Enterprise integration reference
Read-only FHIR for governed trial execution. How Damaros clinic nodes connect to Epic through SMART Backend Services: JWT assertions, JWKS discovery, cohort-scoped evidence, deterministic screening, and replay lineage. For integration teams, security reviewers, and sponsor diligence.
Damaros RuntimeDocument scope
Damaros connects to Epic as a Backend Systems application. Integration is read-only by default, cohort-scoped, and server-side only. This page covers authentication, JWKS, requested scopes, sync behavior, clinical boundaries, audit, and cutover posture.
| IN_SCOPE | OAuth flow, JWT assertions, JWKS URLs and rotation, FHIR scopes, sync model, data minimization, network egress, replay provenance |
| OUT_OF_SCOPE | Customer Epic client IDs, private signing PEM, internal service topology, hospital-specific firewall rules |
| RUNTIME | Eligibility verdicts are deterministic. PHI never reaches an LLM. See Damaros Runtime. |
Research execution on approved cohorts
Damaros is trial-capable care infrastructure. Site-approved FHIR binds locked protocol logic to a defined cohort, evaluates eligibility deterministically, and preserves criterion-level evidence on one audit path.
Deterministic core. Versioned protocol logic plus normalized clinical facts feed one eligibility engine. PASS, REVIEW, or FAIL at criterion granularity. No generative verdict on the screening path.
Trident compiles protocols. Luna makes every AI step inspectable. Neither issues eligibility verdicts.
FHIR sync to screening
| COHORT_ENTRY | GET Group/{id} resolves Epic-approved trial evidence list membership |
| PATIENT_BUNDLE | Patient-scoped searches for Observation, Condition, MedicationRequest, Procedure, AllergyIntolerance, DocumentReference metadata |
| SEARCH_DISCIPLINE | Epic-tuned searches per resource type. Not a full-chart bulk extract. |
| NORMALIZATION | Only contract-mapped structured fields persist for evaluation. Unmapped FHIR fields are discarded before screening. |
| BULK_EXPORT | Optional read-only bulk export where institution enables it. Same normalization and minimization rules apply. |
| PROVENANCE | Resource IDs, retrieval timestamps, and cohort snapshot ID attach to the replay bundle |
Backend Services token exchange
Production uses SMART on FHIR Backend Services. Damaros signs a short-lived JWT client assertion, posts it to Epic's token URL, and receives an access token. PKCE does not apply to Backend Systems. User-facing OAuth and browser token storage are not used for FHIR access.
| GRANT_TYPE | client_credentials |
| CLIENT_ASSERTION_TYPE | urn:ietf:params:oauth:client-assertion-type:jwt-bearer |
| ASSERTION_TTL | exp within 300 seconds of iat; access token TTL from Epic; in-memory cache only |
| TOKEN_STORAGE | Server-side process memory only. Never in browsers, localStorage, or client bundles. |
| REQUIRED_CLAIMS | iss, sub (Epic client ID), aud (token URL), jti, iat, exp |
| HEADER | alg (RS384 default), kid matching published JWKS entry, typ JWT |
POST /oauth2/token HTTP/1.1 Content-Type: application/x-www-form-urlencoded grant_type=client_credentials &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &client_assertion=<signed JWT>
// Header
{ "alg": "RS384", "kid": "epic-prod-2026-04", "typ": "JWT" }
// Payload (claims abbreviated)
{
"iss": "<Epic Backend Services client ID>",
"sub": "<Epic Backend Services client ID>",
"aud": "https://fhir.epic.com/interconnect-fhir-oauth/oauth2/token",
"jti": "d7f3a1b2-4c8e-4f91-9a2d-1e6b0c8d4f2a",
"iat": 1748736000,
"exp": 1748736300
}
Integration architecture summary
| APPLICATION_AUDIENCE | Backend Systems (Epic-registered Backend Services app) |
| PRIMARY_OAUTH_MODEL | client_credentials + JWT client assertion to Epic token URL |
| FHIR_VERSION | R4 |
| AUTH_STANDARD | SMART on FHIR Backend Services (RFC 7523) |
| JWT_ALGORITHM | RS384 (override via deployment config if Epic requires) |
| COHORT_RESOLUTION | GET Group/{id} for Epic-approved trial evidence lists |
| DEFAULT_ACCESS | Read-only FHIR; no EHR write-back unless explicit env gates are set |
| EXECUTION_CHAIN | Protocol → Evidence → Screening → Replay on governed cohort snapshots |
| TRANSPORT | TLS 1.2+ for all FHIR and OAuth traffic |
Environment separation, JWKS hosting, and rotation
Epic validates Damaros client assertions against public keys published in JWKS documents. Private signing material never leaves secret stores. Public keys are the only cryptographic material exposed on the wire or in public JSON.
