@medplum/core 2.0.21 → 2.0.23

package/dist/esm/client.mjs

@@ -1,17 +1,17 @@
+import { encodeBase64 } from './base64.mjs';
 import { LRUCache } from './cache.mjs';
 import { getRandomString, encryptSHA256 } from './crypto.mjs';
 import { EventTarget } from './eventtarget.mjs';
 import { parseJWTPayload } from './jwt.mjs';
-import { OperationOutcomeError, notFound, normalizeOperationOutcome, isOk } from './outcomes.mjs';
+import { OperationOutcomeError, notFound, normalizeOperationOutcome, isOk, badRequest } from './outcomes.mjs';
 import { ReadablePromise } from './readablepromise.mjs';
 import { ClientStorage } from './storage.mjs';
 import { globalSchema, indexStructureDefinition, indexSearchParameter } from './types.mjs';
 import { createReference, arrayBufferToBase64 } from './utils.mjs';
-import { encodeBase64 } from './base64.mjs';
 
 // PKCE auth based on:
 // https://aws.amazon.com/blogs/security/how-to-add-authentication-single-page-web-application-with-amazon-cognito-oauth2-implementation/
-const MEDPLUM_VERSION = "2.0.21-87271fa1" ;
+const MEDPLUM_VERSION = "2.0.23-b244eeae" ;
 const DEFAULT_BASE_URL = 'https://api.medplum.com/';
 const DEFAULT_RESOURCE_CACHE_SIZE = 1000;
 const DEFAULT_CACHE_TIME = 60000; // 60 seconds
@@ -98,7 +98,6 @@ var OAuthTokenType;
  *  <head>
  *    <meta name="algolia:pageRank" content="100" />
  *  </head>
-
  */
 class MedplumClient extends EventTarget {
     constructor(options) {
@@ -151,6 +150,16 @@ class MedplumClient extends EventTarget {
     getBaseUrl() {
         return this.baseUrl;
     }
+    /**
+     * Returns the current authorize URL.
+     * By default, this is set to `https://api.medplum.com/oauth2/authorize`.
+     * This can be overridden by setting the `authorizeUrl` option when creating the client.
+     * @category HTTP
+     * @returns The current authorize URL.
+     */
+    getAuthorizeUrl() {
+        return this.authorizeUrl;
+    }
     /**
      * Clears all auth state including local storage and session storage.
      * @category Authentication
@@ -165,12 +174,14 @@ class MedplumClient extends EventTarget {
      * @category Authentication
      */
     clearActiveLogin() {
+        if (this.basicAuth) {
+            return;
+        }
         this.storage.setString('activeLogin', undefined);
         this.requestCache?.clear();
         this.accessToken = undefined;
         this.refreshToken = undefined;
-        this.profile = undefined;
-        this.config = undefined;
+        this.sessionDetails = undefined;
         this.dispatchEvent({ type: 'change' });
     }
     /**
@@ -210,7 +221,6 @@ class MedplumClient extends EventTarget {
      * This is a lower level method for custom requests.
      * For common operations, we recommend using higher level methods
      * such as `readResource()`, `search()`, etc.
-     *
      * @category HTTP
      * @param url The target URL.
      * @param options Optional fetch options.
@@ -250,7 +260,6 @@ class MedplumClient extends EventTarget {
      * This is a lower level method for custom requests.
      * For common operations, we recommend using higher level methods
      * such as `createResource()`.
-     *
      * @category HTTP
      * @param url The target URL.
      * @param body The content body. Strings and `File` objects are passed directly. Other objects are converted to JSON.
@@ -275,7 +284,6 @@ class MedplumClient extends EventTarget {
      * This is a lower level method for custom requests.
      * For common operations, we recommend using higher level methods
      * such as `updateResource()`.
-     *
      * @category HTTP
      * @param url The target URL.
      * @param body The content body. Strings and `File` objects are passed directly. Other objects are converted to JSON.
@@ -300,7 +308,6 @@ class MedplumClient extends EventTarget {
      * This is a lower level method for custom requests.
      * For common operations, we recommend using higher level methods
      * such as `patchResource()`.
-     *
      * @category HTTP
      * @param url The target URL.
      * @param operations Array of JSONPatch operations.
@@ -321,13 +328,12 @@ class MedplumClient extends EventTarget {
      * This is a lower level method for custom requests.
      * For common operations, we recommend using higher level methods
      * such as `deleteResource()`.
-     *
      * @category HTTP
      * @param url The target URL.
      * @param options Optional fetch options.
      * @returns Promise to the response content.
