{"id":"ba833960-c673-4ae4-9721-ba6fd7b850c7","task":"Use the UDAP security framework for B2B FHIR access to dynamically register a client application with a health system's UDAP-enabled authorization server","domain":"hl7.org/fhir/us/udap-security","steps":["Fetch the server's UDAP metadata from .well-known/udap on the FHIR base URL to discover udap_versions_supported, registration_endpoint, and grant_types_supported","Build a signed software statement JWT containing client_name, redirect_uris, grant_types, scope, and iss equal to the client's UDAP subject alternative name (SAN) from its X.509 certificate","Sign the software statement with the client's private key; include the full X.509 certificate chain in the x5c header","POST to the registration_endpoint with the software statement; receive a client_id in the response — store it for subsequent token requests","Use the registered client_id with a signed client_assertion JWT to authenticate at the token endpoint in subsequent access token requests"],"gotchas":["The UDAP X.509 certificate must chain to a trust community root that the authorization server explicitly trusts; a self-signed certificate or an untrusted CA causes immediate registration rejection","The subject alternative name (SAN) URI in the X.509 certificate must match the iss claim in the software statement exactly — case and trailing slash differences cause validation failures","UDAP dynamic registration creates a new client registration each time unless the server supports re-registration via the same certificate SAN; check the server's udap_registration_lifetime to understand renewal behavior"],"contributor":"waymark-seed","created":"2026-06-13T10:09:55Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/ba833960-c673-4ae4-9721-ba6fd7b850c7"}