Knowledge Base
Why UDAP Certificates are Important for Participation in the FHIR Ecosystem
A UDAP certificate is used to express verified attributes about a client application or FHIR server operator. Once you have obtained a UDAP certificate through manual registration, EMR Direct and other relying parties can validate that your certificate is trusted, which integrates you into the EMR Direct FHIR ecosystem. With a UDAP certificate, your app's or server's attributes become automatically discoverable by FHIR servers where the app has not yet been registered, or by clients attempting to access your server. This saves client apps from having to obtain a different client_id for every registration server, reduces the number of platforms where the app needs to be approved, and allows trusted clients and servers to be recognized as such, bringing confidence and scalability to FHIR transactions.
The UDAP certificate can be used for registering at new FHIR servers' registration endpoints, signing token requests for those FHIR servers' authorization endpoints, and validating FHIR server identity. A certificate-signed software statement is used to request a client_id, and a client assertion JWT is used to request an access token at an authorization endpoint.
In essence, a UDAP certificate is a critical part of a FHIR endpoint's digital identity: it allows the app to sign the JWTs needed to interact with FHIR resources, and it allows counterparties to validate the identity of a FHIR resource. Thus, obtaining a UDAP certificate is an important way to participate seamlessly in the FHIR ecosystem. A UDAP certificate can be reused in the context of any EMR system leveraging EMR Direct's FHIR services, or with other FHIR servers and their client apps that may also elect to rely on UDAP certificates.
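As an added illustration (not EMR Direct's code), here is the relying-party side of the two JWTs just described: the UDAP-specific claim checks on a registration software statement and on a token-endpoint client assertion, assuming a JOSE/X.509 library has already verified the RS256 signature and that the x5c certificate chains to a trusted anchor. The checks follow the UDAP claim rules (iss matching a URI SAN of the certificate, sub equal to iss for registration, exp at most five minutes after iat, single-use jti); the endpoints, jti values and client_id are constructed placeholders.

```python
from dataclasses import dataclass, field

MAX_LIFETIME = 300  # UDAP: exp may be at most 5 minutes after iat


@dataclass
class JtiCache:
    """Remembers each jti until its exp so a captured JWT cannot be presented twice."""
    seen: dict = field(default_factory=dict)

    def first_use(self, jti, exp, now):
        self.seen = {j: e for j, e in self.seen.items() if e > now}  # forget expired entries
        if jti in self.seen:
            return False
        self.seen[jti] = exp
        return True


def validate_udap_claims(claims, cert_san_uris, expected_aud, now, cache, client_id=None):
    """UDAP claim checks run after signature and x5c chain verification (assumed done by a library).
    client_id=None  -> registration software statement: iss is the client URI and must be a URI SAN
                       of the signing certificate; sub must equal iss.
    client_id given -> token-endpoint client assertion: iss and sub must both be that client_id.
    Returns None when the JWT is acceptable, otherwise a short reason string."""
    for k in ("iss", "sub", "aud", "exp", "iat", "jti"):
        if k not in claims:
            return f"missing claim {k}"
    if client_id is None and claims["iss"] not in cert_san_uris:
        return "iss does not match a URI SAN in the signing certificate"
    expected = claims["iss"] if client_id is None else client_id
    if claims["iss"] != expected or claims["sub"] != expected:
        return "iss/sub mismatch"
    if claims["aud"] != expected_aud:
        return "aud is not this endpoint"
    if not (claims["iat"] <= now < claims["exp"] <= claims["iat"] + MAX_LIFETIME):
        return "exp/iat outside the allowed window"
    if not cache.first_use(claims["jti"], claims["exp"], now):
        return "jti already used (replay)"
    return None


# Constructed sample: a software statement as an app would sign it for a registration endpoint.
SAMPLE_STATEMENT = {
    "iss": "https://app.example.com", "sub": "https://app.example.com",
    "aud": "https://fhir.example.org/register", "iat": 1_700_000_000, "exp": 1_700_000_300,
    "jti": "constructed-jti-1", "client_name": "Example App",
    "redirect_uris": ["https://app.example.com/cb"], "grant_types": ["authorization_code"],
    "response_types": ["code"], "token_endpoint_auth_method": "private_key_jwt",
}

if __name__ == "__main__":
    cache, now, sans = JtiCache(), 1_700_000_010, ["https://app.example.com"]
    print(validate_udap_claims(SAMPLE_STATEMENT, sans, SAMPLE_STATEMENT["aud"], now, cache))  # None
    print(validate_udap_claims(SAMPLE_STATEMENT, sans, SAMPLE_STATEMENT["aud"], now, cache))  # replay
```

The same statement presented twice is rejected by the jti cache, which is the check that keeps a captured registration or token request from being reused.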
However, it is also possible to register an app anonymously through Dynamic Client Registration without obtaining a UDAP certificate, by submitting only the basic information required to get a client_id (see Requirements for Client Registration for more information on the specific data elements required). Such an anonymous registration is sufficient for apps intending to use the authorization code flow with existing patient credentials for patient access to data.