      */
-    delete(url, options = {}) {
+    delete(url, options) {
         url = url.toString();
         this.invalidateUrl(url);
         return this.request('DELETE', url, options);
@@ -338,53 +344,54 @@ class MedplumClient extends EventTarget {
      * This method is part of the two different user registration flows:
      * 1) New Practitioner and new Project
      * 2) New Patient registration
-     *
      * @category Authentication
      * @param newUserRequest Register request including email and password.
+     * @param options Optional fetch options.
      * @returns Promise to the authentication response.
      */
-    async startNewUser(newUserRequest) {
+    async startNewUser(newUserRequest, options) {
         const { codeChallengeMethod, codeChallenge } = await this.startPkce();
         return this.post('auth/newuser', {
             ...newUserRequest,
             codeChallengeMethod,
             codeChallenge,
-        });
+        }, undefined, options);
     }
     /**
      * Initiates a new project flow.
      *
      * This requires a partial login from `startNewUser` or `startNewGoogleUser`.
-     *
      * @param newProjectRequest Register request including email and password.
+     * @param options Optional fetch options.
      * @returns Promise to the authentication response.
      */
-    async startNewProject(newProjectRequest) {
-        return this.post('auth/newproject', newProjectRequest);
+    async startNewProject(newProjectRequest, options) {
+        return this.post('auth/newproject', newProjectRequest, undefined, options);
     }
     /**
      * Initiates a new patient flow.
      *
      * This requires a partial login from `startNewUser` or `startNewGoogleUser`.
-     *
      * @param newPatientRequest Register request including email and password.
+     * @param options Optional fetch options.
      * @returns Promise to the authentication response.
      */
-    async startNewPatient(newPatientRequest) {
-        return this.post('auth/newpatient', newPatientRequest);
+    async startNewPatient(newPatientRequest, options) {
+        return this.post('auth/newpatient', newPatientRequest, undefined, options);
     }
     /**
      * Initiates a user login flow.
      * @category Authentication
      * @param loginRequest Login request including email and password.
+     * @param options Optional fetch options.
      * @returns Promise to the authentication response.
      */
-    async startLogin(loginRequest) {
+    async startLogin(loginRequest, options) {
         return this.post('auth/login', {
             ...(await this.ensureCodeChallenge(loginRequest)),
             clientId: loginRequest.clientId ?? this.clientId,
             scope: loginRequest.scope,
-        });
+        }, undefined, options);
     }
     /**
      * Tries to sign in with Google authentication.
@@ -392,14 +399,15 @@ class MedplumClient extends EventTarget {
      * See: https://developers.google.com/identity/gsi/web/guides/handle-credential-responses-js-functions
      * @category Authentication
      * @param loginRequest Login request including Google credential response.
+     * @param options Optional fetch options.
      * @returns Promise to the authentication response.
      */
-    async startGoogleLogin(loginRequest) {
+    async startGoogleLogin(loginRequest, options) {
         return this.post('auth/google', {
             ...(await this.ensureCodeChallenge(loginRequest)),
             clientId: loginRequest.clientId ?? this.clientId,
             scope: loginRequest.scope,
-        });
+        }, undefined, options);
     }
     /**
      * Returns the PKCE code challenge and method.
@@ -430,6 +438,7 @@ class MedplumClient extends EventTarget {
      * This may result in navigating away to the sign in page.
      * @category Authentication
      * @param loginParams Optional login parameters.
+     * @returns The user profile resource if available.
      */
     async signInWithRedirect(loginParams) {
         const urlParams = new URLSearchParams(window.location.search);
@@ -466,6 +475,7 @@ class MedplumClient extends EventTarget {
      * Exchange an external access token for a Medplum access token.
      * @param token The access token that was generated by the external identity provider.
      * @param clientId The ID of the `ClientApplication` in your Medplum project that will be making the exchange request.
+     * @returns The user profile resource.
      * @category Authentication
      */
     async exchangeExternalAccessToken(token, clientId) {
@@ -564,14 +574,13 @@ class MedplumClient extends EventTarget {
      * ```
      *
      * See FHIR search for full details: https://www.hl7.org/fhir/search.html
-     *
      * @category Search
      * @param resourceType The FHIR resource type.
      * @param query Optional FHIR search query or structured query object. Can be any valid input to the URLSearchParams() constructor.
      * @param options Optional fetch options.
      * @returns Promise to the search result bundle.
      */
-    search(resourceType, query, options = {}) {
+    search(resourceType, query, options) {
         const url = this.fhirSearchUrl(resourceType, query);
         const cacheKey = url.toString() + '-search';
         const cached = this.getCacheEntry(cacheKey, options);
@@ -605,14 +614,13 @@ class MedplumClient extends EventTarget {
      * The return value is the resource, if available; otherwise, undefined.
