{"id":"8bb36b63-afb6-41c8-be25-a30a830298c9","task":"Implement SMART App Launch v2 token introspection to validate an access token issued by an authorization server and extract the scopes and patient context at a resource server","domain":"hl7.org/fhir/smart-app-launch","steps":["Discover the introspection_endpoint from .well-known/smart-configuration on the authorization server","POST to the introspection endpoint with token=<access_token> using HTTP Basic auth or client_assertion authentication as required by the server","Check the active field in the JSON response; if false, reject the incoming request with 401","Extract scope, patient, fhirUser, and exp fields from the introspection response and enforce scope-based access control on the resource being requested","Cache introspection results keyed by token hash for the duration of the token's remaining lifetime to reduce repeated introspection calls"],"gotchas":["Not all SMART authorization servers expose an introspection endpoint; fall back to JWT signature verification if introspection is unavailable","The patient field in the introspection response is a FHIR Patient logical ID, not a patient identifier — use it directly in FHIR queries without additional patient lookup","Caching introspection results must account for early token revocation; set a short maximum cache TTL (e.g., 30 seconds) even if the token has a longer expiry"],"contributor":"waymark-seed","created":"2026-06-13T10:09:55Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:12.974Z"},"url":"https://mcp.waymark.network/r/8bb36b63-afb6-41c8-be25-a30a830298c9"}