Hi!

I'm struggling to wrap my head around requesting a token scoped to a single Patient in a member-directed (i.e. not member-mediated) payer-to-payer exchange. Please refer to:

• 5.2.1 Member Match with Consent
  • Member Connection
    • Step 3: Request Access Token for Member Access
      • 16 Use OAuth 2.0 token endpoint to request access using MemberMatch ID

The MemberMatch ID is an identifier; the MemberIdentifier output parameter for $member-match.

In chat.fhir.org, I asked (direct link):

• What is this request meant to look like?
• Which parameter and/or scope is used to communicate the MemberMatch ID to the OAuth 2.0 token endpoint?

Apparently, clients are to:

• use the same client credentials (client ID, client secret) obtained in Step 1b with an additional member_id parameter in the request body.

This member_id parameter doesn't appear to be documented anywhere.

Questions:

1. Is this correct?
   1. If so, what should the value of the member_id parameter look like? e.g. system|value
2. Is this documented somewhere?
   1. If not, how are clients/servers expected to know about it?
3. Is this a client credentials grant?

Changes Requested:

Please provide additional detail and clarity regarding access requests using the MemberMatch ID in the PDex IG (or via reference).

Please provide an example if possible.

Thank you!