Authorization
In order to be authorized to use the service the client must first be authenticated using HelseID. For more information on how to register a client for HelseID, see Selvbetjening.
HelseID
A HelseID access token is required for authorization of organization and health care personell.
Claims
The client must do a token refresh/exchange with HelseID to set correct audience and scope for this service.
| Claim | Description |
|---|---|
| scope | "nhn:pps/provesvar" or "nhn:nilar/api" (OBSOLETE) |
| aud | "nhn:pps" or "nhn:nilar" (OBSOLETE) |
| helseid://claims/identity/pid | Personal identifier of the requester |
| helseid://claims/hpr/hpr_number | Health personel number according to NHN’s coding standard |
| helseid://claims/identity/security_level | What level of security is used. Possible values are 2, 3 or 4 |
| helseid://claims/client/claims/orgnr_parent | Org. nr. at the top level (legal entity) |
| helseid://claims/client/claims/orgnr_child | Org. nr. at the lower level (point of care) |
Claims documentation for HelseID can be found here.
Documentation to set single audience can be found here
Headers
| Name | Description | Required |
|---|---|---|
| Authorization: Bearer |
HelseID access token. | Yes |
| person-id | Patient national identification number (fnr/dnr). | Yes |
| correlation-id | Required for requests with body (POST/PUT). | Yes |
| access-basis | Basis for access (grunnlag/tjenstlig behov, see section access-basis). | No |
| requester-hpr-role | Requester's HPR role, i.e. "LE" (Lege), "AA" (Ambulansearbeider), see section hpr-role. | No |
| grunnlag (OBSOLETE) | No |
access-basis
Which basis for access (grunnlag/tjenstlig behov) the user has to get access to data. Only to be used for the requesting health professional. "Forhøyet" must be used if requesting access to data which the patient has restricted access (sperring).
FORHOYET_SAMTYKKEandFORHOYET_AKUTTshould only be used to access existing data that are not accessible with other access-basis values. Using either when no additional data would be returned will cause the request to fail.
| Value | Use case |
|---|---|
| UNNTAK | Use for persons which do not have to get consent from the patient, e.g. general practitioner (fastlege). |
| SAMTYKKE | The user has gotten consent from the patient to see data. |
| FORHOYET_SAMTYKKE | The patient has given consent to open restricted data (sperring). |
| AKUTT | Use when in an emergency situation where the patient is unable to give consent. |
| FORHOYET_AKUTT | Opens restricted data (sperring) in an emergency situation where the patient is unable to give consent. |
requester-hpr-role
The role of the requesting health professional. A list of possible roles can be found when searching for code 9060 on FinnKode.
Note that allowed roles might be only a subset of the complete list of roles in the future.
The header should be set to the shortform code, e.g. requester-hpr-role: SP.