Overview
The Trusted Exchange Framework and Common Agreement (TEFCA) is a nationwide framework for secure health information sharing in the United States. Persona functions as a Kantara-certified Credential Service Provider (CSP) for TEFCA Individual Access Service (IAS) providers. As the CSP, Persona performs NIST IAL2 identity proofing for patients and issues an ID Token to the IAS Provider containing verified demographics. IAS Providers use the Persona-issued ID Token in TEFCA exchange requests.
This guide outlines Persona’s IAS Provider integration for TEFCA.
OIDC Configuration
Persona’s IAS integration uses the OpenID Connect (OIDC) authorization code flow. To configure this in Persona, see this guide.
OIDC Flow
At a high level, your OIDC integration will look like the following:
- Patient accesses your application.
- Your application redirects the patient to Persona for IAL2 identity proofing.
- Patient completes identity proofing and is redirected from Persona back to your application.
- Persona issues the ID Token and exchanges it with your application.
- Your application can use the ID Token in requests to the TEFCA network.
OIDC ID Token
After a patient successfully completes IAL2 identity proofing through a Persona inquiry, Persona generates a JWT-format OIDC ID Token signed by Persona's private key. The token is returned to the IAS Provider (Relying Party) through the standard OIDC authorization code flow — the patient is redirected back to your configured redirect_uri, and your application exchanges the authorization code for the ID Token (and refresh token) at Persona's OIDC token endpoint.
Persona’s ID tokens are formatted in accordance with the TEFCA IAS SOP issued by the Sequoia Project (RCE).
Healthcare Common Identifier (HCID)
As the IAS Provider, you will need to supply your Healthcare Common Identifier (HCID) formatted as a URN per RFC 3001.
urn:oid:<hcid>
For example: urn:oid:1.2.3.4.5.6.7.8.9.10
The HCID audience value is configured on your Authentication Template in the Persona Dashboard. Note this control is only available if your Persona account is configured for TEFCA IAS Services. Contact Persona support if you do not have access. Persona automatically includes the configured value in the aud array of every ID Token issued from that template.
The aud array contains both your OIDC client ID and the audience URI:
"aud": [
"env_<environment_id>.atoc_<auth_template_id>",
"urn:oid:<hcid>"
]
Persona's OID
An Object Identifier (OID) is a globally unique, hierarchical identifier used to unambiguously identify organizations and systems across networks. OIDs are used in TEFCA to anchor a CSP's identity within the trust chain.
Persona's TEFCA CSP OID: 1.3.6.1.4.1.65312.2.10
If you are integrating with CommonWell, you may need to list Persona’s OID in your CommonWell dashboard.
Token Validation
ID Tokens are Base64URL-encoded and digitally signed by Persona. The cryptographic signature proves authenticity and makes tokens tamper-evident.
To validate a Persona-issued ID Token:
- Fetch the OIDC discovery document from the endpoint for the environment in which the ID Token was generated. Sandbox: https://authenticate.withpersona.com/authenticate/oidc-sandbox/.well-known/openid-configuration. Production: https://authenticate.withpersona.com/authenticate/oidc/.well-known/openid-configuration
- Use the jwks_uri from the discovery document to retrieve Persona's public key set (JWKS).
- Verify the token signature against the public key whose kid matches the kid header in the JWT.
- Confirm iss matches the environment. Sandbox: https://authenticate.withpersona.com/authenticate/oidc-sandbox. Production: https://authenticate.withpersona.com/authenticate/oidc
- Confirm aud contains your organization's HCID URI.
- Confirm exp is in the future and nbf is in the past.
Tokens must be transmitted and stored securely. Per the TEFCA spec, data must be encrypted in transit (HTTPS/TLS) and at rest.
