Skip to content

API Usage

GOFR provides a powerful API to access and load data.

Users may access the API in general as they would all REST operations in FHIR. The base URL for API requests is simply the server:port for GOFR followed by /fhir/<PARTITION>/.

For more information about using FHIR see the page Working wth FHIR in this guide.

Public Demo Server

The API routes are protected by token-based authentication and authorization.

On sign-up, an administrator must provide the client_secret in addition to a username and password. The API user must obtain an access_token and refresh_token. For example, using Curl on *nix and WSL, with the demo:demo account on the public test server the API user must POST the following information:

curl -XPOST \
--data "grant_type=password" \
--data "username=demo" \
--data "password=demo" \
--data "client_id=gofr-api" \
--data "client_secret=df3dcc28-f79f-4df7-bd5c-427afe60a41b"

Response (the tokens are abbreviated with '...'):

{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOi...","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCI...","token_type":"Bearer","not-before-policy":1632196935,"session_state":"de2ba5ab-3ec5-404c-9e82-f0ca94b71ab6","scope":"profile email"}

For quick tests, it may be easier to capture the token in an environment variable using the excellent jq and then use that variable in queries, e.g.:

token=$(curl -XPOST \
--data "grant_type=password" \
--data "username=demo" \
--data "password=demo" \
--data "client_id=gofr-api" \
--data "client_secret=df3dcc28-f79f-4df7-bd5c-427afe60a41b" | jq -r '.access_token')
echo $token
curl -X GET "" -H "Authorization: Bearer $token"

The token can now be used to access the API.


Token expiration may be shorter than anticipated. This can be changed in Keycloak.