Follow FAST security guidelines


    • Type: Change Request
    • Resolution: Unresolved
    • Priority: Highest

      I recommend we follow whichever guidelines FAST publishes. Their Security tiger team has expertise in this area.

      Existing Wording:

      Note To Balloters
      The DaVinci project is actively seeking input on security approaches and expectations for authentication and authorization between Senders and Receivers of sensitive patient data (e.g., will TLS, mutual-TLS, OAuth, etc. be required to interoperate?). There are several implementation guides and ongoing initiatives to address these issues including:
      • FHIR Data Segmentation for Privacy project
      • SMART Application Launch Framework Implementation Guide Release 1.0.0
      • FHIR Bulk Data Access (Flat FHIR) (specifically: SMART Backend Services: Authorization Guide)
      • FHIR at Scale Taskforce (FAST)
      • Dynamic Registration for SMART Apps

      Once an approach has been agreed upon, it will be documented in the Da Vinci Health Record Exchange (HRex) Implementation Guide.

            Assignee:
            Unassigned
            Reporter:
            Nick Radov
            Watchers:
            2

              Created:
              Updated: