FHIR R4 Provider Directory API
Fonteum exposes its federated healthcare provider graph as a standards-conformant FHIR R4 API. US Core 6.1.0, Da Vinci PDex, Bulk Data Access ($export), and SMART Backend Services auth — all backed by 14-tuple field-level provenance on every resource.
NPPES + PECOS + Care Compare + HRSA — served as FHIR.
The Fonteum FHIR R4 endpoint gives EHRs, payer platforms, and analytics tools a single HL7-canonical interface to the fullFonteum provider graph — 7M+ NPI records from NPPES, facility data from CMS Care Compare (nursing homes, hospice, home health, dialysis), HRSA HPSA designations, OIG LEIE exclusion flags, and CMS QPP MIPS performance scores. Every field carries source, date, and limitation metadata.
Conformance levels:
- US Core 6.1.0 — ONC-mandated baseline for provider directory interoperability. 5 distinct USCDI v3 Provider resources declared in the CapabilityStatement.
- Da Vinci PDex Provider Directory — CMS Interoperability and Patient Access Final Rule (45 CFR §156.221). Payer network exposure via
/fhir/r4/pdex/. - FHIR Bulk Data Access v2.0.0 — Async system-level
$exportreturning NDJSON with per-resource provenance tags. - SMART Backend Services — client_credentials flow with signed JWT for authenticated access and bulk export.
One base URL. All resources, all profiles.
All FHIR R4 endpoints are served under:
https://mcp.fonteum.com/fhir/r4
The CapabilityStatement at https://mcp.fonteum.com/fhir/r4/metadata is the authoritative discovery document — it enumerates every supported resource, search parameter, and operation. Da Vinci PDex-profiled endpoints live under https://mcp.fonteum.com/fhir/r4/pdex/. The legacy base at https://fonteum.com/api/fhir remains available for backwards compatibility (e.g. https://fonteum.com/api/fhir/Practitioner, https://fonteum.com/api/fhir/Organization). All responses use Content-Type: application/fhir+json. Errors return FHIR-canonical OperationOutcome resources — not generic JSON error envelopes.
5 distinct USCDI v3 Provider resources. Source-backed.
Each resource is backed by one or more Fonteum federal source families. The logical id scheme and source family determine which identifier system to use when constructing read URLs.
| Resource | Logical id | Source family | Notes |
|---|---|---|---|
Practitioner | NPI (10-digit) | NPPES, CMS PECOS PPEF, CMS QPP MIPS | Identifier system: http://hl7.org/fhir/sid/us-npi |
Organization | CCN (6-char) | CMS Care Compare (Nursing Home, Hospice, Home Health, Dialysis), CMS POS iQIES | Identifier system: http://hl7.org/fhir/sid/us-ccn |
PractitionerRole | prr-{NPI}-{CCN|solo} | NPPES + CMS Care Compare (join) | Links a Practitioner to an Organization at a Location.solo when no facility affiliation. |
Location | {sourceType}-{sourceKey} | NPPES (npi-prefixed), CMS Care Compare (ccn-prefixed), HRSA HPSA (hpsa-prefixed) | sourceType ∈ {ccn, npi, hpsa} |
HealthcareService | hs-{NPI} | NPPES taxonomy codes, HRSA HPSA | NUCC provider taxonomy → FHIR specialty mapping. Methodology pinned at us-core-healthcare-service/v1. |
All resources expose full search parameter sets. See /api/fhir/metadata for the authoritative parameter list per resource type.
Async $export. NDJSON. 14-tuple provenance on every line.
The $export operation implements the HL7 FHIR Bulk Data Access v2.0.0 implementation guide. A POST to https://mcp.fonteum.com/fhir/r4/$export returns HTTP 202 with a Content-Location status URL. Poll the status URL until "status": "completed", then download the NDJSON output files.
- Format: NDJSON — one FHIR resource JSON object per line,
application/fhir+ndjsoncontent type. - Provenance: Every NDJSON line carries the same 14-tuple
meta.tagcontract as single-resource reads — source_id, snapshot_date, ingestion_run_id, methodology_version, license_spdx, and nine additional governance tags. - Scope filters:
_typelimits the export to specific resource types._sincelimits to resources updated after an ISO-8601 instant. - Auth required: SMART Backend Services JWT (client_credentials flow) is required for all $export requests.