      *
      * See FHIR search for full details: https://www.hl7.org/fhir/search.html
-     *
      * @category Search
      * @param resourceType The FHIR resource type.
      * @param query Optional FHIR search query or structured query object. Can be any valid input to the URLSearchParams() constructor.
      * @param options Optional fetch options.
      * @returns Promise to the first search result.
      */
-    searchOne(resourceType, query, options = {}) {
+    searchOne(resourceType, query, options) {
         const url = this.fhirSearchUrl(resourceType, query);
         url.searchParams.set('_count', '1');
         url.searchParams.sort();
@@ -640,14 +648,13 @@ class MedplumClient extends EventTarget {
      * The return value is an array of resources.
      *
      * See FHIR search for full details: https://www.hl7.org/fhir/search.html
-     *
      * @category Search
      * @param resourceType The FHIR resource type.
      * @param query Optional FHIR search query or structured query object. Can be any valid input to the URLSearchParams() constructor.
      * @param options Optional fetch options.
      * @returns Promise to the array of search results.
      */
-    searchResources(resourceType, query, options = {}) {
+    searchResources(resourceType, query, options) {
         const url = this.fhirSearchUrl(resourceType, query);
         const cacheKey = url.toString() + '-searchResources';
         const cached = this.getCacheEntry(cacheKey, options);
@@ -672,14 +679,13 @@ class MedplumClient extends EventTarget {
      *  }
      * }
      * ```
-     *
      * @category Search
      * @param resourceType The FHIR resource type.
      * @param query Optional FHIR search query or structured query object. Can be any valid input to the URLSearchParams() constructor.
      * @param options Optional fetch options.
-     * @returns An async generator, where each result is an array of resources for each page.
+     * @yields An async generator, where each result is an array of resources for each page.
      */
-    async *searchResourcePages(resourceType, query, options = {}) {
+    async *searchResourcePages(resourceType, query, options) {
         let url = this.fhirSearchUrl(resourceType, query);
         while (url) {
             const searchParams = new URL(url).searchParams;
@@ -695,14 +701,13 @@ class MedplumClient extends EventTarget {
     /**
      * Searches a ValueSet resource using the "expand" operation.
      * See: https://www.hl7.org/fhir/operation-valueset-expand.html
-     *
      * @category Search
      * @param system The ValueSet system url.
      * @param filter The search string.
      * @param options Optional fetch options.
      * @returns Promise to expanded ValueSet.
      */
-    searchValueSet(system, filter, options = {}) {
+    searchValueSet(system, filter, options) {
         const url = this.fhirUrl('ValueSet', '$expand');
         url.searchParams.set('url', system);
         url.searchParams.set('filter', filter);
@@ -722,8 +727,7 @@ class MedplumClient extends EventTarget {
     /**
      * Returns a cached resource if it is available.
      * @category Caching
-     * @param resourceType The FHIR resource type.
-     * @param id The FHIR resource ID.
+     * @param reference The FHIR reference.
      * @returns The resource if it is available in the cache; undefined otherwise.
      */
     getCachedReference(reference) {
@@ -751,14 +755,13 @@ class MedplumClient extends EventTarget {
      * ```
      *
      * See the FHIR "read" operation for full details: https://www.hl7.org/fhir/http.html#read
-     *
      * @category Read
      * @param resourceType The FHIR resource type.
      * @param id The resource ID.
      * @param options Optional fetch options.
      * @returns The resource if available; undefined otherwise.
      */
-    readResource(resourceType, id, options = {}) {
+    readResource(resourceType, id, options) {
         return this.get(this.fhirUrl(resourceType, id), options);
     }
     /**
@@ -775,13 +778,12 @@ class MedplumClient extends EventTarget {
      * ```
      *
      * See the FHIR "read" operation for full details: https://www.hl7.org/fhir/http.html#read
-     *
      * @category Read
      * @param reference The FHIR reference object.
      * @param options Optional fetch options.
      * @returns The resource if available; undefined otherwise.
      */
-    readReference(reference, options = {}) {
+    readReference(reference, options) {
         const refString = reference?.reference;
         if (!refString) {
             return new ReadablePromise(Promise.reject(new Error('Missing reference')));
@@ -877,14 +879,13 @@ class MedplumClient extends EventTarget {
      * ```
      *
      * See the FHIR "history" operation for full details: https://www.hl7.org/fhir/http.html#history
-     *
      * @category Read
      * @param resourceType The FHIR resource type.
      * @param id The resource ID.
      * @param options Optional fetch options.
      * @returns Promise to the resource history.
      */
-    readHistory(resourceType, id, options = {}) {
+    readHistory(resourceType, id, options) {
         return this.get(this.fhirUrl(resourceType, id, '_history'), options);
     }
     /**
@@ -898,7 +899,6 @@ class MedplumClient extends EventTarget {
      * ```
      *
      * See the FHIR "vread" operation for full details: https://www.hl7.org/fhir/http.html#vread
-     *
      * @category Read
      * @param resourceType The FHIR resource type.
      * @param id The resource ID.
@@ -906,7 +906,7 @@ class MedplumClient extends EventTarget {
      * @param options Optional fetch options.
      * @returns The resource if available; undefined otherwise.
      */
-    readVersion(resourceType, id, vid, options = {}) {
+    readVersion(resourceType, id, vid, options) {
         return this.get(this.fhirUrl(resourceType, id, '_history', vid), options);
     }
     /**
@@ -920,13 +920,12 @@ class MedplumClient extends EventTarget {
      * ```
      *
      * See the FHIR "patient-everything" operation for full details: https://hl7.org/fhir/operation-patient-everything.html
-     *
      * @category Read
      * @param id The Patient Id
      * @param options Optional fetch options.
      * @returns A Bundle of all Resources related to the Patient
      */
-    readPatientEverything(id, options = {}) {
+    readPatientEverything(id, options) {
         return this.get(this.fhirUrl('Patient', id, '$everything'), options);
     }
     /**
@@ -948,17 +947,17 @@ class MedplumClient extends EventTarget {
      * ```
      *
      * See the FHIR "create" operation for full details: https://www.hl7.org/fhir/http.html#create
-     *
      * @category Create
      * @param resource The FHIR resource to create.
+     * @param options Optional fetch options.
      * @returns The result of the create operation.
      */
-    createResource(resource) {
+    createResource(resource, options) {
         if (!resource.resourceType) {
             throw new Error('Missing resourceType');
         }
         this.invalidateSearches(resource.resourceType);
-        return this.post(this.fhirUrl(resource.resourceType), resource);
+        return this.post(this.fhirUrl(resource.resourceType), resource, undefined, options);
     }
     /**
      * Conditionally create a new FHIR resource only if some equivalent resource does not already exist on the server.
@@ -994,14 +993,15 @@ class MedplumClient extends EventTarget {
      * The query parameter only contains the search parameters (what would be in the URL following the "?").
      *
      * See the FHIR "conditional create" operation for full details: https://www.hl7.org/fhir/http.html#ccreate
-     *
      * @category Create
      * @param resource The FHIR resource to create.
      * @param query The search query for an equivalent resource (should not include resource type or "?").
+     * @param options Optional fetch options.
      * @returns The result of the create operation.
      */
-    async createResourceIfNoneExist(resource, query) {
-        return ((await this.searchOne(resource.resourceType, query)) ?? this.createResource(resource));
+    async createResourceIfNoneExist(resource, query, options) {
+        return ((await this.searchOne(resource.resourceType, query, options)) ??
+            this.createResource(resource, options));
     }
     /**
      * Creates a FHIR `Binary` resource with the provided data content.
@@ -1020,11 +1020,11 @@ class MedplumClient extends EventTarget {
      * ```
      *
      * See the FHIR "create" operation for full details: https://www.hl7.org/fhir/http.html#create
-     *
      * @category Create
      * @param data The binary data to upload.
      * @param filename Optional filename for the binary.
      * @param contentType Content type for the binary.
+     * @param onProgress Optional callback for progress events.
      * @returns The result of the create operation.
      */
     createBinary(data, filename, contentType, onProgress) {
@@ -1083,9 +1083,11 @@ class MedplumClient extends EventTarget {
      * ```
      *
      * See the pdfmake document definition for full details: https://pdfmake.github.io/docs/0.1/document-definition-object/
-     *
      * @category Media
      * @param docDefinition The PDF document definition.
+     * @param filename Optional filename for the PDF binary resource.
+     * @param tableLayouts Optional pdfmake custom table layout.
+     * @param fonts Optional pdfmake custom font dictionary.
      * @returns The result of the create operation.
      */
     async createPdf(docDefinition, filename, tableLayouts, fonts) {
@@ -1099,13 +1101,13 @@ class MedplumClient extends EventTarget {
      * Creates a FHIR `Communication` resource with the provided data content.
      *
      * This is a convenience method to handle commmon cases where a `Communication` resource is created with a `payload`.
-     *
      * @category Create
      * @param resource The FHIR resource to comment on.
      * @param text The text of the comment.
+     * @param options Optional fetch options.
      * @returns The result of the create operation.
