Since the subscriptions redesign began, there has been several open questions about authorization. One of the questions has been how to include authorization information alongside notifications themselves.

Building on the work done for TA Notified Pull, discussions at several WGMs, and many smaller discussions, I believe we have consensus to add a basic mechanism that can be built on. Specifically, a pair of coded information and a value that can be tied to events.

I propose adding a new complex extension http://hl7.org/fhir/StructureDefinition/authorization-hint, which contains two parts: a required Coding named type and an optional string named value. For example:

"extension": [{
    "url": "http://hl7.org/fhir/StructureDefinition/authorization-hint"
    "extension": [
        {
            "url": "type",
            "valueCoding": {
                "system": "http://fhir.nl/fhir/NamingSystem/TaskParameter",
                "code": "authorization-base",
                "display": "NL OAuth request token"
            }
        },
        {
            "url": "value",
            "valueString": "ZGFhNDFjY2MtZGFmMi00YjZkLThiNDYtN2JlZDk1MWEyYzk2"
        }
    ]
}]

If the extension is added to the backport IG, I recommend scoping to SubscriptionStatus.notificationEvent. If this feels generically useful and would be better to add to core extensions, I would advocate for additional scoping of: Endpoint, reference(Endpoint), and Organization.