Close icon

Get your Oystehr account

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

How to Enhance App Security with Managed Authentication Service

June 22, 2023

TL;DR Oystehr provides a comprehensive suite of hosted services for health tech and EHR builders, including application management and sophisticated configuration of access control policies down to individual resources.

Last week we released Oystehr Apps, a Oystehr service vital for building user-facing healthcare apps.

Oystehr's APIs provide you a compliant backend out of the box so you can build better faster. To invoke Oystehr APIs securely, users need to authenticate so your application knows they are authorized. When users log into your Oystehr Application, they get a token representing their identity to Oystehr’s APIs.

Every user and role in your Oystehr project has their Oystehr API access constrained by Access Policies which you configure. For example, you might use Access Policies to constrain a patient’s account such that they can only fetch data directly related to them (using the FHIR Patient Compartment).


PM Pediatric Care uses the Oystehr App Service to secure their Behavioral Health Intake Dashboard. When you first navigate to the Dashboard, you are sent to this login page on

A screenshot of a login page with the text "Log in to PM Behavioral Health EHR" and text inputs for email and password. There is a button labelled "Forgot password?".

After logging in, Dashboard users are brought to this page, which calls Oystehr’s FHIR APIs with the user’s auth token. By leveraging Oystehr’s FHIR APIs, the PM Pediatric Care development team is building sophisticated medical applications without the expense of building a proprietary backend.

A screenshot of an Electronic Health Record website. The navigation bar has the options "Appointments" and "Patients", and the user is on the Appointments page. This page has a list of appointments with the information: patient name, patient date of birth, appointment date, status such as booked, and created date.

Why use Oystehr Applications?

To use Oystehr’s APIs from your web and native apps, you first secure them with Oystehr’s App service. Oystehr’s authorization is built to the industry-standard OAuth 2.0 specification, providing your application with the highest level of security. In just a few clicks or API calls, you can enable multi-factor authentication for your Oystehr Applications. You won’t need to build or find your own auth platform — it can be configured using Oystehr’s APIs and a few lines of code.

Setting up Oystehr Applications

  1. Call the Project API Create Application endpoint to create a Oystehr Application.
  2. Add authentication to your web or native application. There are two options:

Use our hosted login screens. Here’s an example using Auth0’s React library to easily drop in a secure workflow:

> ...

This is the quickest way to add authentication to your application as the hosted authentication app provides screens for logging in, resetting password, 2-factor authentication, and signing up.

Build your own auth pages. You can implement the OAuth 2.0 authorization code with PKCE flow by calling the Auth0 /authorize and /oauth/token endpoints on

  1. Invite Users with the Project API Invite User endpoint
  2. Invited users can log in to the Application with credentials set from their invite email.

Settings for Applications can be configured, such as:

  • Setting a logo on the provided (but optional) core login screen
  • Security options including the URL to redirect users to, allowed callback URLs, and allowed CORS origins
  • Passwordless auth using SMS, enabling users to authenticate by entering a verification code that we send to their phone
  • Requiring multi-factor authentication (MFA)

The Oystehr console has pages for managing Applications.

A page on the zapEHR Console for listing Applications. It has one application named "test".
An Application page on the zapEHR Console. It includes the read-only fields "zapEHR ID", "Client ID", and editable fields "Name", "Description", "Login Redirect URI", "Allowed Callback URLs".

With Oystehr’s App service launch, you can get started building user-facing apps on the Oystehr platform. Beta users are already building EHR apps to manage intake workflows, and lightweight RCM products to post insurance claims to clearing houses and manage their resolution.

If you have any questions, you can email us or join our Slack.

Get the Ultimate Headless EHR Checklist for free

  • What is a headless EHR? And how is it different from traditional EHRs?
  • Features & Functionality to
  • Cost & Pricing
  • Is a headless EHR the right fit for you?
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Stay in the know and receive regular insights, tips, and Oystehr updates by subscribing to ‘Oystehr Insights' – your pearl-sized dose of health tech updates.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
back to blog

Learn why healthcare orgs trust Oystehr as their health tech dev platform

Meet with our engineers
Quotation icon

Our new behavioral health intake application, built on Oystehr, allowed us to build a solution that is customized for our use including scheduling, insurance validation, and direct integration with our eClinicalWorks EHR.

Mordechai Raskas
Mordechai Raskas

Chief Medical Information Officer at PM Pediatric Care