PSS-1685

FHIR at Scale (FAST): Scalable Registration, Authentication, and Authorization for FHIR Ecosystem Participants


Details

    • Type: Project Proposal
    • Resolution: Done
    • Priority: Medium
    • Security
    • September 2021
    • Description:
      As the FHIR ecosystem grows and the number of deployed servers and clients multiplies, several aspects of the registration, authentication, and authorization processes that must occur before FHIR resources can be exchanged have been identified as potential bottlenecks. To allow the ecosystem to scale effectively, automated approaches to application registration and more robust mechanisms to reliably identify participants and manage credentials are needed. For larger ecosystems with numerous requestors and responders, a distributed system of authoritative information, anchored in digital certificates, can be leveraged to enable a scalable, dynamic solution for client (i.e., FHIR client / requestor) registration.

      The registration problem alone is exemplified by statistics from a scenario analysis that considered manual registration of 60 current Blue Button API clients across 907 US health plans. Extrapolating from the CMS experience, the time required for human-facilitated administrative activities at the health plans to register 60 applications (e.g., review meetings, generation and sharing of API credentials with the app developer, etc.) was estimated at 73 person-years (Seib A & Scrimshire M, “Making it easier for Patients and Data Holders”, EHNAC AHIP Webinar, 2020). This estimate covers only one type of registration interaction (payer/consumer); additional registration effort is required for every provider/consumer, provider/provider, provider/payer, and payer/payer pairing. The healthcare dollars spent on manual, non-value-adding client registration activities can be recaptured many times over as this solution is adopted across the FHIR API ecosystem nationwide.

      The ONC FHIR at Scale Taskforce’s Security Tiger Team was formed in late 2018 to investigate these issues and identify potential solutions. The Tiger Team identified the Unified Data Access Profiles (UDAP) for dynamic client registration, client authentication, client authorization, and Tiered OAuth as building blocks that implementers can use to address the issues above and improve the overall scalability of the FHIR ecosystem, a recommendation that has received positive feedback from numerous cybersecurity subject matter experts.

      The aim of this project is to expand upon the existing work of UDAP.org within the HL7 consensus process to produce a more complete set of implementation guides for implementers of both client and server systems that use FHIR for data exchange, standardizing how implementers integrate the UDAP profiles identified by the FAST Security Tiger Team into existing OAuth 2.0 and OpenID Connect workflows.

      Among other things, the deliverables of this project would provide the FHIR community with detailed instructions for implementing the following:
      - integration of existing public key infrastructure mechanisms with the registration, authentication, and authorization processes, establishing robust trust networks with reusable credentials that identify actors
      - trusted dynamic client registration
      - submission by client apps of self-assertions, third-party certifications, or other endorsements to servers, and vice versa
      - client app assertions of additional information for a given session, including information related to consent or purpose of use, so that resource holders can scope access tokens more finely
      - increased security and assurance in the identity of all actors through asymmetric cryptographic methods for authentication, including specific protocols to support network-wide revocation of credentials
      - dynamic federation of user credentials to facilitate credential reuse and single sign-on
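The first, second and fifth deliverables above describe one mechanism: a client presents a certificate issued under a shared trust anchor, signs its registration request with the matching private key, and the server admits it only after the certificate chains to the anchor, has not been revoked, and vouches for the identity the request claims. The following is an added example of that pattern, not code from UDAP.org, HL7 or the FAST Task Force. The trust anchor, client certificate, endpoint and client URLs are all constructed for the example, the claim names follow RFC 7591 / RFC 7519 conventions rather than reproducing the UDAP profile verbatim, and it requires the `cryptography` package.

```python
"""Certificate-backed dynamic client registration, end to end.
Added example; not UDAP.org, HL7 or FAST Task Force code. The trust anchor,
client certificate, URLs and claim names are all constructed/assumed here.
"""
import base64, datetime, json, time
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

REGISTRATION_ENDPOINT = "https://fhir.example.org/oauth/register"  # assumed
CLIENT_URI = "https://app.example.com"                              # assumed

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_cert(subject_cn, issuer_name, issuer_key, public_key, san_uri=None):
    """Issue a one-year certificate; a SAN URI marks an end-entity (client) cert."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(issuer_name).public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=san_uri is None, path_length=None), critical=True))
    if san_uri:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.UniformResourceIdentifier(san_uri)]), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())

def build_community():
    """Constructed trust community: one anchor and one client enrolled under it."""
    anchor_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    anchor_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Trust Anchor")])
    anchor_cert = make_cert("Example Trust Anchor", anchor_name, anchor_key, anchor_key.public_key())
    client_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    client_cert = make_cert("Example App", anchor_name, anchor_key, client_key.public_key(), CLIENT_URI)
    return anchor_cert, client_key, client_cert

def sign_software_statement(client_key, client_cert, claims):
    """Client side: RS256 JWS whose x5c header carries the client certificate."""
    cert_der = client_cert.public_bytes(serialization.Encoding.DER)
    header = {"alg": "RS256", "x5c": [base64.b64encode(cert_der).decode()]}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    signature = client_key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(signature)

class RegistrationError(Exception):
    pass

def register(statement, anchor_cert, revoked_serials, now=None):
    """Server side: admit the client only if every link in the trust chain holds."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = statement.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
        cert = x509.load_der_x509_certificate(base64.b64decode(header["x5c"][0]))
    except (ValueError, KeyError, IndexError) as exc:
        raise RegistrationError("malformed statement") from exc
    if header.get("alg") != "RS256":            # pin the algorithm; never trust 'alg' blindly
        raise RegistrationError("unsupported alg")
    # 1. The certificate must chain to, and still be honoured by, the trust anchor.
    if cert.issuer != anchor_cert.subject:
        raise RegistrationError("unknown issuer")
    try:
        anchor_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature as exc:
        raise RegistrationError("certificate not signed by trust anchor") from exc
    if cert.serial_number in revoked_serials:   # network-wide revocation hook (CRL/OCSP in practice)
        raise RegistrationError("certificate revoked")
    # 2. The statement must be signed by the private key matching that certificate.
    try:
        cert.public_key().verify(b64url_decode(s), f"{h}.{p}".encode(), padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature as exc:
        raise RegistrationError("bad statement signature") from exc
    # 3. The identity the client claims must be the one the certificate vouches for.
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound as exc:
        raise RegistrationError("certificate carries no URI identity") from exc
    if claims.get("iss") not in san.get_values_for_type(x509.UniformResourceIdentifier):
        raise RegistrationError("iss not bound to certificate")
    if claims.get("sub") != claims.get("iss") or claims.get("aud") != REGISTRATION_ENDPOINT:
        raise RegistrationError("wrong sub or aud")
    if claims.get("exp", 0) <= now:
        raise RegistrationError("statement expired")
    client_id = cert.fingerprint(hashes.SHA256()).hex()[:32]   # reusable, certificate-derived
    return {"client_id": client_id, "iss": claims["iss"], "client_name": claims.get("client_name")}

def demo():
    """Happy path plus the failure modes a registration server must catch."""
    anchor_cert, client_key, client_cert = build_community()
    now = int(time.time())
    claims = {"iss": CLIENT_URI, "sub": CLIENT_URI, "aud": REGISTRATION_ENDPOINT, "iat": now,
              "exp": now + 300, "jti": "constructed-nonce-1", "client_name": "Example App",
              "redirect_uris": [CLIENT_URI + "/cb"], "grant_types": ["authorization_code"]}
    good = sign_software_statement(client_key, client_cert, claims)
    h, _, s = good.split(".")
    rogue_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)   # not under the anchor
    rogue_cert = make_cert("Rogue", x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Rogue")]),
                           rogue_key, rogue_key.public_key(), CLIENT_URI)
    attempts = {
        "rogue_issuer": (sign_software_statement(rogue_key, rogue_cert, claims), set()),
        "tampered": (h + "." + b64url(json.dumps({**claims, "client_name": "Other"}).encode()) + "." + s, set()),
        "impersonation": (sign_software_statement(client_key, client_cert,
                          {**claims, "iss": "https://evil.example", "sub": "https://evil.example"}), set()),
        "wrong_audience": (sign_software_statement(client_key, client_cert,
                           {**claims, "aud": "https://other.example/register"}), set()),
        "revoked": (good, {client_cert.serial_number}),
    }
    results = {"valid": register(good, anchor_cert, set())["iss"] == CLIENT_URI}
    for name, (stmt, revoked) in attempts.items():
        try:
            register(stmt, anchor_cert, revoked)
            results[name] = "accepted"
        except RegistrationError as exc:
            results[name] = str(exc)
    return results
```

Running `demo()` registers the genuine client and rejects the five bad requests for distinct reasons: a certificate from outside the trust community, a payload altered after signing, a valid signature over an identity the certificate does not carry, a statement aimed at a different registration endpoint, and a certificate the community has revoked. The order of the checks matters: the chain and revocation checks run before the (relatively expensive) JWS verification and before any claim is trusted, so an untrusted certificate never gets to influence a decision.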

People

    Assignee: Unassigned
    Luis Maas (lcmaas)
    Watchers: 15