Authorization

In order to be authorized to use the service, the client must first be authenticated using HelseID. For more information on how to register a client for HelseID, see Selvbetjening.

HelseID

Either a DPoP token or a Bearer token from HelseID is required for authorization of organizations and health care personnel.

🚨 Authorization using a HelseID Bearer token will be phased out in the future and is not available on <public-url>/v2/ routes, where a HelseID DPoP token is required. We encourage all clients to migrate to DPoP as quickly as possible. Documentation on DPoP tokens can be found here.

Be sure to keep up to date with the upcoming changes to HelseID, which can be found here, such as updated requirements for pushed authorization requests (PAR) and demonstrating proof of possession (DPoP).

Claims

The client must perform a token refresh/exchange with HelseID to set the correct audience and scope for this service.

| Claim | Description | Comment |
| --- | --- | --- |
| scope | "nhn:pps/provesvar-read" | Optionally "nhn:pps/provesvar" or "nhn:nilar/api" (OBSOLETE) for bearer |
| aud | "nhn:pps" | Optionally "nhn:nilar" (OBSOLETE) for bearer |
| helseid://claims/identity/pid | Personal identifier of the requester | |
| helseid://claims/hpr/hpr_number | Health personnel number according to NHN's coding standard | |
| helseid://claims/identity/security_level | Which level of security is used. Possible values are 2, 3 or 4 | |
| helseid://claims/client/claims/orgnr_parent | Org. nr. at the top level (legal entity) | |
| helseid://claims/client/claims/orgnr_child | Org. nr. at the lower level (point of care) | |

Claims documentation for HelseID can be found here.

Read more about the concepts in the Selvbetjening docs.

Headers

| Name | Description | Required | Condition |
| --- | --- | --- | --- |
| Authorization: DPoP <helseid-dpop-token> | HelseID DPoP token. | Yes | Optional if using bearer authentication |
| DPoP: <dpop-proof> | HelseID DPoP proof. | Yes | Optional if using bearer authentication |
| Authorization: Bearer <helseid-token> | HelseID access token. | Yes | Optional if using DPoP authentication |
| person-id | Patient national identification number (fnr/dnr). | Yes | |
| correlation-id | Required for requests with a body (POST/PUT). | Yes | |
| access-basis | Basis for access (grunnlag/tjenstlig behov, see section access-basis). | No | Disallowed if the user is verifikasjonspersonell or saksbehandler |
| requester-hpr-role | Requester's HPR role, e.g. "LE" (Lege) or "AA" (Ambulansearbeider), see section requester-hpr-role. | No | |
| grunnlag | (OBSOLETE) | No | |

access-basis

Which basis for access (grunnlag/tjenstlig behov) the user has for accessing the data. Only to be used for the requesting health professional. A "Forhøyet" (elevated) value must be used when requesting access to data to which the patient has restricted access (sperring).

FORHOYET_SAMTYKKE and FORHOYET_AKUTT should only be used to access existing data that is not accessible with the other access-basis values. Using either when no additional data would be returned causes the request to fail.

| Value | Use case |
| --- | --- |
| UNNTAK | Use for persons who do not need to obtain consent from the patient, e.g. a general practitioner (fastlege). |
| SAMTYKKE | The user has obtained consent from the patient to see data. |
| FORHOYET_SAMTYKKE | The patient has given consent to open restricted data (sperring). |
| AKUTT | Use in an emergency situation where the patient is unable to give consent. |
| FORHOYET_AKUTT | Opens restricted data (sperring) in an emergency situation where the patient is unable to give consent. |
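As an added example (not NHN documentation or NHN code), the following gate check applies the rules from the Claims, Headers and access-basis sections above to an already-parsed request: the Bearer/DPoP scheme rule for /v2/ routes, the required headers, the accepted access-basis values, and the audience, scope and security_level claims. It assumes the caller has already verified the token's signature and passes the decoded claims in; the rule that access-basis is disallowed for verifikasjonspersonell/saksbehandler is not modelled because the page does not say which claim carries that role, and the sample request is constructed.

```python
"""Gate-check a request against the HelseID rules on this page (added example, not NHN code).

`claims` is the decoded payload of a token whose signature the caller has ALREADY verified;
no JWT verification is done here (assumption). Header names are matched case-insensitively.
"""

REQUIRED_AUD = "nhn:pps"                                             # "nhn:nilar" is obsolete
ACCEPTED_SCOPES = {"nhn:pps/provesvar-read", "nhn:pps/provesvar"}  # "nhn:nilar/api" is obsolete
ACCESS_BASIS_VALUES = {"UNNTAK", "SAMTYKKE", "FORHOYET_SAMTYKKE", "AKUTT", "FORHOYET_AKUTT"}
SECURITY_LEVELS = {"2", "3", "4"}


def check_request(method: str, path: str, headers: dict, claims: dict) -> list[str]:
    """Return the list of violations; an empty list means the request passes the gate."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    scheme, _, _token = h.get("authorization", "").partition(" ")
    if scheme == "DPoP":
        if "dpop" not in h:                       # a DPoP token must travel with its proof
            problems.append("DPoP scheme requires a DPoP proof header")
    elif scheme == "Bearer":
        if path.startswith("/v2/"):               # Bearer is being phased out; not allowed on v2
            problems.append("Bearer tokens are not accepted on /v2/ routes; DPoP is required")
    else:
        problems.append("Authorization header must use the DPoP or Bearer scheme")
    if "person-id" not in h:
        problems.append("person-id header is required")
    if method.upper() in ("POST", "PUT") and "correlation-id" not in h:
        problems.append("correlation-id header is required for requests with a body")
    if "grunnlag" in h:
        problems.append("grunnlag header is obsolete; use access-basis")
    basis = h.get("access-basis")
    if basis is not None and basis not in ACCESS_BASIS_VALUES:
        problems.append(f"unknown access-basis value {basis!r}")
    # Token claims: the client must have refreshed/exchanged the token for this audience and scope.
    aud = claims.get("aud")                        # JWT "aud" may be a string or a list
    if REQUIRED_AUD not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"token audience must be {REQUIRED_AUD!r}")
    if not set(str(claims.get("scope", "")).split()) & ACCEPTED_SCOPES:
        problems.append("token lacks an nhn:pps scope")
    if str(claims.get("helseid://claims/identity/security_level")) not in SECURITY_LEVELS:
        problems.append("security_level claim must be 2, 3 or 4")
    return problems


if __name__ == "__main__":
    # Constructed sample, not real data: a Bearer call to a /v2/ route with no correlation-id.
    hdrs = {"Authorization": "Bearer <token>", "person-id": "<fnr>", "access-basis": "SAMTYKKE"}
    cl = {"aud": "nhn:pps", "scope": "nhn:pps/provesvar-read", "helseid://claims/identity/security_level": "4"}
    print(check_request("POST", "/v2/provesvar", hdrs, cl))
```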

requester-hpr-role

The role of the requesting health professional. The list of possible roles can be found by searching for code 9060 on FinnKode.

Note that the allowed roles might in the future be restricted to a subset of the complete list of roles.

The header should be set to the short-form code, e.g. requester-hpr-role: SP.