Refresh Tokens
Persona issues a refresh token alongside the ID Token. The refresh token can be used to generate a new ID Token without requiring the patient to complete a new inquiry.
| Property | Details |
|---|---|
| Token lifetime | Configurable to a max of 90 days |
| Configuration | Set in the Authentication Template in the Persona Dashboard |
| After expiry | The patient must complete a new IAL2 inquiry to receive a new ID Token |
The 90-day window reflects the period during which a patient's verified identity can be considered current for the purposes of requesting medical records. See the section on Persona Wallet for more information on the re-verification experience for patients.
ID Token Claims
Standard Claims
These claims are included in all ID Tokens Persona issues, regardless of what demographics were collected and verified.
| Claim | Description |
|---|---|
| iss | Token issuer: https://authenticate.withpersona.com/authenticate/oidc or https://authenticate.withpersona.com/authenticate/oidc-sandbox |
| sub | Subject. The Persona Account token associated with the patient (act_…) |
| aud | Array containing the client ID and the IAS Provider's HCID URI (urn:oid:<hcid>) |
| exp | Expiration timestamp. Persona ID Tokens are valid for 1 hour from issuance |
| iat | Issued-at timestamp |
| auth_time | Timestamp of inquiry completion |
| nbf | Not-Before timestamp. The earliest time the token is valid |
| jti | Unique serial number for this token |
| nonce | Random value provided by the client, echoed back to prevent token replay |
| azp | Authorized Party. The client ID the token was issued to |
| inquiry_id | The Persona Inquiry token (inq_…) associated with this authentication |
Demographic Claims
Demographic claims are included based on what was successfully verified during the IAL2 inquiry.
Claims required by the TEFCA IAS SOP (must be included or set to "Unknown"):
| Claim | Notes |
|---|---|
| given_name | |
| family_name | |
| nickname | Always returned as "Unknown". Persona does not verify nicknames |
| birthdate | ISO 8601 format: YYYY-MM-DD |
| address | |
Claims required if known per TEFCA IAS SOP:
| Claim | Notes |
|---|---|
| historical_address | Persona can return an array of addresses associated with the patient. Including historical addresses in the ID Token can significantly improve patient match rates. Contact your Persona account team if you are interested in supporting this claim for your patients. |
| middle_name | |
| middle_initial | |
| suffix | Not currently supported. |
| email | |
| email_verified | true if the patient completed email verification |
| phone_number | |
| phone_number_verified | true if the patient completed phone verification |
| SSN | |
| SSN_Last_four_digits | |
| ZIP+4 | |
| gender | Contact Persona if interested in this claim. |
Sample ID Token
Below is a sample TEFCA ID Token payload generated by Persona. All values are illustrative.
{
"iss": "https://authenticate.withpersona.com/authenticate/oidc",
"sub": "act_qDoDyLcWjKD5e8R5kCmK9vUtcUpv",
"aud": [
"env_DWP98JkccwwbLPUnzMrx7831.atoc_AWiTtq6zT9TsGU8a6x6rY6qp7n6jXY",
"urn:oid:9.99.9.99.99.9.99.99.99.9.9.99.99999.9"
],
"exp": 1768902173,
"iat": 1768898573,
"auth_time": 1768898571,
"nbf": 1768898573,
"jti": "0ef0850f-eef9-4cf7-b42d-dxd499523607",
"nonce": "a972942b-015a-41e8-b138-8ce13bba5b1b",
"azp": "env_DWP98JkccwwbLPUnzMrx7831.atoc_AWiTtq6zT9TsGU8a6x6rY6qp7n6jXY",
"inquiry_id": "inq_AWiTtq6SoiDHGrX6i2WpTf9WF4UKL8",
"given_name": "Camila",
"family_name": "Lopez",
"middle_name": "Maria",
"nickname": "Unknown",
"birthdate": "1987-09-12",
"address": {
"formatted": "3268 West Johnson St. Apt 117, Garland, TX 75043, US",
"street_address": "3268 West Johnson St. Apt 117",
"locality": "Garland",
"region": "TX",
"postal_code": "75043",
"country": "US"
},
"SSN": "123-45-6789",
"SSN_Last_four_digits": "6789",
"phone_number": "+14694694321",
"phone_number_verified": true,
"email": "knixontestemail@epic.com",
"email_verified": true
}
Flow Configuration Guidance
Persona has an IAL2 inquiry flow optimized for patient matching on the TEFCA network. There are a number of pathways by which an individual can verify their identity. Multiple evidence combinations that satisfy NIST IAL2 assurance are supported including but not limited to: REAL ID, passport NFC, DMV, and selfie verifications. The flow dynamically routes patients through the most appropriate pathway based on the documents they present.
