22.7 Release: New: Real-time, self-service registration for 3-legged OAuth apps


Prior to the 22.7 Summer Release, the Developer Console only supported real-time, self-service registration of 2-legged OAuth preview applications. With the Summer Release, registration will be expanded to support Personal Health Record (PHR) and all other 3-legged OAuth applications.


athenaClinicals, athenaCollector, or athenaOne for Hospitals and Health Systems




July 27, 2022 (22.7)


  • Self-service registration of 2-legged and 3-legged preview apps
  • Self-service registration of 3-legged PHR production apps
  • Scope selection and real-time approval of requested APIs for all preview apps (and for production apps for PHR apps only)
  • Access to Technical Specification (Tech Spec) and Marketplace documents all within your apps’ Console page


Before you can use this feature, you must create an account in the Developer Console. You may create a Developer Console account here.

Is this a breaking change?

No, this is not a breaking change

Endpoints affected

  • N/A


Refer to the following resources for more information:

  • (link coming soon)


When registering a new app with athenahealth, there are three types of apps that exist based on the end user authentication method (OAuth) that will be used to obtain consent for the app to access data:

2-legged OAuth apps:

  • System-to-system apps
  • Data is passed between two systems without requiring patient or provider consent

3-legged OAuth for PHR apps:

  • System-to-patient-to-system apps
  • For data to be passed between two systems, the patient must provide consent
  • Rely only on Certified APIs which are free for consumption

3-legged OAuth for all other apps:

  • System-to-patient-to-system apps (using 1+ non-Certified API) or system-to-provider-to-system apps
  • For data to be passed between two systems, the patient or provider must provide consent

Currently, the Developer Console supports self-service onboarding of 2-legged OAuth preview apps while all 3-legged OAuth apps require athenahealth support. With the Summer 22.7 Release, the app registration process in the Console will now support self-service registration for PHR and all other 3-legged apps, allowing API Developers to create apps more efficiently and seamlessly.

Important: End user authentication method cannot be changed once an app has been created. A new app will need to be registered if the OAuth method must be modified.

What is changing

Automatic app registration for 3-legged PHR apps

A PHR app is an application that allows patients to access their personal health information through Certified APIs. In accordance with 21st Century Cures Info Blocking laws, all patients must have access to their health records through PHR apps. To comply with the Cures Act, athenahealth has built automatic, self-service registration for PHR apps to foster seamless interoperability and prevent information blocking for our clients’ patients.

With the changes being released in 22.7, you will be able to do the following within the Developer Console for self-service registration of a PHR app:

  • Select the environment you wish to obtain credentials for (preview or production)
  • Provide your app registration details online to immediately obtain your preview or production app credentials

After a PHR app is registered, it is important to note the following:

  • You must select the APIs you require for your app. You will receive real-time approval of these APIs for sandbox and preview testing as well as for usage in production apps

The app will automatically be listed on the athenahealth Marketplace for patients to be able to

  • access. You may submit a request to enhance your Marketplace listing page via the Developer Console.
  • The app will automatically be enabled to access all athenahealth tablespaces. The app will not be able to retrieve a patients’ data, though, until receiving consent from that patient.

 Important: PHR apps may only use Certified APIs. If an app requires 1+ non-Certified APIs, it is no longer considered a PHR app and must follow the steps below for registration.

App registration for all other 3-legged apps

With the 22.7 Summer Release, self-service registration will also support apps that require 3-legged OAuth but are not considered a PHR app as they either 1) are a provider app or 2) use 1+ non-Certified API.

For non-PHR 3-legged OAuth apps, the following will be supported in app registration:  

  • Provide your app registration details online to immediately obtain your preview app credentials

After registering your app, the following can be done to continue building your app:

  • Select the APIs you require for your app and receive real-time approval of these APIs for testing in sandbox and preview environments
  • Download the Tech Spec form within your apps’ Console page to submit to athenahealth for review if you require any non-Certified APIs
  • Download the Marketplace form within your apps’ Console page to submit to athenahealth to create your Marketplace listing
  • Reach out to athenahealth for solution validation prior to your production credentials being issued

What will current users of the endpoint need to update in their code?


What will happen if users of the endpoint do not update their code?


Was this information helpful? Yes | No Thank you for your feedback! What went wrong? Incomplete or incorrect information | Irrelevant Content | Others

On this Page