Client applications and systems of record MAY support  UDAP Dynamic Client Registration  for the registration of a client application with a system of record. If supported, systems of records MUST include their registration endpoint URI in their discoverable OAuth metadata. If supported, client applications that have not previously obtained a client_id from a system of record SHOULD attempt registration with the system of record using this profile. If supported, client applications that can protect private cryptographic keys and all systems of record SHOULD support ( UDAP JWT-Based Client Authentication ) for the authentication of client applications using asymmetric cryptography. If supported, client applications SHALL specify a token_endpoint_auth_method of "private_key_jwt" or "client_secret_basic" in their submitted software statement. The "private_key_jwt" value is used for clients intending to authenticate using asymmetric cryptography as per the UDAP JWT-Basic Client Authentication profile. If supported, client applications that cannot protect private cryptographic keys MUST use the "client_secret_basic" value. Conforming client applications and systems of record MAY support the  UDAP Tiered OAuth for User Authentication  profile to enable reusable user credentials for end users. Additional constraints on the SMART and UDAP profiles listed above for the CARIN Blue Button IG use case can be found at < https://docs.google.com/document/d/1HgOlUWMEsZHBChuP4DACRka4ap2S8UwSTkAz4oY6bCo/edit >.