Create an account on the Epic on FHIR developer portal (fhir.epic.com) and register a new application, providing the app name, redirect URIs, and desired SMART scopes.
Epic generates a non-production client_id for sandbox use; use this client_id in your SMART launch flow—no secret is issued for public apps.
For backend/confidential apps, generate an RSA key pair, upload the public key (or JWKS URL) in the app registration, and sign JWT assertions with the private key for client authentication.
Point your app at Epic's sandbox base URL (provided in the developer portal) and complete the SMART standalone launch to obtain a token scoped to a synthetic patient.
Make FHIR R4 requests (e.g. GET {sandbox-base}/Patient/{id}) using the access token; Epic's sandbox populates synthetic patient data conforming to US Core and Epic's own profiles.
Before going to production, submit the app for Epic's review process; production client_ids are issued only after review and an agreement with the Epic customer organization.
Known gotchas
Epic uses organization-level FHIR base URLs; each Epic-hosted health system has its own endpoint—use the Epic endpoint directory or FHIR Well-Known to discover the correct URL for a given organization.
Some FHIR resources or operations require additional scopes or are restricted to specific app types (patient-facing vs. clinician-facing vs. backend); check Epic's scope documentation carefully.
Sandbox synthetic patients may not reflect all edge cases in real patient data; test against Epic's MyChart sandbox patients as well as custom scenarios before production launch.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp