Glossary
Project-specific terminology used across the Orion CLI and marketplace docs. Italicized terms link to other entries in this glossary.
App Bridge
The system that connects your iframe app to the host EMR's UI shell — toasts, navigation, modals, form-field reads/writes, and reads of the current context (patient, encounter, user). Backed by an App Bridge JWT obtained via POST /api/app-bridge/token. Distinct from SMART on FHIR (different token, different endpoint), but gated by the same SMART scope vocabulary.
App Bridge JWT
The HS256-signed session token the host issues for cross-origin iframe communication. Carries sub, app_id, tenant_id, granted permissions[], iat, exp. TTL is host-configured (APP_BRIDGE_TOKEN_TTL, default 3600s). The bridge auto-refreshes via getSessionToken() when fewer than APP_BRIDGE_TOKEN_REFRESH_THRESHOLD seconds (default 300) remain — your app code never reads or stores it directly.
Bearer token
OAuth2 access token. Used in two places: (1) the developer/CLI bearer token stored locally after orion login (Passport-issued, scope develop:apps); (2) the SMART-on-FHIR bearer token your installed app sends to FHIR REST endpoints, scoped per the manifest's scope[].
Bundle
The compiled JS artifact in dist/index.js that ships to the marketplace and gets loaded by the host EMR at runtime.
clientId
The public OAuth client identifier in orion.config.ts, generated by the Developer Portal when the app entry is created — not a secret.
Developer Portal
The web UI inside a tenant where developers manage their app entries, scopes, and reviewer interactions.
Extension
A manifest-declared mount point — page, block, widget, action, or nav — that hooks your code into a specific host EMR surface.
FHIR
The HL7 FHIR R4 healthcare data specification; the host EMR exposes patient, encounter, observation, and other clinical data through a FHIR REST API.
Home tenant
The production-like Orion tenant where your developer account lives and where orion publish uploads. See Host vs Sandbox.
Host EMR
A tenant's running Orion EMR, where users see your installed app rendered in iframes.
Manifest
The orion-app.json file declaring app metadata, scopes, and extension catalogs. See Manifest schema.
Marketplace
The catalog where Orion tenants discover and install apps; receives published bundles and manifests via orion publish.
OAuth client
The OAuth client your tenant administrator registers on your behalf, identified by clientId. The bearer tokens the CLI uses are issued to this client.
permissions_required
The API-response serialization of the manifest's SMART scope[] array (e.g. user/Patient.read). Returned by the developer API on apps list, apps info, and versions show payloads. The CLI prints these under the scopes_required: label in apps info and versions show output. The same scope set is enforced by both auth systems — the OAuth2 token issued for FHIR REST and the App Bridge JWT issued for iframe actions both check the granted scopes from this list.
PKCE
The OAuth2 flow extension the CLI uses for authorization-code login, so no client secret is stored.
Sandbox tenant
A scratch tenant that orion dev tunnels into for live-reload testing, separate from the home tenant. See Host vs Sandbox.
Scope
A SMART-on-FHIR scope declared in the manifest's scope[] array. Two shapes: launch-context scopes (openid, fhirUser, launch, launch/patient, launch/encounter, offline_access) and resource scopes of the form {patient,user,system}/{Resource}.{read,write} (e.g. user/Patient.read). The same vocabulary gates both auth surfaces: SMART tokens passed to FHIR REST, and App Bridge JWTs passed with bridge actions. The host previously had a separate 11-string bridge-permission vocabulary (read:patients, write:documents, …); those now exist only as legacy aliases for SMART scopes (in AppPermissionRegistry::LEGACY_ALIASES) and only for the deprecated GraphQL @appPermission directive — new manifests should declare SMART scopes directly.
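Added example, not Orion's own code, covering this entry and the permissions_required entry above: the two SMART scope shapes as a small parser, a manifest scope[] validation, and the granted-versus-required check that applies the same way to a SMART bearer token, to an App Bridge JWT's permissions[], and to the permissions_required list the developer API returns. The legacy-alias table is constructed for illustration from the two names quoted above; the host's real table is AppPermissionRegistry::LEGACY_ALIASES and may differ.

```javascript
// Added example (not Orion's own code): the two SMART scope shapes named in the Scope
// entry as a small parser, manifest validation, and the same granted-vs-required check
// that applies to a SMART bearer token, to an App Bridge JWT's permissions[], and to the
// permissions_required list the developer API returns. The legacy-alias table below is
// constructed for illustration from the two names the glossary quotes; the host's real
// table is AppPermissionRegistry::LEGACY_ALIASES.
const LAUNCH_CONTEXT_SCOPES = new Set([
  'openid', 'fhirUser', 'launch', 'launch/patient', 'launch/encounter', 'offline_access',
]);
// {patient,user,system}/{Resource}.{read,write}; FHIR resource names are UpperCamelCase.
const RESOURCE_SCOPE = /^(patient|user|system)\/([A-Z][A-Za-z]*)\.(read|write)$/;

// ASSUMED targets for the two legacy names quoted on the page, not the host's table.
const LEGACY_ALIASES_EXAMPLE = {
  'read:patients': 'user/Patient.read',
  'write:documents': 'user/DocumentReference.write',
};

// Classify one scope string; null when it matches neither shape.
function parseScope(scope) {
  if (LAUNCH_CONTEXT_SCOPES.has(scope)) return { kind: 'launch', scope };
  const m = RESOURCE_SCOPE.exec(scope);
  if (m) return { kind: 'resource', scope, context: m[1], resource: m[2], access: m[3] };
  return null;
}

// Validate a manifest's scope[] array before publishing. Legacy aliases land in
// `invalid` because new manifests must declare SMART scopes directly.
function validateManifestScopes(scopes) {
  const valid = [];
  const invalid = [];
  for (const s of scopes) (parseScope(s) ? valid : invalid).push(s);
  return { valid, invalid };
}

// Translate a granted list that may still contain legacy aliases into SMART scopes.
// Unknown strings are dropped, never widened into a grant.
function normalizeGranted(granted, aliases = LEGACY_ALIASES_EXAMPLE) {
  const scopes = [];
  const translated = [];
  for (const g of granted) {
    if (Object.prototype.hasOwnProperty.call(aliases, g)) {
      scopes.push(aliases[g]);
      translated.push(g);
    } else if (parseScope(g)) {
      scopes.push(g);
    }
  }
  return { scopes, translated };
}

// The check both auth surfaces make: exact match on the required resource scope.
// read and write are independent grants; neither implies the other, and a system/
// grant is not treated as satisfying a user/ requirement here.
function isAuthorized(granted, required) {
  const req = parseScope(required);
  if (!req || req.kind !== 'resource') throw new Error(`not a resource scope: ${required}`);
  return normalizeGranted(granted).scopes.includes(required);
}

// Constructed sample manifest scope list (the last entry is a legacy alias).
const SAMPLE_MANIFEST_SCOPES = ['openid', 'launch/patient', 'user/Patient.read', 'read:patients'];
console.log(validateManifestScopes(SAMPLE_MANIFEST_SCOPES));
```

The exact-match rule is the conservative reading of the entry; if the host widens it (for example treating system/ as a superset of user/), that is a deliberate policy choice to document, not something to infer from the scope strings.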
SMART on FHIR
The OAuth2 + FHIR profile the host EMR uses to grant clinical data access, with tokens scoped per FHIR resource.
tenantUuid
The UUID of your home tenant, embedded in orion.config.ts. orion init writes an empty placeholder; the value is filled in when you run orion config host or orion config sandbox, both of which call the configured tenant for its UUID and persist the result.
Tenant
A single Orion EMR deployment instance; one tenant per organization in production.
Tunnel
A Cloudflare-managed HTTPS tunnel (via the bundled cloudflared binary) that exposes your local Vite dev server so the host EMR's iframe can reach it.