Publisert - 16.02.2026

SFM-id for multi-tenant clients

Context: Sentral forskrivningsmodul (SFM) uses the mechanism SFM-id for single-tenant clients using HelseID.

The functionality described in this document shows how a multi-tenant client can use this mechanism.

Submission of SFM-id

Clients (multi-tenant) can submit a structured claim in their request to HelseID. This claim can be sent either

  1. as a part of a Request object when making calls to the PAR endpoint (or the Authorization endpoint if the client has not yet adopted PAR), or
  2. as a part of client_assertion when making calls to the Token endpoint

The structured claim is composed as follows:

{
  "type": "nhn:sfm:journal-id",
  "value": {
     "journal_id": "1231231234-34213412-432423-4233"
  }
}

The value for type must always be nhn:sfm:journal-id, and the value for $.value.journal_id must be a UUID.

Note that the type nhn:sfm:journal-id uses a syntax with hyphens, while the claim journal_id uses a syntax with underscore.

Example call to HelseID

When submitting information in client_assertion to the Token endpoint, the client should replace the claim type authorization_details with assertion_details, but authorization_details will still be accepted. Please note that it is not acceptable to submit both authorization_details and assertion_details.

{
  "alg": "RS256",
  "kid": "B2C61A07EE0661237D19BEE1E0A1463C",
  "typ": "client-authentication+jwt"
}.{
  "authorization_details":
  [{
    "type":"helseid_authorization",
    "practitioner_role": {
      "organization": {
        "identifier": {
          "system":"urn:oid:1.0.6523",
          "type":"ENH",
          "value":"NO:ORGNR:972418013:974042436"
          }
       }
      }
  }],
  "sub": "f7cd1256-0526-4b5a-b4c3-f054c984ace8",
  "iat": "1716644273",
  "jti": "cf6a320674cf44cba9177ac6f84103a3",
  "nbf": 1716644273,
  "exp": 1716644333,
  "iss": "f7cd1256-0526-4b5a-b4c3-f054c984ace8",
  "aud": "https://helseid-sts.test.nhn.no"
}.[Signature]

When submitting information in the Request object, the client must use the authorization_details claim:

"authorization_details":
[{
    "type": "nhn:sfm:journal-id",
    "value": {
      "journal_id": "ed30a6a5-4834-40be-a32b-1e4f5217e378"
    }
 },
 {
   "type":"helseid_authorization",
   "practitioner_role":
   {
     "organization":
     {
       "identifier":
       {
         "system":"urn:oid:1.0.6523",
         "type":"ENH",
         "value":"NO:ORGNR:<consumer organization number>:<consumer child organization number>",
       }
    }
  }
}]

Claim in token

The claim from HelseID (in the Access token) looks like this:

{
  ...
  "nhn:sfm:journal-id" : "ed30a6a5-4834-40be-a32b-1e4f5217e378",
  ...
}

Error Messages

HelseID validates the values in the call to either the Token endpoint or the PAR endpoint, and will return HTTP code 400 (Bad Request) with error message invalid_request if the content is incorrect.

If the client does not have access to the scope nhn:sfm:journal-id, HelseID will return HTTP code 400 (Bad Request) with error message invalid_scope.

See the document Error Messages for descriptions of typical error messages from HelseID.

Søk i Utviklerportalen

Søket er fullført!