
   domain="https://auth.zapehr.com"
   clientId="YOUR_CLIENT_ID_HERE"
   audience="https://api.zapehr.com"
   redirectUri="https://example.com"
> ...

This is the quickest way to add authentication to your application, as the hosted authentication app provides screens for logging in, resetting passwords, two-factor authentication, and signing up.

Build your own auth pages. You can implement the OAuth 2.0 authorization code flow with PKCE yourself by calling the Auth0 /authorize and /oauth/token endpoints on auth.zapehr.com.

  3. Invite users with the Project API Invite User endpoint.
  4. Invited users can log in to the Application with credentials set from their invite email.

Settings for Applications can be configured, such as:

  • Setting a logo on the provided (but optional) core login screen
  • Security options including the URL to redirect users to, allowed callback URLs, and allowed CORS origins
  • Passwordless auth using SMS, enabling users to authenticate by entering a verification code that we send to their phone
  • Requiring multi-factor authentication (MFA)

The ZapEHR console has pages for managing Applications.

A page on the zapEHR Console for listing Applications. It has one application named "test".
An Application page on the zapEHR Console. It includes the read-only fields "zapEHR ID", "Client ID", and editable fields "Name", "Description", "Login Redirect URI", "Allowed Callback URLs".

With ZapEHR’s App service launch, you can get started building user-facing apps on the ZapEHR platform. Beta users are already building EHR apps to manage intake workflows, and lightweight RCM products to post insurance claims to clearinghouses and manage their resolution.

If you have any questions, you can email us or join our Slack.