| NON_PRODUCTION | Separate Epic sandbox client ID, signing keypair, and JWKS URL |
| PRODUCTION | Independent Epic production client ID, signing keypair, and JWKS URL |
| JWKS_NONPROD_URL | https://www.damaros.ai/.well-known/jwks-nonprod.json |
| JWKS_PROD_URL | https://www.damaros.ai/.well-known/jwks-prod.json |
| JWKS_HOSTING | Public JWKS documents served over HTTPS from Damaros-controlled DNS and TLS |
| JWKS_CONTENT | Public RSA keys only: kty, use, alg, kid, n, e. No private material, no certificates unless required by registrar. |
| SECRET_STORAGE | Private signing PEM from secret manager or secure mount; never in git, CI logs, or client bundles |
| ASSERTION_KID | JWT header kid must match a published JWKS entry for the active environment |
| KEY_LENGTH | RSA 2048-bit minimum for new keypairs |
kid. (3) Confirm Epic resolves the new key. (4) Switch signing to new kid. (5) Retire prior public key after overlap window. Never remove the incumbent key before Epic confirms the successor.{
"keys": [{
"kty": "RSA",
"use": "sig",
"alg": "RS384",
"kid": "epic-prod-2026-04",
"n": "1tCLz4Y...TRUNCATED...lpUmU3w",
"e": "AQAB"
}]
}
{
"keys": [
{ "kid": "epic-prod-2026-04", "alg": "RS384", "..." },
{ "kid": "epic-prod-2026-10", "alg": "RS384", "..." }
]
}
Initial requested scopes
An OAuth floor of eight system/*.read scopes covers the per-patient eligibility bundle plus cohort membership via GET Group/{id}. No write scopes on first deployment. The connector never calls FHIR Binary; DocumentReference ingest keeps metadata only.
- system/Patient.readPatient resource for cohort binding and demographics used in deterministic rules
- system/Group.readResolve Epic cohort membership for approved trial evidence lists
- system/Observation.readLaboratory observations per Epic-tuned searches, not a full-chart extract
- system/Condition.readActive and problem-list context for inclusion or exclusion criteria
- system/MedicationRequest.readOutpatient medication orders for protocol-relevant criteria
- system/Procedure.readHistorical procedures referenced by criteria
- system/AllergyIntolerance.readAllergies via patient-scoped search only
- system/DocumentReference.readSearch, normalized to metadata only. No narrative content, no Binary follow-up.
