API Documentation

Elekta’s FHIR API documentation is available so that developers may build applications that operate through the retrieval of patient data from MOSAIQ, Elekta’s Electronic Health Record. Applications are intended to be available for use by patients, providers, and third party application developers. Applications may be launched standalone or within the context of MOSAIQ.

Elekta’s FHIR API is powered by Firely and is compatible with MOSAIQ v2.86. Authenticated application developers will have access to USCDI v1 data.

FHIR API Terms & conditions

Application Registration

FHIR Resources

Elekta's Terms and Conditions of use

Fees: To further grow Elekta’s interoperability and promote patient access to data, application developers are invited to build with Elekta’s platform at no cost. There will be no fee for the use of Elekta’s FHIR API within the current scope of available USCDIv1 data.

To read more about the FHIR API Terms and Conditons please click here.

You can find our Elekta Privacy Policy here.

Application Registration and Configuration

The Site admins of MOSAIQ Electronic Health Record have permission to add the application.

To build an application with Elekta’s FHIR API Authorization Server, the below information is required:

  • Application Name
  • Application Logo (Optional)
  • Application URL
  • Application Redirect URL
  • Application Signoff (Logout) URL
  • Application scope to access resources

Application Configuration

Proof Key for Code Exchange (PKCE) is an industry standard that can help mitigate CSRF and other known security threats.

Configuration OptionValues
Token NameDevTestToken
Grant TypeAuthorization Code (With PKCE)
Callback URLhttps://www.getpostman.com/oauth2/callback
Auth URLhttps://elektaeu.oktapreview.com/oauth2/aus4p8j0ykfNgewRT0x7/v1/authorize
Access Token URLhttps://elektaeu.oktapreview.com/oauth2/aus4p8j0ykfNgewRT0x7/v1/token
Client IdYour Client ID
Client SecretYour Secret
Code Challenge MethodSHA-256
Code VerifierLeave Blank
ScopeI.e. openid patient/*.read
StateAny UUID
Client AuthorizationSend client credentials in body

Authorization Server Info

  • Auth URL: https://elektaeu.oktapreview.com/oauth2/aus4p8j0ykfNgewRT0x7/v1/authorize
  • Access Token URL: https://elektaeu.oktapreview.com/oauth2/aus4p8j0ykfNgewRT0x7/v1/token
  • aud: api://dev-sandbox-test

API Information

  • FHIR API Base URL: https://elektafhirdevsandboxtest.azurewebsites.net
  • FHIR Authorization Root URL: https://elektaeu.oktapreview.com/oauth2/aus4p8j0ykfNgewRT0x7
  • FHIR Metadata Information URL: https://elektafhirdevsandboxtest.azurewebsites.net/metadata
  • FHIR Authorization Server Information URL: https://elektaeu.oktapreview.com/oauth2/aus4p8j0ykfNgewRT0x7/.well-known/openid-configuration
  • FHIR Server SMART Configuration: https://elektafhirdevsandboxtest.azurewebsites.net/.well-known/smart-configuration/

Please refer to SMART App Authorization Guide for more information

FHIR Resources

Elekta’s FHIR API is based on the HL7 FHIR® US Core Implementation Guide STU3 Release 3.1.1 and HL7 FHIR® R4.

To view Elekta’s FHIR Resources, please click here.

Bulk Export

Client Configuration:

Bulk Export requires a public/private key pair. The client must generate or obtain this key pair and register the public key set (via URL to JWK Set or JWK Set Directly)

A client must also produce a JSON Web Token (JWT) that will be used to authenticate the client to the FHIR® authorization server before requesting an access token. The following claims must be included in the authentication JWT, and it must be signed using the client's private key.

How to create JWT token:

Header Values for JWT Authentication

algRS384 (fixed value)
kidThe identifier of the key-pair used to sign this JWT. This identifier SHALL be unique within the client's JWK Set
typJWT (fixed value)

Authentication for JWT Claims

issclient_id - determined during registration with the authorization server
subclient_id - determined during registration with the authorization server (same as iss)
expExpiration time integer for this authentication JWT, expressed in seconds since the "Epoch" (1970-01-01T00:00:00Z UTC). This time SHALL be no more than five minutes in the future.
jtiA nonce string value that uniquely identifies this authentication JWT.

Bulk export client configuration (Postman will consume FHIR API)


  1. Start your API client
  2. https://elektaeu.oktapreview.com/oauth2/aus4p8j0ykfNgewRT0x7/v1/token
  3. Select POST as the HTTP verb
  4. Select the "Body" tab then select the x-www-form-urlencoded radio button for the format
  5. Enter the configuration details from the table below and click the "Send" Button

    Postman Configuration

    client_assertionJWT client assertion token obtained above
  6. After obtaining an access token, use the token to retrieve resources in ndjson format.

Bulk Data Kick-off Request:

This FHIR® Operation starts the asynchronous generation of data that the client is authorized to see - whether it's all patients, a subset (specified group) of patients, or all data in a FHIR® server.

Endpoint - All Patients:

GET https://elektafhirdevsandboxtest.azurewebsites.net/Patient/$export

Endpoint - Group of Patients

GET https://elektafhirdevsandboxtest.azurewebsites.net/Group/[id]/$export

Required Request Headers

Accept - application/fhir+json

Prefer - respond-async

Response - Success

HTTP Status Code of 202 Accepted

Content-Location header with the absolute URL of an endpoint for subsequent status requests (polling location)

Bulk Data Status Request

Following the start of a bulk data request, the client MAY poll the status URL specified in the Content-Location header.

Response - In-Progress Status

HTTP Status Code of 202 Accepted

Response - Error Status

HTTP status code of 4XX or 5XX
Content-Type - application/json

Response - Complete Status

HTTP status of 200 OK
Content-Type - application/json

File Request

A client can download the created bulk data files (one or more per resource type) using the URLs provided by the FHIR® server in the Complete Status response body within the time period set in the Expires header (if present).


GET [url from status request output field]


Accept - application/fhir+ndjson

Response - Success

HTTP status of 200 OK
Content-Type - application/fhir+ndjson

Response - Error

HTTP Status Code of 4XX or 5XX

*For more information on Bulk Export – please refer to - HL7.FHIR.UV.SMART-APP-LAUNCH\Client Authentication: Asymmetric (public key) - FHIR v4.0.1