      */
-    createComment(resource, text) {
+    createComment(resource, text, options) {
         const profile = this.getProfile();
         let encounter = undefined;
         let subject = undefined;
@@ -1128,7 +1130,7 @@ class MedplumClient extends EventTarget {
             sender: profile ? createReference(profile) : undefined,
             sent: new Date().toISOString(),
             payload: [{ contentString: text }],
-        });
+        }, options);
     }
     /**
      * Updates a FHIR resource.
@@ -1150,12 +1152,12 @@ class MedplumClient extends EventTarget {
      * ```
      *
      * See the FHIR "update" operation for full details: https://www.hl7.org/fhir/http.html#update
-     *
      * @category Write
      * @param resource The FHIR resource to update.
+     * @param options Optional fetch options.
      * @returns The result of the update operation.
      */
-    async updateResource(resource) {
+    async updateResource(resource, options) {
         if (!resource.resourceType) {
             throw new Error('Missing resourceType');
         }
@@ -1163,7 +1165,7 @@ class MedplumClient extends EventTarget {
             throw new Error('Missing id');
         }
         this.invalidateSearches(resource.resourceType);
-        let result = await this.put(this.fhirUrl(resource.resourceType, resource.id), resource);
+        let result = await this.put(this.fhirUrl(resource.resourceType, resource.id), resource, undefined, options);
         if (!result) {
             // On 304 not modified, result will be undefined
             // Return the user input instead
@@ -1190,16 +1192,16 @@ class MedplumClient extends EventTarget {
      * See the FHIR "update" operation for full details: https://www.hl7.org/fhir/http.html#patch
      *
      * See the JSONPatch specification for full details: https://tools.ietf.org/html/rfc6902
-     *
      * @category Write
      * @param resourceType The FHIR resource type.
      * @param id The resource ID.
      * @param operations The JSONPatch operations.
+     * @param options Optional fetch options.
      * @returns The result of the patch operations.
      */
-    patchResource(resourceType, id, operations) {
+    patchResource(resourceType, id, operations, options) {
         this.invalidateSearches(resourceType);
-        return this.patch(this.fhirUrl(resourceType, id), operations);
+        return this.patch(this.fhirUrl(resourceType, id), operations, options);
     }
     /**
      * Deletes a FHIR resource by resource type and ID.
@@ -1211,16 +1213,16 @@ class MedplumClient extends EventTarget {
      * ```
      *
      * See the FHIR "delete" operation for full details: https://www.hl7.org/fhir/http.html#delete
-     *
      * @category Delete
      * @param resourceType The FHIR resource type.
      * @param id The resource ID.
+     * @param options Optional fetch options.
      * @returns The result of the delete operation.
      */
-    deleteResource(resourceType, id) {
+    deleteResource(resourceType, id, options) {
         this.deleteCacheEntry(this.fhirUrl(resourceType, id).toString());
         this.invalidateSearches(resourceType);
-        return this.delete(this.fhirUrl(resourceType, id));
+        return this.delete(this.fhirUrl(resourceType, id), options);
     }
     /**
      * Executes the validate operation with the provided resource.
@@ -1235,12 +1237,12 @@ class MedplumClient extends EventTarget {
      * ```
      *
      * See the FHIR "$validate" operation for full details: https://www.hl7.org/fhir/resource-operation-validate.html
-     *
      * @param resource The FHIR resource.
+     * @param options Optional fetch options.
      * @returns The validate operation outcome.
      */
-    validateResource(resource) {
-        return this.post(this.fhirUrl(resource.resourceType, '$validate'), resource);
+    validateResource(resource, options) {
+        return this.post(this.fhirUrl(resource.resourceType, '$validate'), resource, undefined, options);
     }
     /**
      * Executes a bot by ID or Identifier.
@@ -1250,7 +1252,7 @@ class MedplumClient extends EventTarget {
      * @param options Optional fetch options.
      * @returns The Bot return value.
      */
-    executeBot(idOrIdentifier, body, contentType, options = {}) {
+    executeBot(idOrIdentifier, body, contentType, options) {
         let url;
         if (typeof idOrIdentifier === 'string') {
             const id = idOrIdentifier;
@@ -1310,7 +1312,7 @@ class MedplumClient extends EventTarget {
      * @param options Optional fetch options.
      * @returns The FHIR batch/transaction response bundle.
      */
-    executeBatch(bundle, options = {}) {
+    executeBatch(bundle, options) {
         return this.post(this.fhirBaseUrl.slice(0, -1), bundle, undefined, options);
     }
     /**
@@ -1347,11 +1349,12 @@ class MedplumClient extends EventTarget {
      *
      * See options here: https://nodemailer.com/extras/mailcomposer/
      * @category Media
-     * @param options The MailComposer options.
