SMART Health Links (SHLs) are secure URLs using the shlink: scheme that contain encrypted health information, including SMART Health Cards. Each link embeds a unique encryption key and manifest URL, enabling secure data sharing without confusing online portals or expensive network connection fees.
shlink:
Flexpa's API fully implements the SMART Health Cards and Links STU1 specification while leveraging Flexpa's proven healthcare data infrastructure.
Perfect for healthcare applications needing to:
Our SMART Health Links implementation combines full specification compliance with enterprise-grade reliability:
When a patient receives a QR code containing their health records, that code is actually a SMART Health Link - a secure URL starting with shlink:/ that contains everything needed to decrypt and access their encrypted health data. Here's how the entire flow works from creation to access.
shlink:/
Your application sends health data to Flexpa's API, which encrypts it using AES-256-GCM encryption
A unique 32-byte encryption key is generated specifically for this link - this key is not persisted by Flexpa
The encrypted data is stored securely in S3, and a shlink:/ URL is created containing both the manifest location and the encryption key
This URL can be rendered as a QR code that patients can share or print
The QR scanner reads the shlink:/ URL and extracts the embedded JSON payload
The recipient's app extracts both the manifest URL and the unique decryption key from the payload
The app calls Flexpa's manifest endpoint (optionally with a passcode if required)
Using the embedded key, the app decrypts the health data locally - Flexpa never sees the decryption key
Your application authenticates with Flexpa using your Secret Key and calls the SHL creation endpoint with health data.
Input: SMART Health Cards, FHIR Bundles, Patient/$everything data
Flexpa generates a unique 32-byte key, encrypts data with JWE/A256GCM, and stores files securely in AWS S3.
Process: Key generation → JWE encryption → S3 upload
System returns a shlink: URL containing the manifest endpoint and encryption key. Share via your preferred channel.
shlink:/[base64url-encoded-json]
Recipients decode the base64url JSON payload, extract the manifest URL and decryption key, call the manifest endpoint, and decrypt the response locally.
Process: Decode JSON → Extract URL/key → API call → JWE decryption
Links track access attempts, enforce policies, transition through status states, and trigger cleanup jobs when expired.
Status flow: can-change → finalized → no-longer-valid
Typically, but not necessarily, transported as a QR code.
shlink:/eyJ1cmwiOiJodHRwczovL3NoYy5mbGV4cGEuY29tL2V4YW1wbGVzL0k5MXJoYmEzVnN1R1hHY2hjbnI2VkhsUUZLeGZFMjhrdVowc3NiRXV4bm8vbWFuaWZlc3QuanNvbiIsImtleSI6Ik0yVkNjWGxHcDdvZ2EwejZOR1JJWDgxX1lVREJqWnBwMjN2QkNtODdUNVUiLCJ2IjoxLCJsYWJlbCI6IkV4YW1wbGUgSVBTIEJ1bmRsZSIsImZsYWciOiJMVSJ9
{ "url": "https://shc.flexpa.com/examples/I91rhba3VsuGXGchcnr6VHlQFKxfE28kuZ0ssbEuxno/manifest.json", "key": "M2VCcXlGp7oga0z6NGRIX81_YUDBjZpp23vBCm87T5U", "v": 1, "label": "Example IPS Bundle", "flag": "LU" }
url
key
v
label
flag
exp
While SMART Health Cards are tamper-proof digital credentials containing signed health data (like vaccination records), SMART Health Links provide a secure way to share those credentials and other health data through encrypted, shareable URLs. Think of SHCs as the digital certificates themselves, while SHLs are the secure delivery mechanism.
SHCs are digitally signed JWS tokens containing health data that can be verified offline. SHLs are encrypted URLs (shlink:) that can contain one or more SHCs plus additional FHIR resources. Use them together by creating SHCs for tamper-proof credentials, then packaging them into SHLs for secure sharing.
SMART Health Links support optional passcode protection to add an extra layer of security for sensitive health data. When a link is created with passcode protection, recipients must provide the correct passcode to access the encrypted content.
Passcodes provide several security benefits:
Passcodes must be between 5-128 characters and cannot be used in combination with direct transfer mode (U flag), since direct file access bypasses the manifest endpoint where passcode validation occurs.
U
SMART Health Links use single-character flags to control access behavior and link properties. Flags are concatenated alphabetically in the flag property of the JSON payload and determine how recipients can interact with the link.
