Patient Access API Overview

Opala's Patient Access API and the Patient Access API Documentation Set assume that developers are familiar with FHIR and the CARIN for Blue Button® implementation guide.

The Patient Access API must be protected by an OpenID Connect flow, which is built on the OAuth 2.0 specification. This makes it harder for developers to access and test the API, because they must present the JWT in the header of each HTTP GET request. Opala's Patient Access API complies with this requirement.

Before any development starts, you must have the following to help set up the project and begin accessing Opala's Patient Access API:

  1. A key value and a secret value. These are created when you register an application with Opala (see Developer Portal below);
  2. A URL to initiate the authorization workflow (which includes the user authentication step);
  3. A list of return URLs that the identity provider will accept (the one you want is passed as part of the URL that starts the OIDC authorization flow);
  4. Sandbox access.

Sandbox Access

Once you have created an account with Opala (see Developer Portal below), you are given access to Opala's sandbox environment. This environment parallels the Opala production environment but contains no live data: all data available in the Sandbox is created specifically for the sandbox environment and does not correspond to any real-world data.

Sandbox access enables a developer to get started quickly. It includes a user account with a specific set of data that can be validated against and provides complete functionality.

Initial sandbox access requires an application key (unique GUID) and a return URL that can be localhost on any port.

Note: In addition to regular sandbox access, Opala also provides a Postman collection through which the Patient Access Sandbox is accessible. See the Opala Documentation Set (available after you register with Opala) for information about accessing Opala's Postman Collection.

Production Access

Production access is granted after validating your application. Until then, your application is listed as In Review on your Developer Portal page; you can still access Opala's Patient Access API Sandbox but cannot access the Production environment. There is no form for requesting Production access. Once your application is approved and the status changes from In Review to Live, you are granted access.

Developer Portal

Opala's Developer Portal enables you to create an account with Opala, then register and maintain one or more applications. Registering with Opala creates the account.

Registering as a developer with Opala enables you to access Opala's APIs from your application. Once you complete your registration, you will see connection details that can be applied to access Opala's Patient Access API Sandbox.

Note: The Developer Portal is accessed by both the developer and the payer administrator. Both developers and administrators can use the Developer Portal to access their Sandbox settings. Developers can also use the portal to register their applications with Opala, while payer administrators can register as a client to get access to Opala's payer-to-payer data exchange.

App Registration

Once you have created an account and registered as a developer with Opala, you can register one or more applications that will, after approval, be available in Opala's App Gallery. Some of the information required to register an application is:

  • The URL of the application's home page. This is the location where the app's download site can be found;
  • The URL of the webpage providing the application's Privacy Policy;
  • The URL of the webpage describing the application's Terms of Service;
  • The URL to which members are redirected upon successful authentication (the Default OAuth Redirect URL);
  • Any additional OAuth Redirect URLs.

In addition, you must enter the scopes requested by your application after creating an account and registering as a developer with Opala. The minimum scopes required by Opala are openid and profile.
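
The prerequisites and minimum scopes above, put together as an added example that is not Opala's code: it builds the request that starts the authorization workflow, validates the redirect back to the application, and forms the header for the API call. It assumes the standard OIDC authorization-code parameters, that the application key is sent as client_id, and that the JWT is presented as a bearer token; the endpoint, key and return URL are constructed placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders, not Opala's real endpoint, key or return URL.
AUTHORIZE_URL = "https://idp.example.invalid/authorize"    # prerequisite 2
APP_KEY = "00000000-0000-0000-0000-000000000000"           # prerequisite 1 (key only)
REGISTERED_REDIRECTS = {"http://localhost:8080/callback"}  # prerequisite 3
REQUIRED_SCOPES = ("openid", "profile")                    # minimum scopes


def build_authorization_url(redirect_uri, extra_scopes=()):
    """Return (url, state, nonce) for an OIDC authorization-code request."""
    # Exact match against the registered list; the secret value never goes in this URL.
    if redirect_uri not in REGISTERED_REDIRECTS:
        raise ValueError("redirect_uri is not a registered return URL")
    scopes = list(dict.fromkeys(REQUIRED_SCOPES + tuple(extra_scopes)))
    state = secrets.token_urlsafe(32)  # ties the callback to this session
    nonce = secrets.token_urlsafe(32)  # compared later with the ID token's nonce claim
    query = urlencode({
        "response_type": "code",
        "client_id": APP_KEY,  # assumption: the key value maps to client_id
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    })
    return f"{AUTHORIZE_URL}?{query}", state, nonce


def handle_callback(callback_url, expected_state):
    """Validate the redirect back to the app and return the authorization code."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise RuntimeError(f"authorization failed: {params['error'][0]}")
    returned_state = params.get("state", [""])[0]
    # Constant-time compare; a missing or wrong state means the response is not ours.
    if not secrets.compare_digest(returned_state.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: discard this response")
    if "code" not in params:
        raise RuntimeError("callback carries no authorization code")
    return params["code"][0]


def api_request_headers(access_token):
    """Headers for the HTTP GET to the API."""
    # Assumption: the JWT is presented as a bearer token in the Authorization header.
    return {"Authorization": f"Bearer {access_token}"}
```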