Authentication with OAuth2.0
This tutorial explains how to connect to the API Gateway (or Sandbox) with (test) Client Credentials, using OAuth2 for authorization and authentication.
As explained in the getting started guide, you will need the Client ID and the Client Secret to get access.
Access tokens and refresh tokens can be generated using the following URLs, depending on the region your organization is hosted in:
- https://identity-oauth.eu.founda.com/oauth2/token
- https://identity-oauth.us.founda.com/oauth2/token
Example cURL command
In order to get an access token you can use the following cURL command as an example:
Don't forget to replace the URL with the EU variant if that's where your organization is hosted.
Replacing <client_id> and <client_secret> with your Client Credentials.
Example Postman command
In order to get an access token you can use the following Postman steps as an example:
Don't forget to replace the URL with the EU variant if that's where your organization is hosted.
- Open a new request and go to the Authorization tab
- Configure the settings:
- Type: OAuth2.0
- Grant Type: Client Credentials
- Access token URL:
- https://identity-oauth.eu.founda.co/oauth2/token
- https://identity-oauth.us.founda.co/oauth2/token
- Client ID: Client ID of Test Client retrieved via 1Password
- Client Secret: Client Secret of Test Client retrieved via 1Password
- Client authentication: ‘Send client credentials in body’

- Choose ‘Get New Access Token’
- When authentication is successful: Authentication complete
- Choose ‘Use Token’
Postman will copy the token to the token field.
Please keep your API keys private.
API Keys created should never be exposed in untrusted contexts. Never put Client Credentials in client-side JavaScript, embed it in a web page, or otherwise allow users to access it. If Client Credentials are exposed, lost, or stolen, then it is compromised. Revoke compromised keys immediately from your Clients page to prevent unauthorized access.
Now that your Test Client has an Access Token, it is possible to start making test calls to the Sandbox. The FHIR 4 Base URL for this is:
- https://api.us.founda.co/1/health/organizations/{organizationId}/fhir/4
- https://api.eu.founda.co/1/health/organizations/{organizationId}/fhir/4
Note that {organizationId} has to be replaced with the organization ID of the Sandbox, this ID is provided along with the Client Credentials.