How to implement SMART on FHIR authentication with Topology Health

Rebeca Sarai
May 29, 2025

Imagine a patient trying to access their health records across multiple providers: Epic here, Cerner there, each requiring separate logins, different interfaces, and hours of frustration. This fragmented experience has plagued healthcare for years, but it doesn't have to. Topology Health provides specialized automated services that eliminate the lengthy manual configuration and connection steps needed for Electronic Medical Record/Electronic Health Record (EMR/EHR) integration.

Among Topology Health's products is the SMARTerFHIR library, a toolkit for interacting with FHIR servers and implementing SMART on FHIR applications. Today, we're excited to demonstrate how to use Topology Health on Mobile to seamlessly connect patients with their healthcare data through a secure, standards-based approach.

Topology mobile in action

This transformation isn't just theoretical; let's see it in practice. In this example, we use the SMARTerFHIR toolkit to integrate a mobile application with Epic to display patient information. Users log into their healthcare provider's system through a secure authentication process and instantly gain access to their health information, including:

  • Conditions and Practitioners;
  • Health goals;
  • Diagnostic reports;
  • Upcoming appointments;
  • Health metrics;
  • Medications.

All information being displayed in the demo comes directly from Epic, as you can verify by checking their sandbox test data. When we log in with different users, we see different types of data, demonstrating how the same application adapts to each patient's unique health profile.

Technical implementation highlights

So how does this seamless experience actually work? Behind the intuitive interface lies a sophisticated technical architecture built on industry standards and enhanced for mobile security.

The power of SMART on FHIR authentication

At the heart of Topology Health is the SMART on FHIR authentication system. This provides a standard way for healthcare applications to securely access electronic health records. Our implementation uses a SMART Client, which simplifies the process of connecting to various Electronic Medical Record systems like Epic and Cerner.

User authentication experience

When a patient opens Topology Mobile, they're presented with a clean, intuitive interface that guides them through the authentication process:

  1. The user taps "Login with Epic" (or another supported EMR provider)
  2. They're securely redirected to their healthcare provider's authentication page
  3. After entering their credentials and authorizing the application, they're seamlessly returned to Topology Mobile
  4. The app securely retrieves and displays their health information

Behind the scenes, our SMARTerFHIR toolkit handles all the complexity of the OAuth2 flow, token management, and FHIR API interactions, ensuring a smooth experience for both developers and end-users.

FHIR mobile authentication tutorial

While the user experience appears simple, the technical implementation required solving a significant challenge that has limited mobile healthcare applications.

The challenge: mobile authentication for healthcare

The SMARTerFHIR toolkit doesn't natively support mobile authentication. Mobile applications present unique security concerns: they are public clients that cannot keep a client secret, and they run on potentially insecure devices and networks. That makes the standard OAuth 2.0 authorization code flow, on its own, insufficient for protecting sensitive health data.

Our solution: OAuth2 PKCE for FHIR authentication

We extend the SMART on FHIR authentication process for mobile applications using OAuth 2.0 with PKCE (Proof Key for Code Exchange). PKCE adds an extra security layer that prevents authorization code interception attacks, which is critical for healthcare applications handling sensitive data.

The following diagram illustrates the complete SMART on FHIR authentication process implemented in our mobile application. The process begins with the app generating a code verifier and challenge, proceeds through user authentication at their healthcare provider, and concludes with secure API access to their health data.

On the technical side, our custom implementation extends the SMART client of the SMARTerFHIR library and includes:

  • PKCE Authentication Support: Topology Mobile implements the Proof Key for Code Exchange (PKCE) protocol, adding an extra layer of security to the OAuth2 authorization flow and protecting against authorization code interception attacks.
  • Smart Launch Handler: a SmartLaunchHandlerNative class that manages the SMART authorization process on mobile devices.
  • Client Factory: a ClientFactoryNative class that creates the appropriate EMR client and handles the token exchange using the PKCE code verifier on mobile devices.
  • Location Polyfill: a polyfill that handles browser-like navigation in React Native.

Together, these components create a robust, secure authentication system that maintains patient privacy while leveraging the full spectrum of EMR integration capabilities offered by the toolkit.

Next steps on mobile health apps

Topology Mobile demonstrates the potential for mobile applications to transform healthcare delivery and patient engagement. By combining secure authentication with comprehensive health data access, we're creating a platform that benefits patients, providers, and developers alike.

Want to implement SMART on FHIR authentication in your mobile app?
Explore our GitHub repository and try it out!