Skip to main content

Developer sandbox

Outlined below are steps to try our API using the developer sandbox and retrieve member data for sample Patient ID.

Step 1: Generate an Authorization Code

To test out the Blue Cross and Blue Shield of North Carolina (Blue Cross NC) API, you must first generate an authorization code and a sample token that represents a member granting consent.

Below are few details you will need for generating the code:

Client ID: AJMP7iHHEfegyn2PMzTj

Client Secret: OHBJ8Pl9I2ilDZ5gRY74

RedirectURL: https://oidcdebugger.com/debug

Scope:

clinical openID FHIRUser

1. Invoke the “Authorization Code” request from a browser using below syntax:

https://oauthp2psb.bcbsnc.com/CMSP2PMemberSB/sps/oauth/oauth20/authorize?response_type=code&client_id=AJMP7iHHEfegyn2PMzTj&redirect_uri=https://oidcdebugger.com/debug&scope=openid%20read%20profile%20clinical&state=test123

2. You will be redirected to a disclaimer page. Review and click "I Understand" if you wish to proceed.

Example of disclaimer page you must review

3. You will be redirected to a Blue Cross NC login screen. Log in with one of the synthetic beneficiary accounts.

Example of Blue Cross NC login screen

4. Synthetic Beneficiary Accounts

The following test user accounts can be used for authentication and authorization: 

SubscriberIDMemberCodeFirstNameLastNameDOBZipcode
YPPJ1269564601BCNCFIRSTTHREEBCNCLASTTHREE06/06/194427030

5. After successful member authentication, you are presented with a screen to indicate if you are accessing data for “Self” or as a “Personal Representative.”

Example of personal representation screen

6. You are redirected to the “Authorization / Consent page.”

  • If Personal Representative option is selected, you will need to choose from one of the options below in order to proceed to the “Authorization / Consent page.”
    1. Parent or guardian of a minor
    2. Active healthcare power of attorney
    3. Court ordered guardianship
    4. Other
  • You will be presented a text field entry to enter the full name.
  • If the option "Other" is chosen, you are presented with a text field entry to enter the relationship to the member.
  • Click “Next” to proceed to the “Authorization / Consent page.”

7. Need to review the “Authorization / Consent page” and scroll to the bottom of the screen to click “I Agree” in order to “Authorize.”

Example of authorization / consent page

8. You will be redirected to your app's redirect screen and the "Authorization code" will be sent in the response URL. The "Authorization code" is valid for 1 hour.

Example of app redirect screen displaying the authorization code

Step 2: Generate a sample token

Access Token URL:

https://oauthp2psb.bcbsnc.com/CMSP2PMemberSB/sps/oauth/oauth20/token

Example using curl syntax:

curl -v -k -H "Content-Type: application/x-www-formurlencoded;charset=UTF-8" -d"grant_type=authorization_code&code=[Insert_Auth_Code]&redirect_uri=[Insert_Redirect_URL]&client_id=[Insert_Client_Id]&client_secret=[Insert_Client_Secret]&state=test" https://oauthp2psb.bcbsnc.com/CMSP2PMemberSB/sps/oauth/oauth20/token

State: An optional value that you may use in your app.

Response

{

 "access_token":

"eyJraWQiOiJ3QThGR3hrM3pWa1FrYU9qUW11aWxTTlJGUWp2bHNzaTJna",

 "patient": "2657",

 "scope": "clinical read openid profile",

 "id_token": "eyJraWQiOiJ3QThGR3hrM3pWa1FrYU9qU",

 "token_type": "bearer",

 "expires_in": 86399

}

The response will contain a “Patient ID” that needs to be used as a search criteria for API data requests.

Step 3: Try a sample API

Try this out in Postman:

1. From the Postman app, open a new tab.

2. Paste the Request URL:

With the access token, you can use Curl to make queries as follows:

curl --header "Authorization: Bearer YOUR TOKEN HERE"

https://apiservicessb-ext.bcbsnc.com/fhir/sb/R4/payer-topayer/Patient/<FHIRPatientId>/$everything

NOTE: When a beneficiary is authorizing your application, they will not be presented the choice to select any scope. Only the app has the ability to choose what scope is required when making a request for the token.

3. Click “Send” and see the synthetic beneficiary’s personal health information as a Patient FHIR Resource display under “Body” in Postman.

