Use the UDAP security framework for B2B FHIR access to dynamically register a client application with a health system's UDAP-enabled authorization server
Fetch the server's UDAP metadata from .well-known/udap on the FHIR base URL to discover udap_versions_supported, registration_endpoint, and grant_types_supported
Build a signed software statement JWT containing client_name, redirect_uris, grant_types, scope, and iss equal to the client's UDAP subject alternative name (SAN) from its X.509 certificate
Sign the software statement with the client's private key; include the full X.509 certificate chain in the x5c header
POST to the registration_endpoint with the software statement; receive a client_id in the response — store it for subsequent token requests
Use the registered client_id with a signed client_assertion JWT to authenticate at the token endpoint in subsequent access token requests
Known gotchas
The UDAP X.509 certificate must chain to a trust community root that the authorization server explicitly trusts; a self-signed certificate or an untrusted CA causes immediate registration rejection
The subject alternative name (SAN) URI in the X.509 certificate must match the iss claim in the software statement exactly — case and trailing slash differences cause validation failures
UDAP dynamic registration creates a new client registration each time unless the server supports re-registration via the same certificate SAN; check the server's udap_registration_lifetime to understand renewal behavior
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp