
// the find

bluehalo/node-fhir-server-core

★ 412 · JavaScript · MIT · updated Feb 2026

An Open Source secure REST implementation for the HL7 FHIR Specification. For API documentation, please see https://github.com/Asymmetrik/node-fhir-server-core/wiki.

A Node.js framework for standing up HL7 FHIR REST servers, supporting DSTU2, STU3, and R4 simultaneously. You provide the data layer (MongoDB adapter included as a separate repo); the framework handles routing, capability statements, SMART on FHIR scope enforcement, and request sanitization. Aimed at health IT shops that need to expose EHR data via a standard API without building all the FHIR plumbing from scratch.

Multi-version support (DSTU2/STU3/R4) from a single server config is genuinely useful in healthcare, where you rarely control what version clients speak. The plugin architecture is the right call: you write a service module per resource type and the framework wires it in, so you're not subclassing anything or fighting the framework to add your own DB. Because the fhir-sanitize-param and fhir-json-schema-validator packages are split out as independent modules, you can use them even if you don't adopt the full server. The ONC FHIR Secure API Server Showdown participation and public vulnerability issue tracking are a credible signal that security was actually tested, not just claimed.

The last real push was early 2026, but the Travis CI badge and Node >7.6 prerequisites in the README are years stale. R5, which is now the current FHIR release and required for many new US payer mandates, isn't mentioned anywhere. The plugin model means zero business logic is included; every resource's search parameters, query translation, and persistence are on you, so the 'getting started' story is actually 'stand up a MongoDB instance and write hundreds of service methods'. The fhir-qb query builder packages have thin test coverage and the SQL adapter looks largely incomplete. SMART on FHIR scope enforcement exists, but auth integration is still passport-based middleware you configure yourself; there's no turnkey OAuth2/SMART server included, which is table stakes for most real deployments.
