Use SMART App Launch v2 granular scopes (e.g., patient/Observation.rs, user/MedicationRequest.cruds) to request fine-grained access to specific FHIR resource types and operations
Review the SMART App Launch v2 scope grammar: resource-type-level scopes use the format <context>/<ResourceType>.<cruds> where each letter maps to create, read, update, delete, or search
Construct the OAuth2 authorization request with the appropriate granular v2 scopes, separating multiple scopes with spaces and replacing any legacy wildcard scopes such as patient/*.read
Handle the scope negotiation response — the server may grant a subset of requested scopes; parse the scope parameter from the token response to determine what was actually granted
Enforce the granted scopes client-side by only attempting FHIR operations that are covered by the token, and surface meaningful errors to users when a needed scope was denied
Test scope behavior across sandbox EHRs (Epic, Cerner) because support for v2 granular scopes may vary and some servers still return v1-style wildcard scopes
Known gotchas
SMART v2 granular scopes are not backward compatible with v1 wildcard scopes; mixing both styles in the same authorization request can cause unexpected scope trimming
The 'search' (s) operation scope is separate from 'read' (r); requesting patient/Observation.r without .s will block search endpoints even if individual reads work
EHR sandbox environments may advertise v2 scope support in their capability statement but silently downgrade to v1 behavior at runtime
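The scope-handling steps and the read/search and v1-downgrade gotchas above, as an added example (not code from the original page). The function names and the token response are constructed for illustration; the v1-to-v2 mapping (read = rs, write = cud, * = cruds) is the equivalence given in the SMART App Launch v2 specification.

```python
import re

# <context>/<ResourceType>.<ops>[?query]; ops is v2 "cruds" letters or v1 read/write/*
_SCOPE = re.compile(
    r"^(patient|user|system)/(\*|[A-Za-z]+)\.(\*|read|write|c?r?u?d?s?)(?:\?(.+))?$")
# v1 -> v2 equivalents, so a server that answers in v1 style is still comparable
_V1 = {"read": "rs", "write": "cud", "*": "cruds"}

def parse_granted(scope_param):
    """Parse a space-separated scope string into
    (context, resource_type, ops, query) tuples; non-resource scopes
    such as openid or launch/patient are skipped."""
    grants = []
    for token in scope_param.split():
        m = _SCOPE.match(token)
        if not m or not m.group(3):  # not a resource scope, or empty ops
            continue
        ctx, rtype, ops, query = m.groups()
        grants.append((ctx, rtype, _V1.get(ops, ops), query))
    return grants

def allows(grants, context, resource_type, op):
    """True if an unconstrained grant covers op (one of c, r, u, d, s).
    Grants narrowed by a ?query are ignored, which errs toward denial."""
    return any(ctx == context and rtype in ("*", resource_type)
               and op in ops and query is None
               for ctx, rtype, ops, query in grants)

def missing(requested, granted):
    """Return (context, resource_type, op) triples requested but not granted."""
    have = parse_granted(granted)
    gaps = []
    for ctx, rtype, ops, _ in parse_granted(requested):
        gaps += [(ctx, rtype, op) for op in ops if not allows(have, ctx, rtype, op)]
    return gaps

# Constructed token response: Observation search was trimmed, and the
# MedicationRequest scope came back in v1 style.
REQUESTED = "openid launch/patient patient/Observation.rs user/MedicationRequest.cruds"
TOKEN_RESPONSE = {"access_token": "example-token", "token_type": "Bearer",
                  "scope": "openid launch/patient patient/Observation.r "
                           "user/MedicationRequest.read"}

if __name__ == "__main__":
    for gap in missing(REQUESTED, TOKEN_RESPONSE["scope"]):
        print("denied:", gap)
```

Run missing() once after the token exchange and use the result to disable the affected features up front, rather than discovering a trimmed scope from a failed FHIR call.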