Page Status: updated 2023-11-23

HTTP Header and Authorization

Page index

Authorization
HTTP Request Header
- Detailed Information and Examples
HTTP Response Header

Authorization

Access to the Swedish National Medications List consists of three parts:

Required access token in authorization parameter
Purpose and access defined in the x-purpose and x-access parameters (required for most read interactions, see required information in each use case)
A provenance structure describing information related to who authored and who entered the request as well as why, which relates to the value in the x-povenance request header.

Authorization
Access to the Swedish National Medication List is based on OAuth2 or SAML and requires a valid bearer token. More information is enclosed in the Ansluta till E-hälsomyndighetens tjänster.

Purpose and access type
The information in the purpose and access parameters will, along with the role of the person (in the security token) determine which information will be filtered in the response. This information will be available to the patient in the audit log. See Ändamål, åtkomsttyper, resurser och behörigheter for more information.

Provenance
In most create and update requests, a provenance resource will need to be added as a base64 encoded JSON to the HTTP request header x-provenance. The provenance holds information about who makes the request, the intention of the request and other event related information. Read more about the Provenance resource in the Provenance section.

A complete list of all header parameters can be seen in the table HTTP Headers below

HTTP Request Header

The table below shows HTTP header fields used in a request containing FHIR or NLL specific information. Other fields may be included as well in accordance with the HTTP specification. Mandatory fields are indicated in the column Mandatory

Field	Comment	Example	Mandatory
accept	Describes formats accepted by client. Only JSON is fully tested by NLL, therefore JSON is the recommended format. Also fhirVersion can be added, but note that NLL currently only supports 4.0	`accept: application/fhir+json; fhirVersion=4.0`	No, default value is JSON
authorization	A security token. Should contain the SAML-token issued by the IdP or the OAuth-token issued by the Swedish eHealth Agency. See Säkerhetslösning		Yes, when LOA3 is stipulated. This includes all resources and operations except ValueSet, ConceptMap, $ping and $patient-dosage-directions
prefer	Information to be returned on a successful create or update request	See section Managing returned content	Yes, when creating and updating a MedicationRequest
x-access	A coded value (see value set Åtkomsttyp (access-types)) describing the legal ground for the access	`x-access: TILLFALLIGT_SAMTYCKE`	Yes, when fetching information by resources and operations except ValueSet, ConceptMap, Medication, $ping and $patient-dosage-directions
x-call-type	A request for extended period of validity of the security token. Possible values are NORMAL and DELAYED. See Reservlösning for more information.	`x-call-type: DELAYED`	No, default value is NORMAL
x-context-id	An optional UUID* that is used by the caller to group a sequence of requests. This ID is only used for logging purposes.	`x-context-id: dea7e921-6bac-4098 ...`	No
x-org-info	A BASE64 UTF-8 encoded JSON structure containing information about the organisation of the person requesting information	See example below	Yes, when information is missing in the security token . See detailed description below.
x-patientref	A reference to the patient by patient ID (UUID*) who's information is requested . This is to ensure that the operation is related to the intended patient.	`x-patientref: dea7e921-6bac-4098 ...`	Yes, when the request is related to a patient and requires x-access and x-purpose. For more details see the requirements for each scenario, Tillämpningsansvisningar.
x-provenance	A BASE64 UTF-8 encoded provenance resource.	`x-provenance: { "resourceType": "Provenance" ...`	Yes, when creating or updating information
x-purpose	A coded value (see value set Ändamål (purpose-types)) describing the purpose of the request	`x-purpose: EXPEDIERING`	Yes, when fetching information by resources and operations except ValueSet, ConceptMap, Medication, $ping and $patient-dosage-directions
x-proxyref	A reference to the person acting as agent for a patient by person ID (UUID*). Only applicable if the purpose is LASA_EGNA_UPPGIFTER	`x-proxyref: dea7e921-6bac-4098 ...`	Yes, when an agent is involved, i.e. the purpose is "Direktåtkomst till egna uppgifter" and access type is "Vårdnadshavare" or "Köpfullmakt"
x-request-id	An UUID* generated by the caller as a unique ID per request. It is used to ensure that the same request is not performed multiple times. A resend of a request should keep it's request ID.	`x-request-id: dea7e921-6bac-4098 ...`	Yes**
x-user-agent	A BASE64 UTF-8 encoded JSON structure containing information about the calling system	See example below	Yes**

