Dev note: HFS FHIR (8080) and the Payer/Integrity services accept requests without auth. Login
matters for /auth/userinfo and /admin/*, and to see the role each account carries.
| Persona | Typical actions | Key endpoints |
|---|---|---|
| Patient | Log in, book appointment, view own chart/insurance | POST /auth/api/login · POST /Appointment |
| Receptionist | Register, verify insurance/eligibility, collect copay | GET /Coverage?beneficiary= · POST /api/eligibility |
| Doctor | Encounter, document, prescribe, code the visit | POST /Encounter · POST /Observation · POST /MedicationRequest |
| Admin / Biller | Build + submit claim, read EOB, record copay, manage users | POST /api/claims · GET /ClaimResponse/{id} · GET /admin/users |
| Payer (separate) | Adjudicate, run integrity, write EOB | POST /api/eligibility · POST /api/check |
The EMR (:3000) is a React app that calls the FHIR DB (:8080) directly with
the logged-in user's Bearer token. So every EMR action is a FHIR call, and what the same call is allowed to do
is decided by the OAuth scope the auth server mints for the role (auth-server/server.js ·
scopeForRole). Section 3 lists these per-role actions under the EMR · <role> groups.
| Role | EMR menu / screens | Token scope (what FHIR allows) |
|---|---|---|
| Admin | Invoices · Services · Encounters · Patients · Book Appointment · Practitioners · Questionnaires · Forms · Revenue Cycle · Magic Search | system/*.cruds — full read/write on everything |
| Doctor (practitioner) | Encounters · Patients · Book Appointment · Questionnaires · Forms · Revenue Cycle (code/draft — cannot submit) | user/*.cruds — read/write clinical resources |
| Receptionist | Patients · Scheduling · Book Appointment · Invoices · Medications · Prescriptions · Insurance tab (eligibility/copay). No Revenue Cycle back office. | Patient.crus · Appointment.cruds · Practitioner/Schedule/Slot.rs |
| Patient | My chart · Book Appointment · My Invoices (own data only) | patient/*.rs — read/search own record only |
Note: HFS (8080) runs with auth disabled in dev, so these calls succeed regardless of token — the scope
column is what governs them once the Docker/Postgres stack enforces auth. Revenue-cycle fine-grained rights live in
fhir-emr/src/services/revenue-cycle/permissions.ts (admin submits; doctor codes but doesn't submit; reception/patient excluded).
patient-local / cov-patient-local).This turns the catalog above into a tool manifest. Each endpoint becomes one MCP tool (name, description, HTTP method, URL template, example body). Drop it into a thin MCP server that forwards to these URLs, connect it in Claude Desktop, and you can say "check eligibility for patient-local" or "submit a claim for encounter X to BlueShield" and Claude drives the stack.