Step 4: Configure your app to enable connectivity to Blue Cross NC with the following Authorization endpoint and the set of static ClientId and ClientSecret:

Auth URL:

https://oauthp2psb.bcbsnc.com/CMSP2PMemberSB/sps/oauth/oauth20/authorize

Client ID: AJMP7iHHEfegyn2PMzTj

Client Secret: OHBJ8Pl9I2ilDZ5gRY74

Step 5: Accessing Synthetic Data In order to access the full synthetic dataset for an individual synthetic beneficiary, you can do the following:

1. Set up your sandbox application.

Access the authorization url at:

https://oauthp2psb.bcbsnc.com/CMSP2PMemberSB/sps/oauth/oauth20/authorize/

Note: The last backslash is important. Also remember to append ?client_id={yourclient_id assigned to the application you registered}

2. You will be redirected to the Blue Cross authentication screen. DO NOT ACCESS THIS PAGE DIRECTLY.

3. The following test user account can be used for authentication and authorization:

Synthetic Beneficiary Accounts

SubscriberIDMemberCodeFirstNameLastNameDOB Zipcode
YPPJ1269564601BCNCFIRSTTHREEBCNCLASTTHREE06/06/1944 27030

4. Approve access for your application, which will now receive an access token, which can be used in the requests described above.

5. The authorization completes when you are redirected back to the Redirect_URI you specified when you registered your application.

FAQ

Authorization

To use the Blue Cross NC OAuth 2, a developer must register their application.

A registered application is given a client ID and a client secret. The secret should only be used if it can be kept confidential, such as communication between your server and the Blue Cross NC API. Otherwise the Client Application Flow may be used.

NOTE: For sandbox environment, static clientId, clientSecret will be shared. This is registered by Blue Cross team internally with a static redirect URL and will need to be configured by the client in order to initiate authorization request.

Scopes

Access tokens have a scope, which defines what the access token can do and what resources it can access. For our purposes, scopes are primarily utilized to give beneficiaries more granular choice over what data they would like to share with applications. The Blue Cross NC API has implemented a default scope to restrict read & write access to only the clinical resources as defined by HL7:

Clinical/*.*

From the OpenID Connect specification we support:

profile

This gives access to the fhir/sb/R4/payer-to-payer/UserInfo Endpoint.

Our implementation gives apps the ability to choose OpenID scope. 

Example of developer sandbox authorization screen

If the beneficiary declines to share information that your application needs to function, you may display a message explaining why that information is needed and request reauthorization or handle the collection of that information elsewhere within your application.

The default selection when a beneficiary reaches the authorization screen will be to share all data, including demographic data, with your application. If a beneficiary makes a selection as to whether or not they want to share demographic data with your application and later decides they want to change that selection, they'll need to be taken through the authorization flow again to make a different choice from the OAuth screen.

Native Mobile App Support

Native Mobile App Support follows the RFC 8252 - OAuth 2.0 for Native Apps authentication flow utilizing the PKCE extension and enables a custom URI scheme redirect.

The implementation of the RFC 8252 specification enables developers to build mobile applications without requiring a proxy server to route redirect calls to their mobile app.

The PKCE extension provides a technique for public clients to mitigate the threat of a “man-in-the-middle” attack. This involves creating a secret that is used when exchanging the authorization code to obtain an access token.

PKCE uses a code challenge that is derived from a code-verifier. The standard supports two styles of code challenge:

  • plain
  • S256

Redirect_URI

When registering an Application, a redirect URI is required. This is the API endpoint on your system that receives the callback from the Blue Cross NC API after a beneficiary is passed to the Blue Cross NC API to authorize your application.

Web Application Flow

To use this flow, your application should be registered with Client Type set to confidential and Grant Type set to authorization-code.

Core Resources

Base Request URL:

https://apiservicessb-ext.bcbsnc.com/fhir/sb/R4/payer-to-payer 

FHIR Resources:

  • All Clinical resources as defined in DaVinci IG - http://hl7.org/fhir/us/davincipdex/toc.html
    Note : Patient/<FHIRID>/$everything is supported and will need to be used by clients to initiate data request and receive a bundle response. Individual FHIR resources are not supported.

UserInfo:

  • Get User Profile from an Authorization Token.

FHIR Resource Bundle

/fhir/sb/R4/payer-to-payer/Patient/2657/$everything

The above URL returns all of the beneficiary’s clinical records as an FHIR Resource Bundle.

curl --header "Authorization: Bearer AUTHORIZATION TOKEN"
"https://apiservicessb-ext.bcbsnc.com/fhir/sb/R4/payer-topayer/Patient/2657/$everything"

That API call will return a bundle that contains many FHIR resources and is typically thousands of lines long.