*UUIDs generated by the Swedish National Medication List follows RFC 4122 type 4, with a few exceptions when type 3 is used, and the FHIR 4 specification. RFC 4122 allows UUIDs to be in both upper and lower case but FHIR states that UUID IDs shall be in lower case. UUIDs in the Swedish National Medication List are therefor allways in lower case and alla UUIDs sent to the Medication List should be in lower case.

**Operations involving ValueSet, ConcepMap and $ping are currently working without specifying Request-Id and User Agent. This is not in line with the intended design why a blocking check will be added after consultation with systems already using NLL FHIR. It is therefore recommended all new systems to include Request-Id and User Agent also for these operations too.

Detailed Information and Examples

x-org-info

x-org-info is part of the security mechanism and is used in scenarios when there is a need to provide additional security information which is not included in the security token.

Health Care Providers:

Health care providers (sv. hälso- och sjukvårdspersonal) are required to provide the city name (sv. postort för vårdenhet) in addition to the organization information that is provided by the Identity Provider (IdP).

Example:

{
    "orgenhetsOrt" : "Kalmar"
}

Web pharmacy services:

Web pharmacy services (sv. apoteks e-handel) use the patient's security certificate, or a related person's security certificate, and must therefore provide the web pharmacy's GLN number.

Example:

{
    "orgenhetsId" : "7350045511996",
    "orgenhetsIdTyp" : "GLN",
}

x-user-agent

The structure in x-user-agent contains the following elements:

'name' should contain the product name of the user agent making the call.
'info' may contain additional information about the user agent for example a module name or name of a customer specific extension.
'version' should contain the version number of the user agent. Preferable a technical version string rather than a marketing version name.
'moduleVersion' may contain an additional version number indicating the version of a module or extension.

Example:

{
  "name" : "Pascal",          // mandatory and max 20 characters
  "info" : "Module Z1",       // optional and max 99 characters
  "version" : "4.3.1",        // mandatory and max 20 characters
  "moduleVersion" : "1.0.2"   // optional and max 19 characters
}

HTTP Response Header

The table below shows HTTP header fields used in a response containing FHIR or NLL specific information. Other fields may be included as well in accordance with the HTTP specification. For more information about FHIR and headers, please read https://www.hl7.org/fhir/http.html

Prefix	Comment	Example
content-location	Content-Location indicates the direct URL to use to access the resource, without further content negotiation in the future.	`content-location: [base]/MedicationRequest/2d921d9f-8fc2-4384-b4ef-055fb9826b49`
etag	An entity-tag for differentiating between multiple representations of the same resource in the response. Contains the resource's Version Id. As the Version Id is considered as a "weak" ETag, it is prefixed with W/. For more details about ETag see https://www.rfc-editor.org/rfc/rfc7232#section-2.3	`etag: W/"3"`
last-modified	The date and time when the resource was last modified. For more details about last-modified see https://www.rfc-editor.org/rfc/rfc7232#section-2.2	`last-modified: Sat, 02 Feb 2013 12:02:47 GMT`
location	Location indicates the URL of a redirect.	`location: [base]/MedicationRequest/2d921d9f-8fc2-4384-b4ef-055fb9826b49`
nmi-id	NMI ID of the backend system	`nmi-id: EHM-AT21-v6,EHM-VT21-v6`
x-context-id	The same Context Id as in the request if one was provided	`x-context-id: b70d8221-2b23-4e6d-9a7a-9205f0dfc921`
x-request-id	The same Request Id as in the request if one was provided or else one created by the server	`x-request-id: f415983e-27f9-4563-86fc-6810753a787e`