Authentication
Overview
b.well uses OAuth 2.0 for authentication and scope-based authorization across all APIs and services. This guide helps you choose the right authentication method for your integration.
Authentication Methods
b.well supports two authentication patterns for different use cases:
End-User Authentication
OAuth 2.0 Token Exchange with OpenID Connect (OIDC)
Use end-user authentication when your application accesses data on behalf of a specific user — like a patient viewing their health records in your mobile app.
How it works: Users authenticate through your existing Identity Provider (IdP). b.well exchanges your OIDC ID token for a b.well access token, maintaining consistent user identity across systems and enabling Single Sign-On (SSO).
Other authentication options: While OAuth 2.0 Token Exchange is the standard pattern, If you prefer to use b.well as your Identity Provider or need custom authentication patterns, contact the b.well team.
Learn more about End-User Authentication →
System Authentication
OAuth 2.0 Client Credentials
Use system authentication for server-to-server access without a specific user context — like bulk data operations, analytics, or data synchronization.
How it works: Your server authenticates directly with b.well using client credentials to obtain an access token for system-level operations.
Learn more about System Authentication →
Quick Comparison
| Type | When to Use | Common Use Cases |
|---|---|---|
| End-User Auth | User-facing applications that access individual user data | Consumer health apps, patient portals, mobile apps, personal health records |
| System Auth | Backend services performing operations without user context | Data pipelines, bulk FHIR operations, analytics, system integrations |
Need both?
Many implementations use both methods for different parts of their application — end-user auth for mobile apps and system auth for backend processes.
Updated 8 days ago