Production client ID returns HTTP 200 OAuth2 Error — non-production ID returns HTTP 302 — same request


Wilbert Jackson

Jun 7, 2026, 10:58:30 AM
to SMART on FHIR

I have a patient-facing SMART on FHIR app registered on Epic on FHIR (App ID 55838, Nutrilog 4visionCare). Both apps are Production Ready with 513 downloads and USCDI v1 auto-distribution enabled.

The problem: Every production client ID I create returns HTTP 200 OAuth2 Error from the authorize endpoint. The non-production client ID returns HTTP 302 correctly. Tested against 5+ health systems including BILH, AdventHealth, Advocate Aurora, Mass General Brigham, and the Epic sandbox. All production IDs fail against all endpoints.

Curl proof:

Non-production ee70448e → HTTP 302 ✅

curl "https://fhir.epic.com/interconnect-fhir-oauth/oauth2/authorize?response_type=code&client_id=ee70448e-6af3-4138-a1a1-5842cbdba7cb&redirect_uri=https://4vision.com/nutrition-lookup.html&scope=launch/patient+patient/MedicationRequest.read+openid+fhirUser&state=test123&code_challenge=Xilyp7X5i3hORXaTyY5bAUacdlJlJa5O1CzjlxXZl7Q&code_challenge_method=S256&aud=https://epicproxy.et1082.epichosted.com/FHIRProxy/api/FHIR/R4/"

→ HTTP 302 Location: mychart-fhir/Authentication/OAuth/Start?client_id=ee70448e...

Production c05fa09c → HTTP 200 OAuth2 Error ❌

Same request with client_id=c05fa09c-2073-4d69-b535-0e2cb748e323 → HTTP 200 <title>OAuth2 Error</title>

Production cd04ae81 (second app, ID 56015) → HTTP 200 OAuth2 Error ❌

Same request with client_id=cd04ae81-9ec0-4cf6-b59a-987e11ea8360 → HTTP 200 <title>OAuth2 Error</title>

What I have ruled out:

  • App configuration — two separate apps both fail
  • Scope issues — tested with minimal scopes
  • aud parameter — tested against 5 health systems and sandbox
  • Redirect URI — exact match confirmed
  • Browser cache — confirmed via curl from server command line
  • Client sync delay — issue persists 48+ hours after Production Ready

The pattern is unambiguous: Non-production client IDs work. Production client IDs do not work. This affects every production client ID under my developer account regardless of app configuration.

Has anyone seen this? Is there a developer account level activation step required for production client IDs that I am missing?
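
An added example, not part of the original post: a Python helper that builds the authorize request above with every parameter percent-encoded and labels a response by whether the server redirected or rendered an error page. RFC 6749 section 4.1.2.1 has the server show the error without redirecting when it cannot validate client_id or redirect_uri, and return other errors on the redirect. The function names, the placeholder client ID and the sample responses are constructed for illustration.

```python
import base64
import hashlib
import re
from urllib.parse import parse_qs, urlencode, urlsplit


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge: base64url(SHA-256(verifier)), no padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize_url(base, client_id, redirect_uri, scopes, aud, state, verifier):
    """Build the authorize URL; urlencode percent-encodes ':' and '/' in values."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # spaces are emitted as '+'
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
        "aud": aud,
    }
    return base + "?" + urlencode(params)


def classify(status, headers, body):
    """Label an authorize response by how the server chose to report it."""
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if 300 <= status < 400 and location:
        query = parse_qs(urlsplit(location).query)
        if "error" in query:
            # Client and redirect_uri were accepted; the error rides the redirect.
            return "redirected-error:" + query["error"][0]
        return "redirected-to-login"
    title = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    if status == 200 and title and "error" in title.group(1).lower():
        # Error rendered in place: the server did not use the redirect_uri.
        return "error-page-no-redirect"
    return "unclassified"


# Constructed sample responses (status, headers, body); not captured traffic.
SAMPLE_LOGIN = (302, {"Location": "/mychart-fhir/Authentication/OAuth/Start?client_id=PLACEHOLDER"}, "")
SAMPLE_PAGE = (200, {"Content-Type": "text/html"}, "<html><head><title>OAuth2 Error</title></head></html>")
SAMPLE_REDIRECT_ERR = (302, {"location": "https://app.example/cb?error=invalid_scope&state=test123"}, "")

if __name__ == "__main__":
    for sample in (SAMPLE_LOGIN, SAMPLE_PAGE, SAMPLE_REDIRECT_ERR):
        print(sample[0], classify(*sample))
```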