{

 "resourceType": "Bundle",

 "id": "989f6d15-43e9-429f-97a5-93de5dc1e89b",

 "meta": {

 "lastUpdated": "2021-11-22T20:24:03.946-05:00"

 },

 "type": "searchset",

 "link": [

 {

 "relation": "self",

 "url": "https://apiservicessb-ext.bcbsnc.com/fhir/sb/R4/payer-topayer/Patient/2657/$everything"

 }

 ],

 "entry": [

 {

 "fullUrl": "https://apiservicessbext.bcbsnc.com/fhir/sb/R4/payer-to-payer/Patient/2657",

 "resource": {

 "resourceType": "Patient",

 "id": "2657",

 "meta": {

 "versionId": "2",

 "lastUpdated": "2021-11-22T14:53:07.885-05:00",

 "source": "#PuvVum8uEowtNfhY",

 "profile": [

 "http://hl7.org/fhir/us/carinbb/StructureDefinition/C4BB-Patient",

 "http://hl7.org/fhir/us/core/StructureDefinition/uscore-patient"

 ]

 },

 "identifier": [

 {

 "type": {

 "coding": [

 {

 "system":

"http://terminology.hl7.org/CodeSystem/v2-0203",

 "code": "MB"

 }

 ]

 },

 "system":

"http://bluecrossnc.com/fhir/memberidentifier",

 "value": "J1269564601"

 }

 ],

 "name": [

 {

 "family": "BCNCLASTTHREE",

 "given": [

 "BCNCFIRSTTHREE"

 ]

 }

 ],

 "gender": "female",

 "birthDate": "1944-06-06",

 "address": [

 {

 "line": [

 "23 WESTERN ST"

 ],

 "city": "MOUNT AIRY",

 "state": "NC",

 "postalCode": "27030"

 }

 ]

 },

 "search": {

 "mode": "match"

 }

 },

 {

 "fullUrl": "https://apiservicessbext.bcbsnc.com/fhir/sb/R4/payer-to-payer/Provenance/4e44a0f0-e723-3f1b-a6dea3f5023630d0",

 "resource": {

 "resourceType": "Provenance",

 "id": "4e44a0f0-e723-3f1b-a6de-a3f5023630d0",

 "meta": {

 "versionId": "1",

 "lastUpdated": "2021-08-04T08:58:05.801-04:00",

 "source": "#sAN2NtgMboFqXbTd",

 "profile": [

 "http://hl7.org/fhir/us/core/StructureDefinition/uscore-provenance"

 ]

 },

 "target": [

 {

 "reference": "Patient/2657",

 "identifier": {

 "type": {

 "coding": [

 {

 "system":

"http://terminology.hl7.org/CodeSystem/v2-0203",

 "code": "MB"

 }

 ]

 },

 "value": "J1269564601"

 }

 },

 {

 "reference": "Condition/26efcfd2-acfb-31bb-b2feb48574ff188f"

 },

 {

 "reference": "Procedure/6dac3a0e-283b-3a37-a1aab98214efa5ef"

 }

 ],

 "recorded": "2018-10-10T00:00:00.000-04:00",

 "agent": [

 {

 "type": {

 "coding": [

 {

 "system":

"http://terminology.hl7.org/CodeSystem/provenance-participant-type",

 "code": "author"

 }

 ]

 },

 "who": {

 "reference": "Organization/BCBSNC"

 }

 }

 ]

 },

 "search": {

 "mode": "match"

 }

 }

 ... this is only a subset of the entire output ...

Get User Profile for an Authorization Token

HTTP GET /connect/userinfo

The UserInfo Endpoint is an OAuth 2.0 Protected Resource. The above URL fetches the fictitious beneficiary’s basic account information given an Authorization Token. This is most often used when creating an account within your application. An HTTP GET is called and the response is returned as JSON.

curl --header "Authorization: Bearer AUTHORIZATION TOKEN"

"https://apiservicessb-ext.bcbsnc.com/v1/connect/userinfo"

{

 "sub": "fflinstone",

 "prefered_username": "fflinstone",

 "given_name": "Fred",

 "family_name:, "Flinstone,

 "name": "Fred Flinstone",

 "email": "pebbles-daddy@example.com",

 "created": "2017-11-28",

 "patient": "123456789",