+     * @param email The MailComposer options.
+     * @param options Optional fetch options.
      * @returns Promise to the operation outcome.
      */
-    sendEmail(email) {
-        return this.post('email/v1/send', email, 'application/json');
+    sendEmail(email, options) {
+        return this.post('email/v1/send', email, 'application/json', options);
     }
     /**
      * Executes a GraphQL query.
@@ -1393,7 +1396,6 @@ class MedplumClient extends EventTarget {
      * See the GraphQL documentation for more details: https://graphql.org/learn/
      *
      * See the FHIR GraphQL documentation for FHIR specific details: https://www.hl7.org/fhir/graphql.html
-     *
      * @category Read
      * @param query The GraphQL query.
      * @param operationName Optional GraphQL operation name.
@@ -1408,15 +1410,15 @@ class MedplumClient extends EventTarget {
      *
      * Executes the $graph operation on this resource to fetch a Bundle of resources linked to the target resource
      * according to a graph definition
-  
      * @category Read
      * @param resourceType The FHIR resource type.
      * @param id The resource ID.
      * @param graphName `name` parameter of the GraphDefinition
+     * @param options Optional fetch options.
      * @returns A Bundle
      */
-    readResourceGraph(resourceType, id, graphName) {
-        return this.get(`${this.fhirUrl(resourceType, id)}/$graph?graph=${graphName}`);
+    readResourceGraph(resourceType, id, graphName, options) {
+        return this.get(`${this.fhirUrl(resourceType, id)}/$graph?graph=${graphName}`, options);
     }
     /**
      * @category Authentication
@@ -1426,11 +1428,16 @@ class MedplumClient extends EventTarget {
         return this.storage.getObject('activeLogin');
     }
     /**
+     * Sets the active login.
+     * @param login The new active login state.
      * @category Authentication
      */
     async setActiveLogin(login) {
         this.clearActiveLogin();
         this.accessToken = login.accessToken;
+        if (this.basicAuth) {
+            return;
+        }
         this.refreshToken = login.refreshToken;
         this.storage.setObject('activeLogin', login);
         this.addLogin(login);
@@ -1439,6 +1446,7 @@ class MedplumClient extends EventTarget {
     }
     /**
      * Returns the current access token.
+     * @returns The current access token.
      * @category Authentication
      */
     getAccessToken() {
@@ -1446,15 +1454,17 @@ class MedplumClient extends EventTarget {
     }
     /**
      * Sets the current access token.
+     * @param accessToken The new access token.
      * @category Authentication
      */
     setAccessToken(accessToken) {
         this.accessToken = accessToken;
         this.refreshToken = undefined;
-        this.profile = undefined;
-        this.config = undefined;
+        this.sessionDetails = undefined;
     }
     /**
+     * Returns the list of available logins.
+     * @returns The list of available logins.
      * @category Authentication
      */
     getLogins() {
@@ -1467,31 +1477,73 @@ class MedplumClient extends EventTarget {
     }
     async refreshProfile() {
         this.profilePromise = new Promise((resolve, reject) => {
+            if (this.basicAuth) {
+                return;
+            }
             this.get('auth/me')
                 .then((result) => {
                 this.profilePromise = undefined;
-                this.profile = result.profile;
-                this.config = result.config;
+                this.sessionDetails = result;
                 this.dispatchEvent({ type: 'change' });
-                resolve(this.profile);
+                resolve(result.profile);
             })
                 .catch(reject);
         });
         return this.profilePromise;
     }
     /**
+     * Returns true if the client is waiting for authentication.
+     * @returns True if the client is waiting for authentication.
      * @category Authentication
      */
     isLoading() {
         return !!this.profilePromise;
     }
     /**
+     * Returns true if the current user is authenticated as a super admin.
+     * @returns True if the current user is authenticated as a super admin.
+     * @category Authentication
+     */
+    isSuperAdmin() {
+        return !!this.sessionDetails?.project?.superAdmin;
+    }
+    /**
+     * Returns true if the current user is authenticated as a project admin.
+     * @returns True if the current user is authenticated as a project admin.
+     * @category Authentication
+     */
+    isProjectAdmin() {
+        return !!this.sessionDetails?.membership?.admin;
+    }
+    /**
+     * Returns the current project if available.
+     * @returns The current project if available.
+     * @category User Profile
+     */
+    getProject() {
+        return this.sessionDetails?.project;
+    }
+    /**
+     * Returns the current project membership if available.
+     * @returns The current project membership if available.
+     * @category User Profile
+     */
+    getProjectMembership() {
+        return this.sessionDetails?.membership;
+    }
+    /**
+     * Returns the current user profile resource if available.
