Log In
To test out the Blue Cross and Blue Shield of North Carolina (Blue Cross NC) API, you must first generate an authorization code and a sample token that represents a member granting consent.
Below are few details you will need for generating the code:
Client ID: AJMP7iHHEfegyn2PMzTj
Client Secret: OHBJ8Pl9I2ilDZ5gRY74
RedirectURL: https://oidcdebugger.com/debug
Scope:
clinical openID FHIRUser
https://oauthp2psb.bcbsnc.com/CMSP2PMemberSB/sps/oauth/oauth20/authorize?response_type=code&client_id=AJMP7iHHEfegyn2PMzTj&redirect_uri=https://oidcdebugger.com/debug&scope=openid%20read%20profile%20clinical&state=test123
The following test user accounts can be used for authentication and authorization:
| SubscriberID | MemberCode | FirstName | LastName | DOB | Zipcode |
|---|---|---|---|---|---|
| YPPJ12695646 | 01 | BCNCFIRSTTHREE | BCNCLASTTHREE | 06/06/1944 | 27030 |
Access Token URL:
https://oauthp2psb.bcbsnc.com/CMSP2PMemberSB/sps/oauth/oauth20/token
Example using curl syntax:
curl -v -k -H "Content-Type: application/x-www-formurlencoded;charset=UTF-8" -d"grant_type=authorization_code&code=[Insert_Auth_Code]&redirect_uri=[Insert_Redirect_URL]&client_id=[Insert_Client_Id]&client_secret=[Insert_Client_Secret]&state=test" https://oauthp2psb.bcbsnc.com/CMSP2PMemberSB/sps/oauth/oauth20/token
State: An optional value that you may use in your app.
Response
{
"access_token":
"eyJraWQiOiJ3QThGR3hrM3pWa1FrYU9qUW11aWxTTlJGUWp2bHNzaTJna",
"patient": "2657",
"scope": "clinical read openid profile",
"id_token": "eyJraWQiOiJ3QThGR3hrM3pWa1FrYU9qU",
"token_type": "bearer",
"expires_in": 86399
}
The response will contain a “Patient ID” that needs to be used as a search criteria for API data requests.
Try this out in Postman:
With the access token, you can use Curl to make queries as follows:
curl --header "Authorization: Bearer YOUR TOKEN HERE"
https://apiservicessb-ext.bcbsnc.com/fhir/sb/R4/payer-topayer/Patient/<FHIRPatientId>/$everything
NOTE: When a beneficiary is authorizing your application, they will not be presented the choice to select any scope. Only the app has the ability to choose what scope is required when making a request for the token.
Auth URL:
https://oauthp2psb.bcbsnc.com/CMSP2PMemberSB/sps/oauth/oauth20/authorize
Client ID: AJMP7iHHEfegyn2PMzTj
Client Secret: OHBJ8Pl9I2ilDZ5gRY74
Access the authorization url at:
https://oauthp2psb.bcbsnc.com/CMSP2PMemberSB/sps/oauth/oauth20/authorize/
Note: The last backslash is important. Also remember to append ?client_id={yourclient_id assigned to the application you registered}
Synthetic Beneficiary Accounts
| SubscriberID | MemberCode | FirstName | LastName | DOB | Zipcode |
|---|---|---|---|---|---|
| YPPJ12695646 | 01 | BCNCFIRSTTHREE | BCNCLASTTHREE | 06/06/1944 | 27030 |
Authorization
To use the Blue Cross NC OAuth 2, a developer must register their application.
A registered application is given a client ID and a client secret. The secret should only be used if it can be kept confidential, such as communication between your server and the Blue Cross NC API. Otherwise the Client Application Flow may be used.
NOTE: For sandbox environment, static clientId, clientSecret will be shared. This is registered by Blue Cross team internally with a static redirect URL and will need to be configured by the client in order to initiate authorization request.
Scopes
Access tokens have a scope, which defines what the access token can do and what resources it can access. For our purposes, scopes are primarily utilized to give beneficiaries more granular choice over what data they would like to share with applications. The Blue Cross NC API has implemented a default scope to restrict read & write access to only the clinical resources as defined by HL7:
Clinical/*.*
From the OpenID Connect specification we support:
profile
This gives access to the fhir/sb/R4/payer-to-payer/UserInfo Endpoint.
Our implementation gives apps the ability to choose OpenID scope.
If the beneficiary declines to share information that your application needs to function, you may display a message explaining why that information is needed and request reauthorization or handle the collection of that information elsewhere within your application.
The default selection when a beneficiary reaches the authorization screen will be to share all data, including demographic data, with your application. If a beneficiary makes a selection as to whether or not they want to share demographic data with your application and later decides they want to change that selection, they’ll need to be taken through the authorization flow again to make a different choice from the OAuth screen.
Native Mobile App Support
Native Mobile App Support follows the RFC 8252 - OAuth 2.0 for Native Apps authentication flow utilizing the PKCE extension and enables a custom URI scheme redirect.
The implementation of the RFC 8252 specification enables developers to build mobile applications without requiring a proxy server to route redirect calls to their mobile app.
The PKCE extension provides a technique for public clients to mitigate the threat of a “man-in-the-middle” attack. This involves creating a secret that is used when exchanging the authorization code to obtain an access token.
PKCE uses a code challenge that is derived from a code-verifier. The standard supports two styles of code challenge:
Redirect_URI
When registering an Application, a redirect URI is required. This is the API endpoint on your system that receives the callback from the Blue Cross NC API after a beneficiary is passed to the Blue Cross NC API to authorize your application.
