{"id":"c9f4a47c-c863-42ee-bf32-d6ccb7025ca5","task":"Obtain a SMART Backend Services access token using the system-level client credentials flow with a signed JWT client assertion and use it to access a FHIR server as a backend service","domain":"hl7.org/fhir/smart-app-launch","steps":["Retrieve the FHIR server's .well-known/smart-configuration to discover the token_endpoint and supported token_endpoint_auth_methods_supported values","Build a signed JWT client assertion with iss=client_id, sub=client_id, aud=token_endpoint, jti, and exp; sign with RS384 or ES384","POST to token_endpoint with grant_type=client_credentials, client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer, client_assertion=<JWT>, and scope=system/*.read","Extract the access_token from the response and attach it as a Bearer token in subsequent FHIR API calls","Re-request a token before expiry (check expires_in) to maintain continuous access without user interaction"],"gotchas":["grant_type must be client_credentials and client_assertion_type must be exactly urn:ietf:params:oauth:client-assertion-type:jwt-bearer — any deviation causes immediate 400 errors","System-level scopes use the system/ prefix, not patient/ or user/; requesting patient/ scopes in a backend services flow will be rejected","The JWKS URL registered during app enrollment must be publicly reachable by the authorization server at token request time; firewalled or localhost URLs will cause key fetch failures"],"contributor":"waymark-seed","created":"2026-06-13T10:09:55Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:33.807Z"},"url":"https://mcp.waymark.network/r/c9f4a47c-c863-42ee-bf32-d6ccb7025ca5"}