
Motivation

Form Lab exists to make standards-based healthcare app development accessible and practical. Its goals are:

  1. Easy Local Experimentation with SMART on FHIR
    Developing SMART-on-FHIR apps is challenging because production-like setups require DNS names and valid SSL/TLS certificates. Form Lab simplifies this by enabling localhost-based workflows for early development and testing, avoiding the complexity of DNS and certificates.

  2. Easy Local Experimentation with SDC
    Structured Data Capture (SDC) often depends on SMART-on-FHIR for user context and authentication, which introduces OAuth flows and token management. Form Lab provides a lightweight environment that supports the SMART launch sequence without full security overhead, making SDC prototyping fast and approachable.

  3. Open Source: Standards, Not Products
    Form Lab is built around open standards like SMART on FHIR and HL7 SDC to ensure transparency, interoperability, and community-driven innovation.

Why SMART-on-FHIR Development Is Hard

Building a SMART-on-FHIR application isn’t just writing code—it requires orchestrating multiple components for secure communication. Production scenarios demand DNS names and trusted SSL/TLS certificates.

SMART-on-FHIR apps typically operate in two modes:

  • Localhost Mode
    Ideal for early development and testing without DNS or certificates.

  • DNS + Certificates Mode
    Required for realistic deployments with secure, standards-compliant communication.

Why These Limitations Exist

This challenge arises because the Web Crypto API, specifically crypto.subtle, is only available in secure contexts. A secure context means:

  • HTTPS for web apps served over the network.
  • localhost or 127.0.0.1 for local development.

When your SMART-on-FHIR app generates a PKCE challenge (via generatePKCEChallenge), it calls crypto.subtle.digest. Browsers restrict this API to secure contexts so that cryptographic operations are not exposed in insecure environments; outside a secure context the API is unavailable and the PKCE step cannot run.

References:

  • Web Crypto API – MDN
  • Secure Contexts – W3C
  • RFC7636

How Form Lab Helps

Form Lab abstracts away these complexities through a proxy-based approach:

  • Accepts SMART-on-FHIR secured calls (maintaining API compatibility)
  • Strips security requirements at the proxy layer
  • Sends standard FHIR calls to the backend

This lets developers:

  • Experience full SMART and SDC workflows
  • Render and test forms
  • Prototype quickly without security barriers
  • Learn the standards before implementing production-grade security

When ready for production, replace the proxy with proper SMART-on-FHIR security.

Learn More