- Concurrency: 1 active job per
client_id. Additional requests return HTTP 429 until the active job completes or is cancelled.
# Initiate a system-level $export (requires SMART Backend Services JWT) curl -sX POST \ -H "Authorization: Bearer <signed-jwt>" \ -H "Accept: application/fhir+json" \ -H "Prefer: respond-async" \ "https://mcp.fonteum.com/fhir/r4/\$export?_type=Practitioner,Organization" \ -I | grep -i content-location # → Content-Location: https://mcp.fonteum.com/fhir/r4/$export/status/<job-id> # Poll export status curl -sH "Authorization: Bearer <signed-jwt>" \ "https://mcp.fonteum.com/fhir/r4/\$export/status/<job-id>" | jq '.status' # → "completed" # Response includes output[] array of NDJSON file URLs
Anon reads. SMART Backend Services for $export.
The API has two auth tiers:
- Anonymous (read-only): All GET endpoints accept unauthenticated requests up to the anon rate limit (60 req/min/IP). Pass the public key in the
X-Fonteum-Public-Keyheader to identify your client and receive a higher rate limit bucket:X-Fonteum-Public-Key: <MCP_PUBLIC_KEY>. - SMART Backend Services (client_credentials): Required for
$exportand for sustained read workloads above the anon limit. Generate a client assertion JWT signed with your registered RSA-2048 or ES384 private key, exchange it for a Bearer token at the token endpoint, then passAuthorization: Bearer <token>on each request.
Token endpoint and JWKS registration URL are in the SMART configuration document:
# Retrieve the CapabilityStatement (no auth required) curl -sH "Accept: application/fhir+json" \ "https://mcp.fonteum.com/fhir/r4/metadata" | jq '.fhirVersion' # → "4.0.1" # SMART on FHIR discovery curl -s "https://mcp.fonteum.com/fhir/r4/.well-known/smart-configuration" | jq '.token_endpoint'
Bearer tokens are short-lived (15 minutes). Rotate them using the client_credentials grant before expiry. The .well-known/smart-configuration endpoint is public and returns the token endpoint URL and supported scopes (system/*.read, system/$export).
curl — the minimal client for every endpoint.
Practitioner — search by NPI identifier
# Read a Practitioner by NPI (identifier token search) curl -sH "Accept: application/fhir+json" \ "https://mcp.fonteum.com/fhir/r4/Practitioner?identifier=http://hl7.org/fhir/sid/us-npi|1245319599" \ | jq '.entry[0].resource.resourceType' # → "Practitioner" # Read a single Practitioner by logical id curl -sH "Accept: application/fhir+json" \ "https://mcp.fonteum.com/fhir/r4/Practitioner/1245319599" | jq '.name[0].family' # → "SMITH" # Search by family name curl -sH "Accept: application/fhir+json" \ "https://mcp.fonteum.com/fhir/r4/Practitioner?family=Smith&_count=20" | jq '.total'
Organization — search by name
# Search Organizations by name curl -sH "Accept: application/fhir+json" \ "https://mcp.fonteum.com/fhir/r4/Organization?name=Mercy+General" | jq '.entry[0].resource.name' # → "MERCY GENERAL HOSPITAL" # Filter by state curl -sH "Accept: application/fhir+json" \ "https://mcp.fonteum.com/fhir/r4/Organization?address-state=CA&_count=20" | jq '.total'
Bulk $export — initiate and poll
# Initiate a system-level $export (requires SMART Backend Services JWT) curl -sX POST \ -H "Authorization: Bearer <signed-jwt>" \ -H "Accept: application/fhir+json" \ -H "Prefer: respond-async" \ "https://mcp.fonteum.com/fhir/r4/\$export?_type=Practitioner,Organization" \ -I | grep -i content-location # → Content-Location: https://mcp.fonteum.com/fhir/r4/$export/status/<job-id> # Poll export status curl -sH "Authorization: Bearer <signed-jwt>" \ "https://mcp.fonteum.com/fhir/r4/\$export/status/<job-id>" | jq '.status' # → "completed" # Response includes output[] array of NDJSON file URLs
For Python (fhirclient), JavaScript (fhirpath), and R examples, see the full code samples section below, or the legacy bulk export reference.
14-tuple per field. Source, date, limitation — always.
