2025/06/26

WSO2 Healthcare: Achieving G10 Certification with Ease

Introduction

The push for digital health innovation and patient-centered care has driven major updates to the ONC Health IT Certification Program. One of the most impactful updates is G10 certification (G10), a requirement that ensures health IT systems offer standardized, secure, and interoperable APIs based on FHIR and SMART on FHIR specifications.

G10 is a critical compliance requirement under the 21st Century Cures Act Final Rule, issued by the Office of the National Coordinator for Health IT (ONC). It mandates that certified health IT systems expose FHIR R4-based APIs using SMART on FHIR protocols, enabling secure, standards-based access to patient and population health data.

The core objective of G10 is to enhance interoperability, patient empowerment, and third-party app integration—ultimately improving patient care delivery through open data access. As healthcare systems rapidly digitize, G10 compliance is no longer optional for vendors who want to stay relevant and eligible for federal programs.

This blog covers:

  • What G10 entails and why it matters now
  • The G10 compliance deadline and its implications
  • Key authorization flows and resource access patterns
  • How WSO2 Accelerator for Healthcare, with Asgardeo and Devant, helps you achieve G10 Certification
  • Test kit support and version compatibility

G10 Compliance Deadline: December 31, 2025

The ONC has set December 31, 2025, as the deadline for mandatory G10 certification. Vendors who fail to comply by this date will lose their ONC-certified status, directly impacting their ability to provide Health IT Modules to healthcare providers and hospitals participating in federal incentive programs.

If you haven’t already begun preparing for G10, now is the time to act.

Overview

G10, defined under §170.315(g)(10), introduces a standardized API requirement to support patient and population services through secure data exchange. Its key requirements include:

  • Use of FHIR R4 US Core 3.1.1 profiles
  • Authorization flows based on SMART App Launch 1.0.0
  • Secure access via OAuth 2.0 and OpenID Connect (OIDC)
  • Support for Bulk Data Export 1.0.1 for population-level data sharing

By enforcing consistency in API behavior across EHR systems, G10 unlocks better data portability, third-party app integration, and research capabilities, while aligning the ecosystem to ONC’s broader goals of interoperability and information transparency.

SMART Authorization and FHIR Resource Access

A central aspect of G10 certification is the secure authorization of FHIR resource access using the SMART on FHIR framework. Here's a simplified view of how it works in a Standalone App Launch scenario:

  1. Discovery: The app queries the EHR’s well-known and SMART configuration endpoints to learn the available OAuth 2.0 endpoints.
  2. Authorization: The user is redirected to the EHR’s authorization server to log in and grant consent.
  3. Token Exchange: The app receives an authorization code, which it exchanges at the token endpoint for access and refresh tokens.
  4. Data Access: The app uses the token to access FHIR R4 resources securely from the EHR system.

The general standalone app launch sequence of G10 is as follows.


Figure 1: SMART Authorization Flow

SMART on FHIR Discovery

To comply with the SMART on FHIR App Launch Framework, an EHR authorization server must expose specific metadata endpoints. These include the SMART configuration endpoint and the OAuth 2.0 well-known configuration endpoint, which advertise the server's capabilities and the URLs for OAuth 2.0 authorization and token endpoints. As part of the G10 flow, when a user selects an application, the app first queries these endpoints to discover the required OAuth endpoints. This discovery process is a fundamental step that enables SMART apps to initiate secure authorization requests against the EHR system.

Standalone Launch Flow

In the standalone launch sequence, the application initiates an OAuth 2.0 authorization request with the required launch context and scopes. The EHR authorization server authenticates the user and requests consent for the app to access their health data. Upon successful consent, the server returns an authorization code to the app's redirect URI, along with the original state parameter for validation.

The app then exchanges this authorization code at the token endpoint to obtain an access token, which it can use to access FHIR resources. G10 compliance mandates that both the authorize and token endpoints are secured using TLS. Additionally, the token response must follow SMART and OAuth specifications, including support for refresh tokens as defined in the OAuth 2.0 Authorization Framework.
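The discovery and standalone launch steps described above, as an added Python example that is not part of the original post and not WSO2 product code: it parses a constructed SMART configuration document, requires TLS on both OAuth endpoints, builds the authorization request with a random state, validates the callback, and checks the token response. The EHR URLs, client id, redirect URI and scopes are made-up sample values.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed SMART configuration document, like the one an EHR serves at
# <fhir-base>/.well-known/smart-configuration (sample values, not a real server).
SMART_CONFIG_JSON = json.dumps({
    "authorization_endpoint": "https://ehr.example.org/oauth2/authorize",
    "token_endpoint": "https://ehr.example.org/oauth2/token",
    "capabilities": ["launch-standalone", "client-public", "sso-openid-connect"],
})

def discover(config_json):
    """Step 1: read the OAuth endpoints and require TLS on both, as G10 mandates."""
    cfg = json.loads(config_json)
    endpoints = {k: cfg[k] for k in ("authorization_endpoint", "token_endpoint")}
    for name, url in endpoints.items():
        if urlparse(url).scheme != "https":
            raise ValueError(f"{name} is not served over TLS: {url}")
    return endpoints, cfg.get("capabilities", [])

def build_authorize_url(auth_endpoint, client_id, redirect_uri, fhir_base, scope):
    """Step 2: authorization request; a fresh random state binds the callback."""
    state = secrets.token_urlsafe(24)
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state, "aud": fhir_base}  # aud = FHIR server
    return f"{auth_endpoint}?{urlencode(params)}", state

def parse_callback(callback_url, expected_state):
    """Step 3a: accept the code only if the echoed state matches the one we issued."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: rejecting callback (CSRF or replay)")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    return q["code"][0]

def check_token_response(body, requested_scope):
    """Step 3b: validate the token response before using the access token."""
    tok = json.loads(body)
    if tok.get("token_type", "").lower() != "bearer":
        raise ValueError("token_type must be Bearer")
    granted = set(tok.get("scope", "").split())
    if "offline_access" in granted and "refresh_token" not in tok:
        raise ValueError("offline_access granted but no refresh_token returned")
    if "launch/patient" in requested_scope.split() and "patient" not in tok:
        raise ValueError("launch/patient requested but no patient context returned")
    return tok["access_token"], tok.get("patient"), granted
```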

OpenID Connect (OIDC) Support

G10-compliant authorization servers must also support OpenID Connect (OIDC) and issue a valid ID token containing standard OIDC claims, including the required fhirUser claim. This signed ID token provides the app with information about the authenticated user and plays a crucial role in authorization decisions.
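An added example, not code from the original post or from Asgardeo, of the claim checks an app performs on the ID token described above, including the required fhirUser claim. It assumes the RS256 signature has already been verified against the server's JWKS by a JWT library, and make_demo_id_token is a constructed helper that emits a placeholder signature purely so the checks can be exercised offline.

```python
import base64
import json
import time
from urllib.parse import urlparse

# Resource types SMART App Launch 1.0.0 allows the fhirUser claim to reference.
FHIR_USER_TYPES = {"Patient", "Practitioner", "RelatedPerson", "Person"}

def _b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_demo_id_token(claims):
    """Constructed, demo-only token with a placeholder signature (never trust one)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "typ": "JWT"})
    return f"{header}.{enc(claims)}.placeholder-signature"

def validate_id_token(id_token, issuer, client_id, now=None):
    """Claim checks a SMART/G10 client performs on the ID token.

    Assumption: the caller's JWT library has already verified the RS256
    signature against the server's JWKS; this function only checks claims.
    """
    header_b64, payload_b64, _signature = id_token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}; SMART 1.0 specifies RS256")
    if claims.get("iss") != issuer:
        raise ValueError("iss does not match the issuer learned at discovery")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("ID token was not issued to this client_id")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("ID token has expired")
    fhir_user = claims.get("fhirUser")
    if not fhir_user:
        raise ValueError("required fhirUser claim is missing")
    parsed = urlparse(fhir_user)
    segments = parsed.path.rstrip("/").split("/")
    if parsed.scheme != "https" or not parsed.netloc or len(segments) < 3:
        raise ValueError("fhirUser must be an absolute https URL of a FHIR resource")
    resource_type, resource_id = segments[-2], segments[-1]
    if resource_type not in FHIR_USER_TYPES:
        raise ValueError(f"fhirUser must reference one of {sorted(FHIR_USER_TYPES)}")
    return {"sub": claims["sub"], "user_type": resource_type, "user_id": resource_id}
```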

Furthermore, G10 certification verifies additional requirements such as:

  • Support for both public and confidential clients
  • Token revocation mechanisms
  • EHR launch flows for confidential SMART apps
  • Validations to ensure backend services are properly integrated and functional

The Complexity of G10 Compliance

Achieving G10 compliance involves coordinating OAuth 2.0, OpenID Connect, and FHIR R4 standards into a seamless, secure authorization flow. While the specifications may seem straightforward, implementing them from scratch is complex and time-consuming without the right tools and platforms. It requires deep expertise in:

  • OAuth 2.0 authorization and token lifecycle management
  • OpenID Connect ID token customization and validation
  • FHIR R4 API modeling and resource validation
  • Security best practices including TLS, consent handling, and auditing
  • Compatibility with the Inferno G10 Test Kit

Without a purpose-built solution, this complexity can significantly delay certification, introduce security risks, and increase engineering effort.

How WSO2 Accelerator for Healthcare Helps


Figure 2: High Level Component Diagram for WSO2 G10

WSO2 Healthcare simplifies the G10 certification process by providing a ready-to-use solution for implementing compliant FHIR APIs and authorization workflows. It includes:

  • Built-in support for US Core 3.1.1 FHIR profiles
  • Full implementation of SMART App Launch 1.0.0
  • Secure OAuth 2.0 and OIDC integration via Asgardeo
  • Support for Bulk Data Access 1.0.1
  • Fine-grained scope-based authorization and access auditing
  • Seamless integration capabilities via Devant

G10 Test Coverage

WSO2 Accelerator for Healthcare has been fully validated against the official Inferno G10 Test Kit, including:

  • Standalone and EHR launch flows
  • Access to protected FHIR resources
  • ID token issuance and claims validation
  • Token revocation and refresh
  • Bulk data access

Standard            Version
US Core / USCDI     3.1.1 / v1
SMART App Launch    1.0.0
Bulk Data Access    1.0.1

The Role of Asgardeo and Devant

WSO2's cloud platforms (Asgardeo and Devant) play a critical role in enabling fast and scalable G10 compliance.

Asgardeo – Identity and Access Management as a Service

  • Fully manages OAuth 2.0 and OpenID Connect workflows
  • Issues ID tokens with required SMART claims (e.g., fhirUser)
  • Supports confidential/public apps and multi-tenant environments
  • Built-in support for refresh tokens, token introspection, and consent

Devant – Integration and API Management as a Service

  • Facilitates seamless connection to FHIR-compliant backends
  • Provides low-code orchestration and API transformation capabilities
  • Supports secure deployment pipelines and observability for APIs

Together, they abstract the technical complexity of G10 while offering scalability, security, and operational efficiency.

Why Choose WSO2 for G10 Compliance?

WSO2 offers the most comprehensive, modular, and cloud native platform for achieving and maintaining G10 certification.

✅ Inferno test kit validation
✅ Pre-built FHIR and SMART API components
✅ Developer-friendly configuration and tooling
✅ Flexible deployment—cloud, hybrid, or on-prem
✅ Faster time to certification with lower operational overhead

With WSO2, you can focus on building healthcare innovations while we take care of compliance.

Get Started Today

WSO2 Healthcare, in combination with Asgardeo and Devant, offers everything you need to achieve G10 certification—quickly, securely, and with confidence.

We’ll help you assess readiness, plan your integration, and guide you through testing and deployment.

Glossary

Term                     Definition
ONC                      Office of the National Coordinator for Health IT
FHIR                     Fast Healthcare Interoperability Resources – a standard for health data
OAuth 2.0                An open protocol for secure authorization
OpenID Connect (OIDC)    An identity layer on top of OAuth 2.0 used to verify user identity
USCDI v1                 Core clinical data set for interoperability
Inferno Test Kit         The official tool for validating G10 certification compliance
Asgardeo                 WSO2’s cloud-based identity and access management platform
Devant                   WSO2’s cloud native integration and API management platform
