Authentication

MediBridgeX secures all endpoints using the OAuth 2.0 Client Credentials grant type. This server-to-server flow ensures that integration layers (like EHRs or custom middleware) can securely request short-lived JSON Web Tokens (JWTs) without user intervention.

The JWT Lifecycle

Tokens are cryptographically signed using RS256 and have a maximum lifetime of 1 hour (3600 seconds). We strongly advise implementing token caching and proactive refresh logic in your API clients to minimize latency associated with the token endpoint.
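The caching and proactive-refresh advice above, as an added Go example that is not MediBridgeX client code: a small token cache that re-fetches once a token is within a configurable margin of its expiry, and keeps serving the still-valid cached token if the token endpoint is briefly unreachable. The HTTP POST to the token endpoint is replaced by an injected stub (constructed for this example); the Token and TokenCache names, the 5-minute margin and the expires_in sanity check are assumptions of this example, not documented MediBridgeX behaviour.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Token holds the two fields of an OAuth 2.0 token response (RFC 6749 §5.1)
// that a client-credentials caller needs.
type Token struct {
	AccessToken string
	ExpiresIn   time.Duration
}

// TokenSource obtains a fresh token. In production it would POST
// grant_type=client_credentials with the client_id/client_secret to the
// MediBridgeX token endpoint; it is injected so the cache runs offline here.
type TokenSource func() (Token, error)

// TokenCache hands out a cached token and refreshes it proactively once less
// than refreshMargin of its lifetime remains, so a request is never sent with
// a token that could expire in flight.
type TokenCache struct {
	mu            sync.Mutex
	source        TokenSource
	clock         func() time.Time
	refreshMargin time.Duration
	token         Token
	expiresAt     time.Time
	fetches       int
}

// NewTokenCache takes the clock as a parameter so tests can simulate time.
func NewTokenCache(src TokenSource, margin time.Duration, clock func() time.Time) *TokenCache {
	return &TokenCache{source: src, refreshMargin: margin, clock: clock}
}

// Get returns a token that stays valid for at least refreshMargin from now.
func (c *TokenCache) Get() (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	now := c.clock()
	if c.token.AccessToken != "" && now.Add(c.refreshMargin).Before(c.expiresAt) {
		return c.token.AccessToken, nil // cached and not yet inside the refresh window
	}
	tok, err := c.source()
	if err != nil {
		// Token endpoint unreachable: keep serving the old token while it is
		// still valid rather than failing every API call immediately.
		if c.token.AccessToken != "" && now.Before(c.expiresAt) {
			return c.token.AccessToken, nil
		}
		return "", fmt.Errorf("token refresh failed: %w", err)
	}
	// Sanity-check expires_in against the documented 1-hour maximum lifetime.
	if tok.ExpiresIn <= 0 || tok.ExpiresIn > time.Hour {
		return "", errors.New("token endpoint returned an implausible expires_in")
	}
	c.token, c.expiresAt, c.fetches = tok, now.Add(tok.ExpiresIn), c.fetches+1
	return tok.AccessToken, nil
}

// Fetches reports how many times the token endpoint was called.
func (c *TokenCache) Fetches() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.fetches
}

func main() {
	// Constructed stand-in for the token endpoint; real code does an HTTP POST.
	calls := 0
	stub := func() (Token, error) {
		calls++
		return Token{AccessToken: fmt.Sprintf("constructed-token-%d", calls), ExpiresIn: time.Hour}, nil
	}
	cache := NewTokenCache(stub, 5*time.Minute, time.Now)
	for i := 0; i < 3; i++ {
		tok, err := cache.Get()
		fmt.Println(tok, err)
	}
	fmt.Println("token endpoint calls:", cache.Fetches()) // 1: repeats were served from cache
}
```

The margin should be larger than the slowest request you expect to make with the token, and the fallback branch is deliberately narrow: once the cached token has actually expired, callers get an error rather than a token the gateway will reject.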

Decoded JWT Payload

{
  "iss": "https://auth.medibridgex.com",
  "sub": "client_8f92a4bc",
  "aud": "api.medibridgex.com",
  "exp": 1698403200,
  "iat": 1698399600,
  "scopes": ["fhir:read", "fhir:write", "audit:read"]
}

Scope Management

Access is heavily siloed based on scopes. If your token lacks the necessary scope for an operation (e.g., attempting a POST to /Patient with only fhir:read), the gateway will immediately terminate the request with a 403 Forbidden and log an access violation in your audit trail.
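As an added example that is not part of the MediBridgeX gateway or its documentation, here is a Go sketch of the two steps that precede a scope decision: RS256 verification of the token using only the standard library, with the alg pinned and iss, aud and exp validated against the payload fields shown above, followed by the scope check that produces the 403 and the audit-trail line. Sign, Verify and Authorize are names chosen for this example; the method-to-scope mapping (GET needs fhir:read, anything else fhir:write) and the audit-line format are assumptions, and the RSA key is generated locally as a stand-in for the MediBridgeX signing key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims mirrors the decoded payload shown in the documentation.
type Claims struct {
	Iss    string   `json:"iss"`
	Sub    string   `json:"sub"`
	Aud    string   `json:"aud"`
	Exp    int64    `json:"exp"`
	Iat    int64    `json:"iat"`
	Scopes []string `json:"scopes"`
}

const issuer, audience = "https://auth.medibridgex.com", "api.medibridgex.com"

// Sign mints a compact RS256 JWT so the example can run offline; integrators
// get real tokens from the token endpoint and never sign their own.
func Sign(priv *rsa.PrivateKey, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// Verify pins alg to RS256, checks the signature over header.payload, then
// validates iss, aud and exp (now is a Unix time) before returning claims.
func Verify(pub *rsa.PublicKey, token string, now int64) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" {
		return c, fmt.Errorf("unsupported alg %q", hdr.Alg) // rejects alg=none and HS256 key confusion
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, fmt.Errorf("invalid signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(body, &c); err != nil {
		return c, err
	}
	if c.Iss != issuer || c.Aud != audience {
		return c, fmt.Errorf("issuer or audience mismatch")
	}
	if now >= c.Exp {
		return c, fmt.Errorf("token expired")
	}
	return c, nil
}

// Authorize applies the scope rule: 200 means the gateway may forward the request,
// 403 means it is terminated with an audit line. The scope mapping is assumed.
func Authorize(c Claims, method, path string) (int, string) {
	need := "fhir:write"
	if method == "GET" {
		need = "fhir:read"
	}
	for _, s := range c.Scopes {
		if s == need {
			return 200, fmt.Sprintf("ALLOW sub=%s %s %s scope=%s", c.Sub, method, path, need)
		}
	}
	return 403, fmt.Sprintf("ACCESS_VIOLATION sub=%s %s %s missing_scope=%s", c.Sub, method, path, need)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key standing in for the MediBridgeX signing key
	tok, _ := Sign(priv, Claims{Iss: issuer, Sub: "client_8f92a4bc", Aud: audience, Exp: 1698403200, Iat: 1698399600, Scopes: []string{"fhir:read"}})
	c, _ := Verify(&priv.PublicKey, tok, 1698399700) // a "now" inside the token's lifetime
	fmt.Println(Authorize(c, "POST", "/Patient"))   // 403 ACCESS_VIOLATION ... missing_scope=fhir:write
}
```

The order matters: the alg pin and signature check come before any claim is read, and the scope check only ever sees claims that passed verification, so a token with the right scopes but a bad signature, wrong audience or past exp never reaches the authorization step.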

Security Notice

Never commit your client_secret to version control. If a secret is compromised, rotate it immediately in the Developer Dashboard. Tokens that were issued using the revoked secret are invalidated immediately through our distributed cache.