> ## Documentation Index > Fetch the complete documentation index at: https://docs.haau3.com/llms.txt > Use this file to discover all available pages before exploring further. # Manifest request (POST) > Retrieve a SMART Health Link manifest with an HTTP POST when no U flag is present. When a decoded SMART Health Link payload does not contain the `U` flag, the receiving system retrieves a SMART Health Link manifest instead of a direct encrypted file. The receiving application performs an HTTP POST request to the SHLink `url` with a JSON request body containing a required `recipient` field and, when applicable, a `passcode`. This follows the [SMART Health Links specification](https://build.fhir.org/ig/HL7/smart-health-cards-and-links/links-specification.html). ## Endpoint ```http theme={null} POST {SHLink URL} ``` The SHLink URL is obtained from the `url` field inside the decoded SMART Health Link payload. ## Request headers Set to `application/json` to indicate the request body is a JSON object. ## Request body A string describing the recipient, such as the name of an organization or person, suitable for display to the receiving user. User-supplied passcode when the decoded SHLink payload includes the `P` flag. Upper bound on the length of embedded payloads returned in `files.embedded`. ### Example request body ```json theme={null} { "recipient": "Verona Health System", "passcode": "1234", "embeddedLengthMax": 200000 } ``` ## cURL example ```bash theme={null} curl \ --request POST \ --url "https://haau3.com/api/shl/manifests/abc123" \ --header "Content-Type: application/json" \ --data '{ "recipient": "Verona Health System", "passcode": "1234", "embeddedLengthMax": 200000 }' ``` ## Manifest response structure If the request is valid, the resource server returns a SMART Health Link manifest with `Content-Type: application/json`. SMART Health Link manifest object. Indicates whether files may change in the future. List resource with metadata related to the contained files. One or more file descriptors. Nature of the file content. URL to externally retrievable content. Embedded encrypted file contents. Last time the content was modified. ### Example manifest response ```json theme={null} { "manifest": { "status": "complete" }, "files": [ { "contentType": "application/fhir+json", "embedded": "", "lastUpdated": "2026-03-10T12:00:00Z" } ] } ``` ## Responses ```http theme={null} HTTP/1.1 200 OK Content-Type: application/json { "manifest": { "status": "complete" }, "files": [ { "contentType": "application/fhir+json", "embedded": "", "lastUpdated": "2026-03-10T12:00:00Z" } ] } ``` ```http theme={null} HTTP/1.1 401 Unauthorized Content-Type: application/json { "remainingAttempts": 2 } ``` ```http theme={null} HTTP/1.1 404 Not Found ``` Each encrypted file (`files[].embedded`, or fetched from `files[].location`) is a JWE. Decrypt it with the `key` from the SHLink payload to obtain the FHIR bundle. See [Bundle & artifact reference](/app/provider-integration/bundle-and-artifacts).