Authentication and Onboarding
This guide describes what a vendor needs to start using the MediKIT API with OAuth 2.0 client credentials and organization-scoped access.
What you receive during onboarding
Nedap MediKIT provides:
- CLIENT_ID
- CLIENT_SECRET (via secure channel)
- TOKEN_ENDPOINT
- API_BASE_URL
- Assigned ORGANIZATION_ID values
For the API base URL, use one of these hosts:
- https://dev-api-insecure.medikit.nl
- https://dev-api.medikit.nl
Example request path: /v2/{organizationId}/fhir/R4/Patient/{id}.
Authentication flow
- Request an access token at TOKEN_ENDPOINT using client_id and client_secret.
- Use the returned Bearer token for API requests.
- Refresh before expiry.
Access model (roles + organizations)
Access is determined by both:
- Role entitlements assigned to your client (which operations/resources are allowed)
- Allowed organizations assigned to your client (which organizationId values are allowed)
A request is only allowed when both role and organization checks pass.
Verification checklist
After onboarding, validate your setup:
- Get a token with your credentials.
- Call an endpoint for an assigned ORGANIZATION_ID (expect success).
- Call the same endpoint for an unassigned ORGANIZATION_ID (expect denial).
- Call one endpoint within your expected role scope (expect success).
- Call one endpoint outside your role scope (expect denial).
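As an added example (not Nedap's or MediKIT's own code), the following Python client implements the authentication flow above and can drive the verification checklist: it obtains a client-credentials token, caches it in memory, refreshes it before expiry, and sends organization-scoped FHIR requests with the Bearer header. The token-request body shape, the placeholder TOKEN_ENDPOINT value, the `MediKitClient` class and its injectable `transport`/`clock` parameters are assumptions, not part of the documented API.

```python
import json
import time
import urllib.parse
import urllib.request

# Placeholders: the real TOKEN_ENDPOINT and API_BASE_URL are issued at onboarding.
TOKEN_ENDPOINT = "https://TOKEN_ENDPOINT_PLACEHOLDER/oauth/token"
API_BASE_URL = "https://dev-api.medikit.nl"
REFRESH_MARGIN = 60  # seconds before expiry at which a fresh token is fetched


def default_transport(url, data=None, headers=None):
    """Return (status, body). `data` is a dict sent form-encoded (POST), or None (GET).
    Injectable so the client can be exercised offline with a fake transport."""
    body = urllib.parse.urlencode(data).encode() if data is not None else None
    req = urllib.request.Request(url, data=body, headers=headers or {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


class MediKitClient:
    """Keeps a client-credentials access token in memory and refreshes it before expiry."""

    def __init__(self, client_id, client_secret,
                 transport=default_transport, clock=time.monotonic):
        self._client_id, self._client_secret = client_id, client_secret
        self._transport, self._clock = transport, clock
        self._token, self._expires_at = None, 0.0

    def get_token(self):
        """Return a usable token; fetch a new one if none is cached or it expires soon."""
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN:
            # Assumption: RFC 6749 client-credentials grant with the credentials in
            # the form body; the issuer may instead require HTTP Basic authentication.
            status, body = self._transport(TOKEN_ENDPOINT, data={
                "grant_type": "client_credentials",
                "client_id": self._client_id,
                "client_secret": self._client_secret,
            })
            if status != 200:
                raise RuntimeError(f"token request failed with HTTP {status}")  # body never logged
            payload = json.loads(body)
            self._token = payload["access_token"]
            self._expires_at = self._clock() + float(payload.get("expires_in", 0))
        return self._token

    def fhir_get(self, organization_id, resource_path):
        """GET /v2/{organizationId}/fhir/R4/<path>; a 401/403 means the role or org check failed."""
        url = f"{API_BASE_URL}/v2/{organization_id}/fhir/R4/{resource_path}"
        return self._transport(url, headers={"Authorization": f"Bearer {self.get_token()}"})
```

Running the checklist then amounts to calling fhir_get for an assigned and an unassigned ORGANIZATION_ID (and for a resource inside and outside your role scope) and comparing the returned status codes; a fake transport can stand in for the API so the caching and refresh logic can be checked offline.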
Security requirements
- Keep client secrets in a secure secret manager.
- Never log or share raw Bearer tokens.
- Rotate credentials immediately if compromise is suspected.