L (Long-term)
Enables long-term use where the manifest can evolve over time, allowing content updates
P (Passcode)
Requires a passcode for access (5-128 characters, up to 3 attempts allowed)
U (Direct Transfer)
Enables direct file access via GET request, bypassing manifest endpoint (incompatible with P flag)
The manifest is the central coordination point for accessing encrypted health data through SMART Health Links. It provides recipients with metadata about available health files and URLs to download them.
When recipients decode a SMART Health Link, they extract a manifest URL that serves as the API endpoint for accessing the encrypted content. The manifest endpoint handles two primary access patterns:
Standard Manifest Flow (POST): Recipients POST to the manifest URL with their identifier and optional passcode. The server validates the request, enforces security policies, and returns a structured response containing encrypted file references, status information, and download locations.
Direct Transfer Flow (GET): For links with the U flag, recipients can bypass the manifest entirely and GET the encrypted files directly. This streamlined approach reduces round trips but sacrifices the ability to use passcode protection.
The manifest response includes critical metadata about each file's content type, encryption status, and availability. Files may be embedded directly in the response (for smaller content) or provided as temporary download URLs (for larger files), allowing efficient handling of varying data sizes while maintaining security.
{ "status": "finalized", "files": [ { "contentType": "application/smart-health-card", "embedded": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9...", "location": null, "lastUpdated": "2024-01-01T10:30:00.000Z" }, { "contentType": "application/fhir+json", "embedded": null, "location": "https://api.flexpa.com/smart/health-links/files/abc123?token=xyz789", "lastUpdated": "2024-01-01T10:30:00.000Z" } ] }
SMART Health Links contain a status value used to communicate the current state of the link and its contents to recipients. The status is returned in the manifest response and helps applications understand whether the data is stable, may change, or is no longer accessible.
Together with the L (Long-term) flag, the status can be used to enable workflows such as generating a SHL prior to data being available - such as the results of a diagnostic tests - or providing continuously updated data - such as a personal health history.
L
finalized
Content is stable and will not change
can-change
Content may be updated (used with long-term links)
no-longer-valid
Link has expired or been revoked, no files available
These endpoints require authentication using your Flexpa Secret Key in the Authorization: Bearer header.
Authorization: Bearer
Create a new SHL containing encrypted health data files. Returns a shareable shlink: URL with embedded encryption keys and manifest endpoint.
Integration Tip: Combine SHLs with other Flexpa APIs for powerful workflows. Use Patient/$health-cards-issue to generate SMART Health Cards from FHIR data, then package them into shareable links.
An Authorization: Bearer header value must presented with your Secret Key
Array of files to include in the SHL.
Content type: application/smart-health-card, application/fhir+json, or application/smart-api-access.
application/smart-health-card
application/fhir+json
application/smart-api-access
File content - string for pre-built SHCs, object for FHIR resources or API access.
User information for tracking and association.
Your internal user identifier for tracking.
Optional label for the link (max 80 characters). Note: This label is embedded directly in the SHL URL and is accessible without a passcode.
Optional passcode protection (5-128 characters). Cannot be used with directTransfer: true.
directTransfer: true
Time-to-live in seconds (minimum 1).
Whether this is a long-term link. Adds L flag.
Enable direct file transfer. Adds U flag. Cannot be used with passcode.
Unique identifier for the SHL (UUID format).
The complete SHL URL starting with shlink:/.
Direct URL to view the health data in Flexpa's viewer interface.
API endpoint URL for programmatic access to the encrypted manifest.
ISO 8601 timestamp when the link expires, or null for long-term links.
null
SECRET_KEY=sk_test_your-secret-key # First generate a SMART Health Card using Patient/$health-cards-issue curl -X POST https://api.flexpa.com/smart/health-links \ -H "Authorization: Bearer $SECRET_KEY" \ -H "Content-Type: application/json" \ -d '{ "files": [ { "contentType": "application/smart-health-card", "content": "eyJhbGciOiJFUzI1NiI..." } ], "user": { "externalId": "patient-123" }, "label": "Vaccination Record", "ttl": 86400 }'
{ "id": "f47ac10b-58cc-4372-a567-0e02b2c3d479", "shl": "shlink:/eyJhbGciOiJFUzI1NiI...", "viewerUrl": "https://shc.flexpa.com/#shlink:/eyJhbGciOiJFUzI1NiI...", "manifestUrl": "https://api.flexpa.com/smart/health-links/manifests/7d4c9a5e3b2f1a8c6d9e4f7a8b5c2e1d", "expiresAt": "2024-02-01T00:00:00.000Z" }
Retrieve a paginated list of all SHLs created by your application.
Number of results per page (1-1000, default: 20).
Pagination cursor for next page.
