When a decoded SMART Health Link payload does not contain the U flag, the receiving system retrieves a SMART Health Link manifest instead of a direct encrypted file. The receiving application sends an HTTP POST request to the SHLink URL with a JSON request body containing a required recipient field and, when applicable, a passcode. This follows the SMART Health Links specification.

Endpoint

POST {SHLink URL}
The SHLink URL is obtained from the url field inside the decoded SMART Health Link payload.

Request headers

Content-Type
string
required
Set to application/json to indicate the request body is a JSON object.

Request body

recipient
string
required
A string describing the recipient, such as the name of an organization or person, suitable for display to the receiving user.
passcode
string
User-supplied passcode when the decoded SHLink payload includes the P flag.
embeddedLengthMax
integer
Upper bound on the length of embedded payloads returned in files[].embedded.

Example request body

{
  "recipient": "Verona Health System",
  "passcode": "1234",
  "embeddedLengthMax": 200000
}

cURL example

curl \
  --request POST \
  --url "https://haau3.com/api/shl/manifests/abc123" \
  --header "Content-Type: application/json" \
  --data '{
    "recipient": "Verona Health System",
    "passcode": "1234",
    "embeddedLengthMax": 200000
  }'

Manifest response structure

If the request is valid, the resource server returns a SMART Health Link manifest with Content-Type: application/json.
manifest
object
required
SMART Health Link manifest object.
manifest.status
string
Indicates whether files may change in the future.
manifest.list
FHIR List
List resource with metadata related to the contained files.
files
array
One or more file descriptors.
files[].contentType
string
required
Nature of the file content.
files[].location
url
URL to externally retrievable content.
files[].embedded
JWE string
Embedded encrypted file contents.
files[].lastUpdated
timestamp
Last time the content was modified.

Example manifest response

{
  "manifest": {
    "status": "complete"
  },
  "files": [
    {
      "contentType": "application/fhir+json",
      "embedded": "<encrypted JWE compact serialization>",
      "lastUpdated": "2026-03-10T12:00:00Z"
    }
  ]
}

Responses

HTTP/1.1 200 OK
Content-Type: application/json

{
  "manifest": { "status": "complete" },
  "files": [
    {
      "contentType": "application/fhir+json",
      "embedded": "<encrypted JWE compact serialization>",
      "lastUpdated": "2026-03-10T12:00:00Z"
    }
  ]
}
Each encrypted file (files[].embedded, or fetched from files[].location) is a JWE. Decrypt it with the key from the SHLink payload to obtain the FHIR bundle. See Bundle & artifact reference.
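
Client-side checks for the request and response described above, as an added example (not code from this documentation or from the SMART Health Links project). It assumes the decoded payload is a dict whose flags are in a "flag" key as in the SMART Health Links specification; the function names and the HTTPS-only policy are choices made for this example.

```python
import json
from urllib.parse import urlsplit

def _require_https(url, what):
    # Policy chosen for this example: refuse non-HTTPS endpoints.
    if not isinstance(url, str) or urlsplit(url).scheme != "https":
        raise ValueError(f"{what} must be an https URL")

def build_manifest_request(payload, recipient, passcode=None, embedded_length_max=None):
    """Return (url, headers, body) for the manifest POST described above."""
    flags = payload.get("flag", "")  # "flag" key name assumed from the SHL spec
    if "U" in flags:
        raise ValueError("U flag set: direct file link, no manifest request")
    _require_https(payload.get("url"), "SHLink url")
    if not recipient:
        raise ValueError("recipient is required")
    body = {"recipient": recipient}
    if "P" in flags:
        if not passcode:
            raise ValueError("P flag set: a user-supplied passcode is needed")
        body["passcode"] = passcode  # sent only when the payload asks for it
    if embedded_length_max is not None:
        body["embeddedLengthMax"] = int(embedded_length_max)
    return payload["url"], {"Content-Type": "application/json"}, json.dumps(body)

def validate_manifest(raw, embedded_length_max=None):
    """Check a manifest response body; return (contentType, source) per file."""
    doc = json.loads(raw)
    files = doc.get("files") if isinstance(doc, dict) else None
    if not isinstance(files, list) or not files:
        raise ValueError("manifest has no file descriptors")
    checked = []
    for f in files:
        if not isinstance(f, dict) or not isinstance(f.get("contentType"), str):
            raise ValueError("files[].contentType is required")
        embedded, location = f.get("embedded"), f.get("location")
        if embedded is not None:
            # A JWE compact serialization has five dot-separated segments.
            if not isinstance(embedded, str) or embedded.count(".") != 4:
                raise ValueError("embedded is not a JWE compact serialization")
            if embedded_length_max is not None and len(embedded) > embedded_length_max:
                raise ValueError("embedded payload exceeds embeddedLengthMax")
            checked.append((f["contentType"], "embedded"))
        elif location is not None:
            _require_https(location, "files[].location")
            checked.append((f["contentType"], "location"))
        else:
            raise ValueError("file has neither embedded nor location")
    return checked
```

Run validate_manifest on the response body before any decryption, so malformed or oversized entries are rejected before key material is used.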