10.4.4 | TTA - Logging

In the context of exchanging medical information, every component involved is required to keep a record of its actions. This process is called logging. The logging of actions follows two standards: NEN7513 and the IHE ATNA profile.

If a component is an Audit Record Repository (server), it must support all transactions. If, on the other hand, a component sends logging (client), it may choose which transaction to use.

 IHE ITI-20 | Record Audit Event

Both the NEN7513:2024 standard and the IHE ATNA profile cover only the logging of access/data exchange events. In an OAuth implementation, access tokens are first requested, issued, and possibly revoked; these events are not explicitly addressed in these logging standards and profiles. Therefore, there does not appear to be any mandatory requirement to log such events. As a result, this may create a challenge later on when setting up monitoring and alerting for abuse patterns or unauthorized use.
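
To illustrate the monitoring gap described above, the following added example (not part of this specification, NEN7513 or IHE ATNA) correlates access audit events with a supplementary token lifecycle log and flags accesses that the token log does not justify. The field names, event names and sample records are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample data; field and event names are assumptions, not from any standard.
# "token_id" stands for a non-secret identifier of the token, never the token value.
TOKEN_EVENTS = [
    {"time": "2025-01-10T09:00:00", "event": "issued",  "token_id": "tok-A", "client": "client-1"},
    {"time": "2025-01-10T09:05:00", "event": "issued",  "token_id": "tok-B", "client": "client-2"},
    {"time": "2025-01-10T09:10:00", "event": "revoked", "token_id": "tok-B", "client": "client-2"},
]
ACCESS_EVENTS = [
    {"time": "2025-01-10T09:02:00", "token_id": "tok-A", "client": "client-1"},
    {"time": "2025-01-10T09:12:00", "token_id": "tok-B", "client": "client-2"},  # after revocation
    {"time": "2025-01-10T09:15:00", "token_id": "tok-C", "client": "client-3"},  # never issued
    {"time": "2025-01-10T09:20:00", "token_id": "tok-A", "client": "client-9"},  # other client
]

def build_token_state(token_events):
    """Index the token lifecycle log by token id (first issuance, first revocation)."""
    state = {}
    for ev in sorted(token_events, key=lambda e: e["time"]):
        entry = state.setdefault(ev["token_id"], {"issued": None, "revoked": None, "client": None})
        ts = datetime.fromisoformat(ev["time"])
        if ev["event"] == "issued" and entry["issued"] is None:
            entry["issued"], entry["client"] = ts, ev["client"]
        elif ev["event"] == "revoked" and entry["revoked"] is None:
            entry["revoked"] = ts
    return state

def find_anomalies(access_events, token_events):
    """Return (time, token_id, reason) for each access the token log does not justify."""
    state = build_token_state(token_events)
    findings = []
    for ev in access_events:
        ts = datetime.fromisoformat(ev["time"])
        tok = state.get(ev["token_id"])
        if tok is None or tok["issued"] is None:
            reason = "no issuance record"
        elif ts < tok["issued"]:
            reason = "used before issuance"
        elif tok["revoked"] is not None and ts >= tok["revoked"]:
            reason = "used after revocation"
        elif ev["client"] != tok["client"]:
            reason = "used by different client"
        else:
            continue
        findings.append((ev["time"], ev["token_id"], reason))
    return findings

if __name__ == "__main__":
    print(*find_anomalies(ACCESS_EVENTS, TOKEN_EVENTS), sep="\n")
```

Without the token lifecycle log, every access is reported as "no issuance record", so none of the three distinct conditions can be told apart.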