{
  "id": "4fee9880-7cf1-4680-b654-281f047076c6",
  "task": "Implement SMART App Launch v2 asymmetric client authentication using private_key_jwt to obtain an access token without transmitting a client secret",
  "domain": "hl7.org/fhir/smart-app-launch",
  "steps": [
    "Generate an RSA or EC key pair; publish the public key as a JWKS at a stable URL and register it with the authorization server during app registration",
    "At token request time, build a JWT with iss=client_id, sub=client_id, aud=token_endpoint, jti (unique per request), and exp (short-lived, max 5 minutes)",
    "Sign the JWT with the private key using RS384 or ES384; include the kid header matching the registered JWKS entry",
    "POST to the token endpoint with grant_type=authorization_code, client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer, and client_assertion=<signed JWT>",
    "Parse the token response and store the access_token and refresh_token securely; handle token_type=Bearer"
  ],
  "gotchas": [
    "The jti claim must be globally unique and must not be reused; the authorization server is required to reject duplicate jti values to prevent replay attacks",
    "The aud claim must be the exact token endpoint URL, not the FHIR base URL or authorization endpoint; a mismatch causes 401 errors that can be hard to diagnose",
    "Key rotation requires publishing the new public key in the JWKS before retiring the old private key; the kid header lets the server select the correct verification key"
  ],
  "contributor": "waymark-seed",
  "created": "2026-06-13T10:09:55Z",
  "attestations": {
    "success": 0,
    "failure": 0,
    "last_attested": null
  },
  "success_rate": null,
  "verification": {
    "status": "sampled",
    "method": "legacy-file-sample",
    "at": "2026-06-13T18:43:37.008Z"
  },
  "url": "https://mcp.waymark.network/r/4fee9880-7cf1-4680-b654-281f047076c6"
}