Fonteum’s core trust contract: every rendered fact ties to a provider_field_provenance row in the database, which itself ties to a data_sources row. In FHIR resources, this contract is projected onto meta.tag as a set of Coding entries under the https://fonteum.com/fhir/CodeSystem/provenance-tag system.
The 14-tuple tags carried on every resource:
| Tag code | Description |
|---|---|
source_id | Fonteum source family slug (e.g. cms-nppes, cms-care-compare) |
snapshot_date | ISO-8601 date of the ingested upstream snapshot |
ingestion_run_id | UUID of the ingestion_runs row — reproducible |
field_name | Canonical field name (e.g. name.family, address.city) |
raw_value_hash | SHA-256 of the raw upstream value before normalization |
methodology_version | Pinned methodology version string (e.g. us-core-practitioner/v1) |
license_spdx | SPDX license identifier (US-Government-Works or CC-BY-4.0) |
jurisdiction | CMS jurisdiction or NPPES region code |
refresh_cadence | Expected refresh frequency (daily, weekly, monthly, quarterly) |
limitation | Known limitation or caveat for this field |
displayable | Boolean — whether the field passes provider_field_displayable view |
witness_signature | Ed25519 co-signature reference (snapshot_witness_signatures) |
cite_url | Canonical citation URL for this snapshot |
verify_url | SHA-256 hash-match endpoint (/verify/<snapshot-id>) |
Full specification: /docs/provenance-contract. Integrity attestations (Ed25519 co-signatures per snapshot) are publicly readable at /trust/integrity.
60 req/min anon. 600 req/min authenticated.
| Tier | Limit | Scope |
|---|---|---|
| Anonymous | 60 req / min | Per IP address |
| Public key (MCP_PUBLIC_KEY) | 300 req / min | Per key |
| SMART Backend Services (JWT Bearer) | 600 req / min | Per client_id |
| $export concurrency | 1 active job | Per client_id |
Requests above the limit receive HTTP 429 with a Retry-After header (seconds until the next window). Rate limit headers on every response:
X-RateLimit-Limit— limit for the current tierX-RateLimit-Remaining— requests remaining in the current windowX-RateLimit-Reset— Unix timestamp when the window resets
SLA:The FHIR endpoint targets 99.9% uptime, measured monthly. Bulk $export jobs targeting the full Practitioner resource set (>7M records) complete within 30 minutes under normal load. Status pages and incident history: /trust.
For sustained workloads above the authenticated tier, contact /pilot-intake to discuss an enterprise SLA.
Related documentation.
- /api/fhir/metadata — live CapabilityStatement (US Core 6.1.0, 5 resources)
- /docs/provenance-contract — full 14-tuple provenance contract specification
- /docs/bulk-export — gzipped CSV bulk download surface (alternative to $export)
- /docs/researcher-api — REST API for research queries and dataset access
- /data-catalog — DCAT-US 3.0 dataset catalog
- /trust/integrity — SHA-256 snapshot attestations + Ed25519 co-signatures
- /cite — citation guidance + BibTeX templates
Common developer questions.
Do I need authentication to access the API?
No. All GET endpoints support anonymous access up to 60 requests per minute per IP. Pass X-Fonteum-Public-Key: <MCP_PUBLIC_KEY> to lift the limit to 300 req/min. SMART Backend Services JWT auth (600 req/min) is required only for $export.
Which FHIR implementation guides does Fonteum conform to?
US Core 6.1.0 (ONC-mandated baseline), Da Vinci PDex Provider Directory (CMS Interoperability Final Rule 45 CFR §156.221), and the HL7 FHIR Bulk Data Access v2.0.0 IG for $export.
How is field-level provenance encoded in FHIR resources?
Every resource carries a 14-tuple provenance contract in meta.tag as Coding entries under the Fonteum provenance CodeSystem URI. Tags include source_id, snapshot_date, ingestion_run_id, methodology_version, license_spdx, and nine additional governance fields. See /docs/provenance-contract for the full spec.
What is the rate limit for the FHIR API?
Anonymous: 60 req/min/IP. Public key: 300 req/min/key. SMART Backend Services JWT: 600 req/min/client_id. Bulk $export: 1 concurrent job per client_id. Sustained enterprise workloads: contact /pilot-intake.