Web Application Flow
To use this flow, your application should be registered with Client Type set to confidential and Grant Type set to authorization-code.
Core Resources
Base Request URL:
https://apiservicessb-ext.bcbsnc.com/fhir/sb/R4/payer-to-payer
FHIR Resources:
UserInfo:
FHIR Resource Bundle
/fhir/sb/R4/payer-to-payer/Patient/2657/$everything
The above URL returns all of the beneficiary’s clinical records as an FHIR Resource Bundle.
curl --header "Authorization: Bearer AUTHORIZATION TOKEN"
"https://apiservicessb-ext.bcbsnc.com/fhir/sb/R4/payer-topayer/Patient/2657/$everything"
That API call will return a bundle that contains many FHIR resources and is typically thousands of lines long.
{
"resourceType": "Bundle",
"id": "989f6d15-43e9-429f-97a5-93de5dc1e89b",
"meta": {
"lastUpdated": "2021-11-22T20:24:03.946-05:00"
},
"type": "searchset",
"link": [
{
"relation": "self",
"url": "https://apiservicessb-ext.bcbsnc.com/fhir/sb/R4/payer-topayer/Patient/2657/$everything"
}
],
"entry": [
{
"fullUrl": "https://apiservicessbext.bcbsnc.com/fhir/sb/R4/payer-to-payer/Patient/2657",
"resource": {
"resourceType": "Patient",
"id": "2657",
"meta": {
"versionId": "2",
"lastUpdated": "2021-11-22T14:53:07.885-05:00",
"source": "#PuvVum8uEowtNfhY",
"profile": [
"http://hl7.org/fhir/us/carinbb/StructureDefinition/C4BB-Patient",
"http://hl7.org/fhir/us/core/StructureDefinition/uscore-patient"
]
},
"identifier": [
{
"type": {
"coding": [
{
"system":
"http://terminology.hl7.org/CodeSystem/v2-0203",
"code": "MB"
}
]
},
"system":
"http://bluecrossnc.com/fhir/memberidentifier",
"value": "J1269564601"
}
],
"name": [
{
"family": "BCNCLASTTHREE",
"given": [
"BCNCFIRSTTHREE"
]
}
],
"gender": "female",
"birthDate": "1944-06-06",
"address": [
{
"line": [
"23 WESTERN ST"
],
"city": "MOUNT AIRY",
"state": "NC",
"postalCode": "27030"
}
]
},
"search": {
"mode": "match"
}
},
{
"fullUrl": "https://apiservicessbext.bcbsnc.com/fhir/sb/R4/payer-to-payer/Provenance/4e44a0f0-e723-3f1b-a6dea3f5023630d0",
"resource": {
"resourceType": "Provenance",
"id": "4e44a0f0-e723-3f1b-a6de-a3f5023630d0",
"meta": {
"versionId": "1",
"lastUpdated": "2021-08-04T08:58:05.801-04:00",
"source": "#sAN2NtgMboFqXbTd",
"profile": [
"http://hl7.org/fhir/us/core/StructureDefinition/uscore-provenance"
]
},
"target": [
{
"reference": "Patient/2657",
"identifier": {
"type": {
"coding": [
{
"system":
"http://terminology.hl7.org/CodeSystem/v2-0203",
"code": "MB"
}
]
},
"value": "J1269564601"
}
},
{
"reference": "Condition/26efcfd2-acfb-31bb-b2feb48574ff188f"
},
{
"reference": "Procedure/6dac3a0e-283b-3a37-a1aab98214efa5ef"
}
],
"recorded": "2018-10-10T00:00:00.000-04:00",
"agent": [
{
"type": {
"coding": [
{
"system":
"http://terminology.hl7.org/CodeSystem/provenance-participant-type",
"code": "author"
}
]
},
"who": {
"reference": "Organization/BCBSNC"
}
}
]
},
"search": {
"mode": "match"
}
}
... this is only a subset of the entire output ...
Get User Profile for an Authorization Token
HTTP GET /connect/userinfo
The UserInfo Endpoint is an OAuth 2.0 Protected Resource. The above URL fetches the fictitious beneficiary’s basic account information given an Authorization Token. This is most often used when creating an account within your application. An HTTP GET is called and the response is returned as JSON.
curl --header "Authorization: Bearer AUTHORIZATION TOKEN"
"https://apiservicessb-ext.bcbsnc.com/v1/connect/userinfo"
{
"sub": "fflinstone",
"prefered_username": "fflinstone",
"given_name": "Fred",
"family_name:, "Flinstone,
"name": "Fred Flinstone",
"email": "pebbles-daddy@example.com",
"created": "2017-11-28",
"patient": "123456789",
}
Blue Cross and Blue Shield of North Carolina does not discriminate on the basis of race, color, national origin, sex, age or disability in its health programs and activities. Learn more about our non-discrimination policy and no-cost services available to you.
Information in other languages: Español 中文 Tiếng Việt 한국어 Français العَرَبِيَّة Hmoob ру́сский Tagalog ગુજરાતી ភាសាខ្មែរ Deutsch हिन्दी ລາວ 日本語
© 2025 Blue Cross and Blue Shield of North Carolina. ®, SM Marks of the Blue Cross and Blue Shield Association, an association of independent Blue Cross and Blue Shield plans. All other marks and names are property of their respective owners. Blue Cross and Blue Shield of North Carolina is an independent licensee of the Blue Cross and Blue Shield Association.