When performing SMART on FHIR requests, the server is typically configured to allow unsecured anonymous access to the capabilities (/metadata) endpoint. All other requests should require an access token to be supplied by the client in an Authorization header using the following format:
Authorization: Bearer [access_token]
By default, FHIR Endpoint modules will reject unauthorized calls with the following logic:
If no Authorization header is supplied for a request that requires one, the server will respond with HTTP 401 Unauthorized
If an Authorization header is supplied for a request that requires one, but it is invalid or has expired, the server will respond with HTTP 401 Unauthorized
If an Authorization header is supplied and is valid, but does not have sufficient permission to perform the requested operation the server will respond with HTTP 403 Forbidden.
If the Reject Insufficient Permissions with HTTP 401 setting has been enabled on the FHIR Endpoint module, all scenarios will result in an HTTP 401 Unuthorized instead.