I have a patient-facing SMART on FHIR app registered on Epic on FHIR (App ID 55838, Nutrilog 4visionCare). Both apps are Production Ready with 513 downloads and USCDI v1 auto-distribution enabled.
The problem: Every production client ID I create returns HTTP 200 OAuth2 Error from the authorize endpoint. The non-production client ID returns HTTP 302 correctly. Tested against 5+ health systems including BILH, AdventHealth, Advocate Aurora, Mass General Brigham, and the Epic sandbox. All production IDs fail against all endpoints.
Curl proof:
Non-production ee70448e → HTTP 302 ✅
Production c05fa09c → HTTP 200 OAuth2 Error ❌
Production cd04ae81 (second app, ID 56015) → HTTP 200 OAuth2 Error ❌
What I have ruled out:
The pattern is unambiguous: Non-production client IDs work. Production client IDs do not work. This affects every production client ID under my developer account regardless of app configuration.
Has anyone seen this? Is there a developer-account-level activation step required for production client IDs that I am missing?
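The differential check described in the post, reproduced as an added Python example (my code, not the poster's or Epic's): identical SMART App Launch authorize requests that differ only in client_id, with redirects not followed, so a 302 to the login page is told apart from an inline HTTP 200 error page. The authorize endpoint, redirect URI and FHIR base URL are placeholders, and the response tuples fed to the comparison are constructed rather than captured.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholders; real values come from the server's .well-known/smart-configuration
# and from the app's Epic on FHIR registration (redirect URI must match exactly).
AUTHORIZE_ENDPOINT = "https://fhir.example.org/oauth2/authorize"
REDIRECT_URI = "https://app.example.org/callback"


def make_pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = secrets.token_urlsafe(64)            # 86 chars, within 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client_id, fhir_base, code_challenge, state):
    """Standalone-launch authorize request (response_type=code).
    `aud` must be the FHIR base URL the access token will be used against."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid fhirUser launch/patient patient/*.read",
        "state": state,
        "aud": fhir_base,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def classify_authorize_response(status, headers, body=""):
    """Classify the FIRST response (redirects not followed). A healthy call
    redirects to the IdP login page; an inline 200 page carrying an OAuth2
    error means the server rejected the request before any login (for example
    unknown client_id, redirect_uri mismatch or wrong aud)."""
    location = headers.get("Location") or headers.get("location") or ""
    if status in (301, 302, 303, 307) and location:
        return "redirect"
    if status == 200 and "oauth2 error" in body.lower():
        return "oauth2_error"
    if 400 <= status < 500:
        return "client_error"
    return "unexpected"


def compare_client_ids(results):
    """results: {client_id: (status, headers, body)} from requests that differ
    only in client_id. Returns the client IDs that did NOT redirect."""
    return sorted(cid for cid, (s, h, b) in results.items()
                  if classify_authorize_response(s, h, b) != "redirect")
```

Run each URL from build_authorize_url with redirects disabled (for example curl -i without -L) and feed the first status, headers and body into compare_client_ids; a non-empty result lists exactly the client IDs the server rejects before login.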