Array of SHL objects.
Unique identifier for the SHL.
Unique identifier for the encrypted manifest.
User information associated with the link.
Your internal user identifier.
Optional label for the link.
SHL flags (L, P, U combinations).
ISO 8601 expiration timestamp, or null for long-term links.
ISO 8601 timestamp when revoked, or null if active.
ISO 8601 timestamp when the link was created.
ISO 8601 timestamp when the link was last updated.
Number of files contained in the link.
Total size of all files in bytes.
Pagination metadata.
Whether more results are available.
Cursor for the next page, or null if no more pages.
SECRET_KEY=sk_test_your-secret-key curl https://api.flexpa.com/smart/health-links?limit=10 \ -H "Authorization: Bearer $SECRET_KEY"
{ "data": [{ "id": "a1b2c3d4-e5f6-4789-abc1-23def4567890", "manifestId": "9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d", "user": {"externalId": "patient-123"}, "label": "Lab Results", "flags": "LP", "expiresAt": "2024-02-01T00:00:00.000Z", "revokedAt": null, "createdAt": "2024-01-01T10:30:00.000Z", "updatedAt": "2024-01-01T10:30:00.000Z", "fileCount": 1, "totalSize": 2048 }], "meta": { "hasMore": true, "nextCursor": "eyJjcmVhdGVkQXQi..." } }
Permanently revoke a SHL, making it inaccessible and scheduling file deletion.
Permanent Action: Revocation cannot be undone. All associated files will be deleted from storage.
The UUID of the SHL to revoke (path parameter).
SECRET_KEY=sk_test_your-secret-key curl -X DELETE https://api.flexpa.com/smart/health-links/f47ac10b-58cc-4372-a567-0e02b2c3d479 \ -H "Authorization: Bearer $SECRET_KEY"
{}
These endpoints are accessible to end recipients of SHLs and do not require a Secret Key. Access is controlled through the encryption keys and optional passcodes embedded in the SHL URL.
Direct download of encrypted health data files. Only available for links with the U flag enabled.
Flag Restriction: This endpoint only works with links that have the U (Direct Transfer) flag. Links with both U and P flags are invalid.
P
The manifest ID from the SHL (path parameter).
Optional recipient identifier (query parameter).
Set to application/jose for JWE-encrypted content.
application/jose
JWE (JSON Web Encryption) string using A256GCM algorithm. Decrypt using the 32-byte key embedded in the original SHL URL payload.
curl https://api.flexpa.com/smart/health-links/manifests/7d4c9a5e3b2f1a8c6d9e4f7a8b5c2e1d
HTTP/1.1 200 OK Content-Type: application/jose eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..iv8E9W3flKTiZhYeAW3Se.4hU4gz mSH5K6E5WCekMtV8u9-g_bCh5lUhcmAJI9EqTvJZLKqttqHpLJiyqk0jRl-BqRDjNiU2r IeqZVb0k2JPj7IuR8qVzN8kpmw0K8fvPhKMmjmC41ydPG1sqVvgPYN0nz8sT5x5Z2MpYV 8N6iNwAjhSNnqYk3jJGmCLNMOKpEhHz7kN-d4fWqR3X9iG7Lh2xuEOLed7_27dxcpvnS2 ScbvhzPqhYqiVF7KQ3mTbWcKdxNM5KkrCw.Bx8xiafv0c-uVEXy_6q-jg
Recipients use this endpoint to retrieve the encrypted health data from a SHL.
Identifier for the requesting party.
Required if the link has passcode protection (max 128 characters).
Maximum length for embedded content (minimum 0, default: 0).
Indicates file changeability: finalized (stable), can-change (may evolve), or no-longer-valid (expired/revoked).
Array of encrypted health data files following the SHLs manifest structure.
MIME type: application/smart-health-card, application/fhir+json, or application/smart-api-access.
JWE-encrypted file content (base64url encoded) if within size limits, otherwise null.
Short-lived URL for downloading large encrypted files, or null if embedded.
Number of passcode attempts remaining (only included for incorrect passcode errors).
curl -X POST https://api.flexpa.com/smart/health-links/manifests/7d4c9a5e3b2f1a8c6d9e4f7a8b5c2e1d \ -H "Content-Type: application/json" \ -d '{ "recipient": "healthcare-provider-id", "passcode": "12345" }'
{ "status": "finalized", "files": [{ "contentType": "application/smart-health-card", "embedded": "eyJhbGciOiJFUzI1NiI...", "lastUpdated": "2024-01-01T10:30:00.000Z" }] }