+     * This method does not wait for loading promises.
+     * @returns The current user profile resource if available.
      * @category User Profile
      */
     getProfile() {
-        return this.profile;
+        return this.sessionDetails?.profile;
     }
     /**
+     * Returns the current user profile resource if available.
+     * This method waits for loading promises.
+     * @returns The current user profile resource if available.
      * @category User Profile
      */
     async getProfileAsync() {
@@ -1501,16 +1553,26 @@ class MedplumClient extends EventTarget {
         return this.getProfile();
     }
     /**
+     * Returns the current user configuration if available.
+     * @returns The current user configuration if available.
      * @category User Profile
      */
     getUserConfiguration() {
-        return this.config;
+        return this.sessionDetails?.config;
+    }
+    /**
+     * Returns the current user access policy if available.
+     * @returns The current user access policy if available.
+     * @category User Profile
+     */
+    getAccessPolicy() {
+        return this.sessionDetails?.accessPolicy;
     }
     /**
      * Downloads the URL as a blob.
-     *
      * @category Read
      * @param url The URL to request.
+     * @param options Optional fetch request init options.
      * @returns Promise to the response body as a blob.
      */
     async download(url, options = {}) {
@@ -1524,12 +1586,13 @@ class MedplumClient extends EventTarget {
     /**
      * Upload media to the server and create a Media instance for the uploaded content.
      * @param contents The contents of the media file, as a string, Uint8Array, File, or Blob.
-     * @param contentType The media type of the content
-     * @param filename The name of the file to be uploaded, or undefined if not applicable
-     * @param additionalFields  Additional fields for Media
+     * @param contentType The media type of the content.
+     * @param filename The name of the file to be uploaded, or undefined if not applicable.
+     * @param additionalFields Additional fields for Media.
+     * @param options Optional fetch options.
      * @returns Promise that resolves to the created Media
      */
-    async uploadMedia(contents, contentType, filename, additionalFields) {
+    async uploadMedia(contents, contentType, filename, additionalFields, options) {
         const binary = await this.createBinary(contents, filename, contentType);
         return this.createResource({
             ...additionalFields,
@@ -1539,11 +1602,10 @@ class MedplumClient extends EventTarget {
                 url: 'Binary/' + binary.id,
                 title: filename,
             },
-        });
+        }, options);
     }
     /**
      * Performs Bulk Data Export operation request flow. See The FHIR "Bulk Data Export" for full details: https://build.fhir.org/ig/HL7/bulk-data/export.html#bulk-data-export
-     *
      * @param exportLevel Optional export level. Defaults to system level export. 'Group/:id' - Group of Patients, 'Patient' - All Patients.
      * @param resourceTypes A string of comma-delimited FHIR resource types.
      * @param since Resources will be included in the response if their state has changed after the supplied time (e.g. if Resource.meta.lastUpdated is later than the supplied _since time).
@@ -1559,7 +1621,6 @@ class MedplumClient extends EventTarget {
         if (since) {
             url.searchParams.set('_since', since);
         }
-        options.method = exportLevel ? 'GET' : 'POST';
         this.addFetchOptionsDefaults(options);
         const headers = options.headers;
         headers['Prefer'] = 'respond-async';
@@ -1623,10 +1684,10 @@ class MedplumClient extends EventTarget {
     }
     /**
      * Makes an HTTP request.
-     * @param {string} method
-     * @param {string} url
-     * @param {string=} contentType
-     * @param {Object=} body
+     * @param method The HTTP method (GET, POST, etc).
+     * @param url The target URL.
+     * @param options Optional fetch request init options.
+     * @returns The JSON content body if available.
      */
     async request(method, url, options = {}) {
         if (this.refreshPromise) {
@@ -1691,9 +1752,7 @@ class MedplumClient extends EventTarget {
         let resultResponse;
         const retryDelay = 200;
         while (checkStatus) {
-            const fetchOptions = {
-                method: 'GET',
-            };
+            const fetchOptions = {};
             this.addFetchOptionsDefaults(fetchOptions);
             const statusResponse = await this.fetchWithRetry(statusUrl, fetchOptions);
             if (statusResponse.status !== 202) {
@@ -1769,7 +1828,7 @@ class MedplumClient extends EventTarget {
         if (this.accessToken) {
             headers['Authorization'] = 'Bearer ' + this.accessToken;
         }
-        if (this.basicAuth) {
+        else if (this.basicAuth) {
             headers['Authorization'] = 'Basic ' + this.basicAuth;
         }
         if (!options.cache) {
@@ -1813,8 +1872,8 @@ class MedplumClient extends EventTarget {
      * Otherwise, calls unauthenticated callbacks and rejects.
