Enable Client Registration via API

First day playing around with openEMR, so please excuse my ignorance. I’ve got the containerized instance running (following this).

I can also register a client using the first cURL command here. However, by default it seems that new clients are disabled.

Is there a way to enable the client when initially registering it? If not, is there a way to programmatically enable a client?

I can do it through the UI, but my goal is to get an instance configured without manual intervention.

Hello @Chad_Mowbray welcome to the OpenEMR community, and to the forum!

I know that individual preferences can vary a lot re: how people want their EMR to work. But my understanding of the rationale for making auto registration require human intervention is that it is a security measure. Most practices probably would not want to expose their EMRs to robo-registration since, among other things, it could fill up the database with new pt records and destabilize the server before any human was even aware of a problem. And the size of the penalty for improperly handled PII tends to be a deterrent for most folks from allowing that to happen.

Certainly, if you really wanted it to work that way I’m sure you could make it so. But I would recommend you review the HIPAA security requirements for EMR servers before you put real-life PII on them.

Best- Harley

2 Likes

You can have a confidential client auto-enabled if you only request patient/* scopes in your app. From the documentation:

3rd party Apps using the confidential app profile are auto enabled if they are strictly a patient standalone app. A patient standalone app is one that only requests patient only scopes such as patient/*. A provider or system app (requesting permissions such as launch, user/*, system/*, etc) must be authorized by the OpenEMR Server Installation Administrator. Access Tokens issued to 3rd party apps are only valid for one hour and must be renewed with a refresh token which is valid for up to three months. Refresh tokens are only issued if the offline_access scope is authorized by the OpenEMR user authenticating with OpenEMR through their 3rd party app.
openemr/FHIR_README.md at master · openemr/openemr · GitHub

If you want to programmatically enable a client, build a module that does the registration of your client and auto-enables it when the module is installed / enabled. You can also expose your own API endpoint in the module to do the auto-enabling but I don’t encourage it.

At some point we may implement something like the UDAP dynamic client registration system to support a more secure mechanism for auto-registering clients but it's not anywhere on the roadmap unless someone is interested in funding it to be built.

The danger of auto-registering confidential apps is that they can access ANY patient data that the provider/admin user’s ACL supports which is a security risk and they can MODIFY any data that their user ACL can support. Patient standalone applications don’t have the same security threat surface as they are limited to a single patient.
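Added example (not part of the original posts and not OpenEMR's own code): a small review helper that sorts the scopes in a client registration body into the categories the quoted documentation describes, so an administrator can see which requests go beyond a patient standalone app. The function name, the neutral-scope set, the sample bodies and the choice to flag unrecognized scopes are assumptions made for illustration.

```python
import json

# Assumption: identity/session scopes treated as neutral for this review.
NEUTRAL = {"openid", "offline_access"}
# Prefixes the quoted documentation lists as needing administrator approval.
ELEVATED_PREFIXES = ("user/", "system/")


def review_registration(request_json):
    """Summarize the scopes requested in one client registration body."""
    body = json.loads(request_json)
    scopes = (body.get("scope") or "").split()
    patient = [s for s in scopes if s.startswith("patient/")]
    elevated = [s for s in scopes
                if s == "launch" or s.startswith(ELEVATED_PREFIXES)]
    # Anything unrecognized is flagged for a human rather than silently allowed.
    unknown = [s for s in scopes
               if s not in patient and s not in elevated and s not in NEUTRAL]
    return {
        "client_name": body.get("client_name", "<unnamed>"),
        # True only when the request matches the patient-standalone description.
        "patient_only": bool(patient) and not elevated and not unknown,
        "elevated": elevated,
        "unknown": unknown,
        # offline_access leads to a refresh token (valid up to three months).
        "refresh_token_requested": "offline_access" in scopes,
    }


# Constructed sample registration bodies (not captured from a real server).
SAMPLE_PATIENT_APP = json.dumps({
    "client_name": "Example Patient App",
    "redirect_uris": ["https://app.example.test/callback"],
    "scope": "openid offline_access patient/Patient.read patient/Observation.read",
})
SAMPLE_PROVIDER_APP = json.dumps({
    "client_name": "Example Provider App",
    "redirect_uris": ["https://ehr.example.test/callback"],
    "scope": "openid launch user/Patient.read system/Patient.read",
})

if __name__ == "__main__":
    for sample in (SAMPLE_PATIENT_APP, SAMPLE_PROVIDER_APP):
        print(json.dumps(review_registration(sample), indent=2))
```

A scope the helper does not recognize ends up in `unknown` and makes `patient_only` false, so the default is to send the request to a person.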

Hi @adunsulag Thanks for refining my simplistic concept of the phenomenon!
Best- Harley

Thanks @htuck and @adunsulag . My intent is just to spin up a development environment, so I’ll look into creating a module.