Native Mobile Experience
TEFCA flows are configured to require the native mobile experience. Completion of the flow on web is not recommended because:
- Barcode capture is significantly more difficult with webcams.
- NFC chip reading is only available on mobile devices.
Persona Wallet
The Persona Wallet (Reusable Personas) can significantly improve the patient re-verification experience. Upon completion of an inquiry, patients will be prompted to store their government ID in their Persona Wallet; this is completely optional. Upon returning to subsequent inquiries, if a patient has stored their government ID with Persona Wallet, they can use their saved credentials to expedite the document verification steps.
Unique Patient Identifier
Accounts in Persona represent a single identity, consolidating all of an individual's verification interactions and attempts over time. Using a consistent identifier allows Persona to link each inquiry to the same account and enables many fraud detection capabilities.
When integrating with Persona, associate an immutable unique identifier per patient as the login_hint in your authentication request. We map the value from the login_hint to the account reference_id in Persona and consolidate all inquiries to this same account.
Testing & Synthetic Patient Guide
Persona provides a sandbox environment for testing your TEFCA integration end-to-end before going live.
Sandbox Environment
You can use your sandbox environment to test your integration and the patient experience. Sandbox inquiries do not perform live data verification and allow for the simulation of passed or failed verifications.
Synthetic Test Patients
Qualified Health Information Networks (QHINs) have synthetic test patient data to facilitate testing IAS Provider to QHIN integrations. Persona supports the synthetic identities contained below.
To use the synthetic identities, create an inquiry in your sandbox environment. Enter either the phone number or email address of a synthetic patient in the inquiry. Ensure that the Pass verifications toggle is enabled and submit any phone or email confirmation code. Persona will update the inquiry and the account with the synthetic patient’s demographics and issue an ID Token with the corresponding demographics.
| Name | Phone | Email | DOB | Address |
|---|---|---|---|---|
| Allison Hackett | 608-555-1243 | ahackett@gmail.com | 01/15/1987 | 1325 Main St, Madison, WI, US 57303 |
| Damon Mychart | 608-211-3314 | dmychart@gmail.com | 07/26/1979 | 308 Oak St, Madison, WI, US 53711 |
| Dog Beaker | 410-707-2690 | dogbeaker@aol.com | 11/24/1985 | 124 Lake Street, Vernon, CT, US 06066 |
| Barbara Testa | 831-600-3769 | btesta@hotmail.com | 05/24/1947 | 8855 Orchid Blvd, Reading, PA, US 19602 |
| Tracy CraneTest | 222-360-1564 | tcranetest@gmail.com | 12/26/1936 | 458 Streich Street Lunenburg, MA, US 01462 |
| Camila Maria Lopez | 469-469-4321 | knixontestemail@epic.com | 09/12/1987 | 3268 West Johnson St. Apt 117 Garland, TX, US 75043 |
| Derrick Lin | 785-785-4321 | knixontestemail2@epic.com | 06/3/1973 | 7324 Roosevelt Ave Indianapolis, IN, US 46201 |
| Homer J Simpson | 217-123-3608 | hsimpson@gmail.com | 02/9/1975 | 742 Evergreen Terrace Madison, WI, US 53711 |
| Margaret Smith | 706-123-4567 | msmith60@gmail.com | 01/02/1960 | 123 Peachtree Road Augusta, GA, US 30909 |
| Ellen Doe | 401-555-1940 | ellen.doe4321@gmail.com | 03/07/1940 | 110 Westminster St Providence, RI, US 02903 |