Z1.2.1.2 | BgZ: Authentication & Authorization

Original page can be found at: 10.4.2 | TTA FHIR - Authorization

Attention! The specifications and requirements in this chapter are still specific to the Notified Pull communication pattern and have not yet been generalized to other communication patterns.

Resource server authorization: OAuth 2.0

At the application level, both the Notification endpoint of the Receiving System and the FHIR endpoint of the Sending System are considered resource endpoints that must be secured with OAuth 2.0 (https://www.rfc-editor.org/rfc/rfc6749). This implies that a client that wants to interact with a resource server (the FHIR or Notification endpoint) must first obtain an access token from an authorization server. The client must present this access token as a bearer token in the HTTP Authorization header of each request to the resource server, as specified in https://www.rfc-editor.org/rfc/rfc6750#section-2.1.
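As an added illustration (not part of the Twiin specification or any reference implementation), the following Python sketch shows how a resource endpoint such as the FHIR or Notification endpoint can enforce the bearer-token requirement of RFC 6750 section 2.1 and answer with the challenge and error codes of RFC 6750 section 3. The realm name, the sample tokens and the token validator are assumptions, since this page does not state how access tokens are validated.

```python
import re
from typing import Callable, Mapping, Optional, Tuple

# RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token
# b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_BEARER_RE = re.compile(r"^Bearer +([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)

REALM = "fhir"  # assumed realm name; not taken from the specification


class BearerError(Exception):
    """Carries an RFC 6750 section 3.1 error code and the matching HTTP status."""

    def __init__(self, error: str, status: int, description: str):
        super().__init__(description)
        self.error, self.status, self.description = error, status, description


def extract_bearer_token(headers: Mapping[str, str]) -> str:
    """Return the b64token from the Authorization header or raise BearerError."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        # No credentials at all: RFC 6750 section 3 says to challenge without an error code.
        raise BearerError("", 401, "missing Authorization header")
    match = _BEARER_RE.match(value.strip())
    if not match:
        # Wrong scheme, empty token or illegal characters: invalid_request -> 400.
        raise BearerError("invalid_request", 400, "malformed bearer credentials")
    return match.group(1)


def authorize_request(headers: Mapping[str, str],
                      validate: Callable[[str], bool]) -> Tuple[int, dict, Optional[str]]:
    """Enforce bearer authentication at a resource endpoint.

    Returns (http_status, response_headers, token); status 200 means the
    request may proceed. `validate` is the assumed token check (introspection
    or signature verification in a real deployment)."""
    try:
        token = extract_bearer_token(headers)
        if not validate(token):
            raise BearerError("invalid_token", 401, "token rejected by validator")
    except BearerError as e:
        challenge = f'Bearer realm="{REALM}"'
        if e.error:
            challenge += f', error="{e.error}", error_description="{e.description}"'
        return e.status, {"WWW-Authenticate": challenge}, None
    return 200, {}, token


# Constructed sample validator: a fixed allow-list standing in for real validation.
KNOWN_TOKENS = {"sample.token-1", "sample.token-2"}
sample_validate = lambda token: token in KNOWN_TOKENS  # noqa: E731
```

The validator shown here is a placeholder; a real resource server verifies the token with the authorization server (token introspection) or by checking its signature and claims.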

For further information on the transaction involved, see Twiin-07 | Token Request.