Authorization
In order to be authorized to use the service the client must first be authenticated using HelseID. For more information on how to register a client for HelseID, see Selvbetjening.
HelseID
A HelseID access token is required for authorization of organization and health care personnel.
Claims
The client must do a token refresh/exchange with HelseID to set correct audience and scope for this service.
Claim | Description |
---|---|
scope | "nhn:pps/provesvar" or "nhn:nilar/api" (OBSOLETE) |
aud | "nhn:pps" or "nhn:nilar" (OBSOLETE) |
helseid://claims/identity/pid | Personal identifier of the requester |
helseid://claims/hpr/hpr_number | Health personnel number according to NHN’s coding standard |
helseid://claims/identity/security_level | What level of security is used. Possible values are 2, 3 or 4 |
helseid://claims/client/claims/orgnr_parent | Org. nr. at the top level (legal entity) |
helseid://claims/client/claims/orgnr_child | Org. nr. at the lower level (point of care) |
Claims documentation for HelseID can be found here.
Documentation on setting a single audience can be found here.
Headers
Name | Description | Required |
---|---|---|
Authorization: Bearer | HelseID access token. | Yes |
person-id | Patient national identification number (fnr/dnr). | Yes |
correlation-id | Required for requests with body (POST/PUT). | Yes |
access-basis | Basis for access (grunnlag/tjenstlig behov, see section access-basis). | No |
requester-hpr-role | Requester's HPR role, e.g. "LE" (Lege), "AA" (Ambulansearbeider), see section hpr-role. | No |
grunnlag (OBSOLETE) | | No |
access-basis
The basis for access (grunnlag/tjenstlig behov) under which the user gets access to data. "Forhøyet" must be used when requesting data to which the patient has restricted access (sperring).
Value | Use case |
---|---|
UNNTAK | Use for persons who do not have to get consent from the patient, e.g. general practitioner (fastlege). |
SAMTYKKE | The user has gotten consent from the patient to see data. |
FORHOYET_SAMTYKKE | The patient has given consent to open restricted data (sperring). |
AKUTT | Use when in an emergency situation where the patient is unable to give consent. |
FORHOYET_AKUTT | Opens restricted data (sperring) in an emergency situation where the patient is unable to give consent. |
requester-hpr-role
The role of the requesting health professional. A list of possible roles can be found when searching for code 9060 on FinnKode.
Note that allowed roles might be only a subset of the complete list of roles in the future.
The header should be set to the shortform code, e.g. requester-hpr-role: SP.
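A client-side preflight check built from the claim, header and access-basis tables above, as an added example that is not part of the original documentation. The function names, the `restricted` flag and the sample values are assumptions; it inspects already-decoded claims and does not validate the token signature.

```python
import re

# Values copied from the tables on this page.
SCOPES = {"nhn:pps/provesvar", "nhn:nilar/api"}   # second value is OBSOLETE
AUDIENCES = {"nhn:pps", "nhn:nilar"}              # second value is OBSOLETE
ACCESS_BASIS = {"UNNTAK", "SAMTYKKE", "FORHOYET_SAMTYKKE", "AKUTT", "FORHOYET_AKUTT"}
LEVEL_CLAIM = "helseid://claims/identity/security_level"

def as_list(value):
    """Claims may arrive as one string or a list (assumption); normalise to a list."""
    return value.split() if isinstance(value, str) else list(value or [])

def check_request(claims, headers, restricted=False):
    """Return a list of problems; an empty list means the request matches the tables."""
    problems = []
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    if not SCOPES & set(as_list(claims.get("scope"))):
        problems.append("scope lacks nhn:pps/provesvar")
    aud = as_list(claims.get("aud"))
    if len(aud) != 1 or aud[0] not in AUDIENCES:
        problems.append("aud must be a single audience: nhn:pps")
    if str(claims.get(LEVEL_CLAIM)) not in {"2", "3", "4"}:
        problems.append("security_level must be 2, 3 or 4")

    if not h.get("authorization", "").startswith("Bearer "):
        problems.append("Authorization must be 'Bearer <token>'")
    # fnr and dnr are both 11 digits long.
    if not re.fullmatch(r"\d{11}", h.get("person-id", "")):
        problems.append("person-id must be an 11-digit fnr/dnr")
    # The table marks correlation-id as required, so it is always expected here.
    if not h.get("correlation-id"):
        problems.append("correlation-id missing")

    basis = h.get("access-basis")
    if basis is not None and basis not in ACCESS_BASIS:
        problems.append("access-basis is not one of the documented values")
    if restricted and not (basis or "").startswith("FORHOYET_"):
        problems.append("restricted data (sperring) needs a FORHOYET_* access-basis")
    return problems

# Constructed sample values, not real identifiers or tokens.
SAMPLE_CLAIMS = {"scope": ["nhn:pps/provesvar"], "aud": "nhn:pps", LEVEL_CLAIM: "4"}
SAMPLE_HEADERS = {"Authorization": "Bearer <token>", "person-id": "00000000000",
                  "correlation-id": "c0ffee00-0000-4000-8000-000000000000",
                  "access-basis": "SAMTYKKE"}
```

Calling `check_request(SAMPLE_CLAIMS, SAMPLE_HEADERS, restricted=True)` reports the missing "Forhøyet" basis, while the same call without `restricted` returns an empty list.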