unknown_kid when accessing sandbox with token

Workflow or API calls:

We get a token using:

curl -X POST \
'https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/hosts/fhir-ehr.sandboxcerner.com/protocols/oauth2/profiles/smart-v1/token' \
-H 'Accept: application/json' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Authorization: Basic <encoded client id/secret>' \
-d 'grant_type=client_credentials&scope=system/Patient.read&aud=https://fhir-ehr.sandboxcerner.com/r4/ec2458f2-1e24-41c8-b71b-0e701af7583d'

This returns an access token as expected. But when using the token:

curl -H "Authorization: Bearer <access_token>" \
'https://fhir-ehr.sandboxcerner.com/r4/ec2458f2-1e24-41c8-b71b-0e701af7583d/Patient?family=Smart'

We get:

{
"code": 401,
"message": "code=\"urn:cerner:error:oauth2:resource-access:signature-verification-failed\", error=\"invalid_token\", subcode=\"unknown_kid\", kid=\"2025-07-18T02:10:26.541.ec.es256\""
}

The sandbox rejects this type of EC-signed token and apparently requires RS256 RSA-signed tokens.

It appears there is some issue on the back end, but I'm open to suggestions.

Added on Jul 19 2025
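
Added example, not part of the original post and not Oracle's code: a local check of which `alg` and `kid` a token's header carries and whether a given JWKS contains a matching key, which is the lookup the `unknown_kid` subcode suggests failed. It assumes the access token is a compact JWS; the sample token and both JWKS documents are constructed, and all function names are hypothetical.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (RFC 7515, section 2)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jws_header(token: str) -> dict:
    """Return the protected header of a compact JWS. Nothing is verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JWS header is not a JSON object")
    return header

def diagnose(token: str, jwks: dict) -> str:
    """Classify the key lookup a verifier holding `jwks` would perform."""
    header = jws_header(token)
    kid, alg = header.get("kid"), header.get("alg")
    if kid is None:
        return "missing_kid"
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)
    if key is None:
        return "unknown_kid"
    # ES* algorithms need an EC key; RS*/PS* need an RSA key (RFC 7518).
    expected_kty = {"ES": "EC", "RS": "RSA", "PS": "RSA"}.get((alg or "")[:2])
    if expected_kty is None or key.get("kty") != expected_kty or key.get("alg", alg) != alg:
        return "alg_key_mismatch"
    return "key_found"

def make_token(header: dict) -> str:
    """Build a constructed sample token with placeholder payload and signature."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(b'{"sub":"sample"}'), enc(b"sig")])

# Constructed sample data: KID is the value quoted in the 401 response above;
# the JWKS contents are invented for illustration only.
KID = "2025-07-18T02:10:26.541.ec.es256"
SAMPLE_TOKEN = make_token({"alg": "ES256", "kid": KID, "typ": "JWT"})
JWKS_RSA_ONLY = {"keys": [{"kty": "RSA", "kid": "constructed-rsa-key", "alg": "RS256"}]}
JWKS_WITH_EC = {"keys": JWKS_RSA_ONLY["keys"] + [{"kty": "EC", "kid": KID, "crv": "P-256"}]}

if __name__ == "__main__":
    print(jws_header(SAMPLE_TOKEN))
    print(diagnose(SAMPLE_TOKEN, JWKS_RSA_ONLY))
    print(diagnose(SAMPLE_TOKEN, JWKS_WITH_EC))
```

Only the header segment is needed for this check, so the full bearer token can stay out of logs and support tickets.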