      * @param method The HTTP method of the original request.
      * @param url The URL of the original request.
-     * @param contentType The content type of the original request.
-     * @param body The body of the original request.
+     * @param options Optional fetch request init options.
+     * @returns The result of the retry.
      */
     handleUnauthenticated(method, url, options) {
         if (this.refresh()) {
@@ -1830,6 +1889,7 @@ class MedplumClient extends EventTarget {
      * Starts a new PKCE flow.
      * These PKCE values are stateful, and must survive redirects and page refreshes.
      * @category Authentication
+     * @returns The PKCE code challenge details.
      */
     async startPkce() {
         const pkceState = getRandomString();
@@ -1844,7 +1904,8 @@ class MedplumClient extends EventTarget {
     /**
      * Redirects the user to the login screen for authorization.
      * Clears all auth state including local storage and session storage.
-     * See: https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
+     * @param loginParams The authorization login parameters.
+     * @see https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
      */
     async requestAuthorization(loginParams) {
         const loginRequest = await this.ensureCodeChallenge(loginParams || {});
@@ -1863,6 +1924,7 @@ class MedplumClient extends EventTarget {
      * See: https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
      * @param code The authorization code received by URL parameter.
      * @param loginParams Optional login parameters.
+     * @returns The user profile resource.
      * @category Authentication
      */
     processCode(code, loginParams) {
@@ -1881,7 +1943,8 @@ class MedplumClient extends EventTarget {
     }
     /**
      * Tries to refresh the auth tokens.
-     * See: https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens
+     * @returns The refresh promise if available; otherwise undefined.
+     * @see https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens
      */
     refresh() {
         if (this.refreshPromise) {
@@ -1934,7 +1997,6 @@ class MedplumClient extends EventTarget {
      * // Example Search
      * await medplum.searchResources('Patient')
      * ```
-     *
      * @category Authentication
      * @param clientId The client ID.
      * @param clientSecret The client secret.
@@ -1948,7 +2010,7 @@ class MedplumClient extends EventTarget {
      * Invite a user to a project.
      * @param projectId The project ID.
      * @param body The InviteBody.
-     * @returns Promise that returns an invite result or an operation outcome.
+     * @returns Promise that returns a project membership or an operation outcome.
      */
     async invite(projectId, body) {
         return this.post('admin/projects/' + projectId + '/invite', body);
@@ -1957,17 +2019,29 @@ class MedplumClient extends EventTarget {
      * Makes a POST request to the tokens endpoint.
      * See: https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
      * @param formBody Token parameters in URL encoded format.
+     * @returns The user profile resource.
      */
     async fetchTokens(formBody) {
-        const response = await this.fetch(this.tokenUrl, {
+        const options = {
             method: 'POST',
             headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
             body: formBody,
             credentials: 'include',
-        });
+        };
+        const headers = options.headers;
+        if (this.basicAuth) {
+            headers['Authorization'] = `Basic ${this.basicAuth}`;
+        }
+        const response = await this.fetch(this.tokenUrl, options);
         if (!response.ok) {
             this.clearActiveLogin();
-            throw new Error('Failed to fetch tokens');
+            try {
+                const error = await response.json();
+                throw new OperationOutcomeError(badRequest(error.error_description));
+            }
+            catch (err) {
+                throw new OperationOutcomeError(badRequest('Failed to fetch tokens'), err);
+            }
         }
         const tokens = await response.json();
         await this.verifyTokens(tokens);
@@ -1977,7 +2051,8 @@ class MedplumClient extends EventTarget {
      * Verifies the tokens received from the auth server.
      * Validates the JWT against the JWKS.
      * See: https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
-     * @param tokens
+     * @param tokens The token response.
+     * @returns Promise to complete.
      */
     async verifyTokens(tokens) {
         const token = tokens.access_token;
@@ -1988,7 +2063,14 @@ class MedplumClient extends EventTarget {
             throw new Error('Token expired');
         }
         // Verify app_client_id
-        if (this.clientId && tokenPayload.client_id !== this.clientId) {
+        // external tokenPayload
+        if (tokenPayload.cid) {
+            if (tokenPayload.cid !== this.clientId) {
+                this.clearActiveLogin();
+                throw new Error('Token was not issued for this audience');
+            }
+        }
+        else if (this.clientId && tokenPayload.client_id !== this.clientId) {
             this.clearActiveLogin();
             throw new Error('Token was not issued for this audience');
         }
@@ -2042,6 +2124,7 @@ function getDefaultFetch() {
 }
 /**
  * Returns the base URL for the current page.
+ * @returns The window origin string.
  * @category HTTP
  */
 function getWindowOrigin() {