SMART on FHIR Provider App: Not getting access token

I am creating a standalone provider-facing app (not connected to an EHR) that needs to pull patient data (only need USCDI data for now). I am trying to use SMART on FHIR to pull this patient data.

My code looks like:

```typescript
import FHIR from "fhirclient"

// Start the SMART authorization flow
FHIR.oauth2.authorize({
     'client_id': {client_id},
     'scope':  'launch launch/patient patient/read offline_access',
     'redirect_uri': {app_url},
     'iss': ''
});

// After the redirect back to the app, read the token from the client state
FHIR.oauth2.ready().then((client) => {
     const accessToken: string = client.state?.tokenResponse?.access_token ?? "";
     doRequests(accessToken);
});

async function doRequests(accessToken: string) {
     const patientID: string = "egqBHVfQlt4Bw3XGXoxVxHg3"; // Testing with sample patient from Epic's sandbox test data
     var obs = await fetch("" + patientID, {
          headers: {
               "Accept": "application/json+fhir",
               "Authorization": "Bearer " + accessToken
          }
     }).then(function (data) {
          return data
     });
}
```

I am logging in using the provider test data provided by Epic (i.e. username = FHIR, password = EpicFhir11!).

However, the entire “client.state.tokenResponse” object returned in the “FHIR.oauth2.ready” function is empty. Because I don’t have an accessToken, the fetch inside of doRequests is returning a 401 error (unauthorized status code).

How do I authorize the app properly so that it returns an accessToken properly and I can fetch patient data?

Thanks for all your help!

Have you tried reaching out to

Yeah, I have. They said they can’t help :frowning:

Hey mj23,

  1. Does fhirclient.js’s data model really place the tokenResponse in a “state” object? I don’t know because I haven’t used this library, but that seems weird. state is returned to the app as part of the /token response (alongside the access_token). The best place to ask for help with this open source library is the SMART on FHIR Google group:

  2. You should compare your http request to /token against published documentation, including the spec: HL7.FHIR.UV.SMART-APP-LAUNCH\App Launch: Launch and Authorization - FHIR v4.0.1, but different FHIR servers often have fairly thorough OAuth2 documentation as well.

  3. Try running the same code against another sandbox, like logica or smarthealthit to verify that it’s not a problem in your code.
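
For point 2 in the reply above, one way to compare each step of a standalone launch against the SMART App Launch spec, as an added example that is not part of the thread and not fhirclient's own code. The function names and all sample values are constructed for illustration; the parameter names (`grant_type`, `code`, `redirect_uri`, `client_id`, `code_verifier`, `state`, `access_token`, `token_type`, `scope`, `patient`) are the ones the spec defines.

```javascript
// Added example: helper names are hypothetical, values are constructed.

// Form body for the authorization-code exchange sent to /token (public client).
function buildTokenRequestBody({ code, redirectUri, clientId, codeVerifier }) {
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri, // must equal the redirect_uri sent to /authorize
    client_id: clientId,       // public apps identify themselves in the body
  });
  if (codeVerifier) body.set("code_verifier", codeVerifier); // PKCE
  return body.toString();
}

// Check the redirect back from /authorize before exchanging the code.
// A state mismatch means the response does not belong to this session.
function checkAuthorizeRedirect(redirectUrl, expectedState) {
  const q = new URL(redirectUrl).searchParams;
  const problems = [];
  if (q.get("error")) problems.push("authorize error: " + q.get("error"));
  if (!q.get("code")) problems.push("no code parameter");
  if (q.get("state") !== expectedState) problems.push("state mismatch");
  return problems;
}

// Check the JSON body returned by /token against what was requested.
function checkTokenResponse(json, requestedScope) {
  const r = json || {};
  const problems = [];
  if (typeof r.access_token !== "string" || r.access_token === "")
    problems.push("missing access_token");
  if (String(r.token_type).toLowerCase() !== "bearer")
    problems.push("token_type is not Bearer");
  const requested = requestedScope.split(/\s+/).filter(Boolean);
  const granted = new Set(String(r.scope || "").split(/\s+/).filter(Boolean));
  for (const s of requested)
    if (!granted.has(s)) problems.push("scope not granted: " + s);
  if (requested.includes("launch/patient") && !r.patient)
    problems.push("no patient context in response");
  return problems;
}
```

A server may grant fewer scopes than requested, so the scope entries are a diagnostic to read alongside the server's OAuth2 documentation rather than a hard failure.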