| EXCLUDED | All write scopes, system/Binary.read, user-facing SMART scopes, offline refresh tokens in browsers |
| RATIONALE | Eligibility runs on structured fields the protocol maps. Narrative and attachment content are out of scope for deterministic screening. |
FHIR resource handling and minimization
| Patient | Demographics and identifiers needed for cohort binding and criterion evaluation. Stored per deployment retention policy. |
| Group | Cohort membership resolution only. Not used as a longitudinal record. |
| Observation | Structured lab and vital values mapped to protocol facts. Reference ranges and coded values preferred over free text. |
| Condition | Active and problem-list diagnoses mapped to protocol concepts. Uncoded text triggers REVIEW where mapping is ambiguous. |
| MedicationRequest | Outpatient orders relevant to inclusion or exclusion windows. |
| Procedure | Historical procedures referenced by criteria. |
| AllergyIntolerance | Structured allergy entries via patient-scoped search. |
| DocumentReference | Metadata only: type, date, status, identifiers. No Binary retrieval. No narrative body storage for screening. |
Clinical data boundary
- Evidence cohorts (Epic cohorts) are defined by approved protocol logic or institutional configuration.
- PHI is processed inside the institution-approved deployment boundary, with tenant isolation per the deploy contract.
- PHI never reaches an LLM. Criterion PASS / REVIEW / FAIL comes only from the deterministic engine on ingested FHIR. No patient identifiers or cohort-linked fields are serialized into any optional external request path.
- Helm deployments ship deny-by-default API egress
NetworkPolicywith explicit CIDR allowlists for Epic FHIR, OIDC, in-cluster Postgres/Redis, and DNS. - Screening outputs are criterion-level PASS, REVIEW, or FAIL with evidence references, never an ungrounded generative verdict.
- Sponsor and CRO visibility stays permissioned and de-identified by default. See Damaros Runtime for the full visibility model.
Audit, determinism, and replay
- Decisions are reproducible for a fixed protocol version, cohort snapshot, evidence snapshot, and
evaluation_as_of. - Every patient outcome is recorded at criterion level with PASS, FAIL, or REVIEW and a rationale.
- Protocol amendments link to versioned protocol IDs and engine versions.
- FHIR sync provenance (resource IDs, retrieval timestamps, cohort membership) attaches to the replay bundle.
- Replay classifies agreement or divergence between runs. No opaque "model decided" eligibility.
- Re-execution on the same snapshot produces identical criterion outcomes.
Security, privacy, and logging
- Signing keys and Epic access tokens are server-side secrets; FHIR traffic uses TLS.
- JWKS endpoints serve public key material only. Private PEM never appears in logs, JWKS JSON, or marketing bundles.
- Structured logs favor stable identifiers: request id, org id, trial id, non-PHI codes.
- Field-level exclusion lists omit free-text clinical narrative from default log templates.
- Access is role-based with organization and trial scope. Sessions are time-bound and attributable.
- Data at rest encryption and retention follow the deployment architecture and the customer BAA / DPA.
Epic app registration posture
Each deployment registers as a Backend Systems application in Epic App Orchard or the institution's equivalent process. Registration lists the JWKS URL, requested scopes, and Backend Services audience. Sandbox and production registrations remain separate.
| APP_TYPE | Backend Systems / confidential client with JWT assertion |
| JWKS_URI | Environment-specific URL registered with Epic |
| REDIRECT_URIS | Not used for Backend Services FHIR access |
| WRITE_APIS | Not requested on initial deployment |
| BINARY | Not registered |
Validation to production cutover
Validation and production share the same eligibility engine, protocol compiler, and replay model. Sandbox FHIR credentials, JWKS URLs, and signing keys stay isolated from production. Retrospective validation runs produce replay artifacts that carry the same structure sponsors expect in live operations.
Cutover is a credential and environment swap, not a workflow rebuild. Integration teams verify token exchange, cohort resolution, scope coverage, and replay completeness in sandbox before production JWKS and client IDs are activated.
- Sandbox token exchange and FHIR read smoke tests against approved test cohort.
- Scope and search coverage review against locked protocol evidence requirements.
- Replay bundle completeness check on sample patients including REVIEW and FAIL paths.
- JWKS rotation drill in sandbox before production key lifecycle events.
Related documents
- Damaros Runtime
- Platform privacy and data handling
- Public website privacy notice (covers public JWKS hosting)
- Customer BAA / DPA and deployment security addendum (provided under contract)