{"id":"6438bda5-735c-421b-aa20-d82bd6836393","task":"Issue and verify SMART Health Cards and SMART Health Links for patient credential sharing","domain":"hl7.org","steps":["To issue a SMART Health Card: package the patient's FHIR data (e.g., immunization Bundle) as a minimized FHIR Bundle (no server URLs, no narrative), compress it with DEFLATE, then sign it as a JWS compact serialization using an ES256 (ECDSA P-256) private key; the resulting JWS string is the SMART Health Card","Publish the issuer's public key at a JWKS endpoint at <issuer>/.well-known/jwks.json; the kid in the JWS header must match a key in the JWKS; verifiers will fetch this endpoint to validate signatures","To distribute as a file, wrap the JWS string(s) in a JSON object with a 'verifiableCredential' array and save as a .smart-health-card file (MIME type: application/smart-health-card); for QR distribution, split the JWS into chunks and encode each as a numeric QR code","To issue a SMART Health Link (SHL): generate a random encryption key, encrypt the payload (FHIR Bundle or .smart-health-card file) with AES-256-GCM, store it at a manifest URL, then encode the SHL URL as shlink:/<base64url-payload> for sharing via QR or hyperlink","To verify a SMART Health Card: decode the JWS, fetch the issuer's JWKS, validate the ES256 signature, check the 'exp' claim if present, and parse the vc.credentialSubject.fhirBundle to extract the clinical data","For SMART Health Links verification: parse the SHL URL to extract the manifest URL and decryption key, GET the manifest with the SHL-recipient header, then decrypt and decompress each payload file to obtain the FHIR data"],"gotchas":["SMART Health Cards require DEFLATE compression of the FHIR Bundle payload before JWS signing — implementers who sign uncompressed JSON will produce non-verifiable cards that fail standard verifier apps","SMART Health Links are distinct from SMART Health Cards: SHLs can carry dynamic or large payloads (multiple files, expiry, access count limits) via an encrypted manifest, whereas Health Cards are static single-JWS credentials; do not conflate the two formats","The issuer key must use the P-256 curve (ES256) — RSA or other EC curves are not supported by the SMART Health Cards spec; key rotation must maintain old public keys in the JWKS until all previously issued cards have expired or been superseded"],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:40.307Z"},"url":"https://mcp.waymark.network/r/6438bda5-735c-421b-aa20-d82bd6836393"}