The CareFirst API Platform is following industry-standard protocols to expose CareFirst API(s) using the REST/JSON and OAuth 2.0 security protocols. API stands for Application Programming Interface, which is a software intermediary that allows two applications to talk to each other.

Developers need to register their application in the sandbox to start building and testing their application. Once the application is tested in the sandbox with non-production data, the developer can promote the configuration to production and request approval. CareFirst will approve the application to connect to the production environment.

CareFirst has multiple plans like CHPCDC, CHPMD, etc. Documentation and API(s) use lines of businesses (LOB) terms. Please refer to the additional information section for more details.

CareFirst APIs are secured using the OAuth 2.0 security protocol, which is the industry-standard for applications to integrate APIs. OAuth 2.0 is an authorization framework that allows applications to obtain limited access to user information via APIs.

Additionally, all consumer applications must include an HTTP header (x-api-subscription-key) with a valid subscription key assigned to their application.

CareFirst uses OAuth 2.0 protocols for authentication since APIs exchange members' protected health information with third-party applications upon authorization from the member. To access CareFirst's APIs in the sandbox, your application needs to use the Authorization Code grant type.

OAuth Grant Types

Authorization Code

The Authorization Code grant type is used by web and mobile apps. It is used by both web apps and native apps to obtain an access token after a user authorizes an application. Below are very high-level steps:

• The application opens a browser to send the user to the OAuth server.
• The user authenticates and grants the application access.
• The user is redirected back to the application with an authorization code.
• The application requests an access token from the OAuth server by presenting the authorization code.

Client Credentials

This flow is useful when the party that requires access to an API is a machine. This is a machine-to-machine authorization flow. In this case, the client is the resource owner, and no end-user authorization is required. An example is a CRON job as a client calling an API to do some function.

Developers can register themselves in the API Marketplace as either an Individual Developer or a Company Developer. Company registration includes various types of healthcare organizations such as payers, brokers, and partners.

Note: This registration process is only for external developers. If you are an Internal CareFirst Developer, you can access the API Marketplace directly using Single Sign-On (SSO) with your CareFirst credentials.

Click the Register button located at the top-right corner of the API Marketplace. You will be redirected to the registration page, where you must select the appropriate developer type from the option below:

• Healthcare Individual Developer

Developers or technical account representatives from external health insurance entities who seek to innovate the healthcare industry by creating applications that allow patients to access their data from CareFirst.

Step 1: Developer Information

After selecting a developer type, you will be redirected to the Developer Information page. A multi-step form will appear, and you must complete all required fields to proceed with registration.

In this step, provide the details of the primary point of contact for your organization. This individual will be responsible for managing communication and coordination related to your application.

Required Fields:

• First Name*

Example: John

Enter the first name of the contact person.

• Last Name*

Example: Doe

Enter the last name of the contact person.

• Account Email*

Example: john.doe@caretechsolutions.com

Enter the official email address of the contact. This will be used for all formal communications.

• From Company*

Example: CareTech Solutions

Enter the name of the company or organization the primary contact represents.

• Phone Number*

Example: +1 (410) 555-7890

Provide a direct phone number where the primary contact can be reached during business hours.

Select the checkbox to agree to the following:

By providing my wireless phone number, I agree and acknowledge that CareFirst may send text messages to my wireless phone number for OTP Authentication. Message and data rates may apply.

Once all fields are completed, click the Next button to proceed to the next step.

To return to the previous page, click the Back button.

Step 2: Confirm Phone Number

This step ensures that the phone number provided is valid and accessible, as it will be used for authentication and important system communications.

A 6-digit security code has been sent to your email.
Please check your messages and enter the code below.

Note: The code will expire after 3 minutes or if you request a new one.

Once all fields are completed, click the Next button to proceed to the next step.

To return to the previous page, click the Back button.

You may also click the Resend OTP button if you did not receive the code, and the Verify button to confirm the entered code.

Step 3: Confirm Email Address

A 6-digit security code has been sent to your email.
Please check your messages and enter the code below.

Note: The code will expire after 3 minutes or if you request a new one.

This step ensures that the email address provided is valid and accessible, as it will be used for authentication and important system communications.

Once all fields are completed, click the Next button to proceed to the next step.

To return to the previous page, click the Back button.

You may also click the Resend OTP button if you did not receive the code, and the Verify button to confirm the entered code.

Step 4: Set Password

In this step, you will create a secure password for your account. This password, along with your registered email address, will be used to log in to the API Marketplace.

Required Fields:

• Password*:

Example: P@ssw0rd!23

Create a strong password that meets security requirements. It should include a combination of uppercase and lowercase letters, numbers, and special characters.

• Set Password*

Example: P@ssw0rd!23

Re-enter the same password to confirm it matches. This ensures there are no typos or mismatches.

Once all fields are completed, click the Next button to proceed to the next step.

To return to the previous page, click the Back button.

Step 5: Terms of Use

Required Fields:

In this step, you are required to review and accept the Terms of Use before completing your registration.

These Terms of Use (Agreement) apply to your use of any CareFirst materials or services for which you have been or may be granted access.

Select the checkbox to confirm your agreement and click the Submit button to proceed to the confirmation page.

To return to the previous page, click the Back button.

After clicking the Submit button, the user will be redirected to a confirmation page.

Click on the Log In button from the Menu bar.

Enter your registered email address and click Continue.

You will receive an OTP (One-Time Password) code sent to your account email. Enter this OTP code and click Verify.

Upon successful OTP verification, you will be prompted to enter your password.

After entering your password, you will be logged in as a developer and can access the API Marketplace.

Note: If you don't receive the code, please check your spam folder or request a new one.

Follow the steps below to register a new application in the API Marketplace.

Step 1: Accessing the API Marketplace

To begin the application registration process, the user must log in as either an External Developer or an Internal Developer.

Once logged in, navigate to My Workspace, located at the top-right corner of the portal. Under My Workspace, select the Manage Application option.

Clicking on Manage Application will redirect the user to the application management page. On this page, at the bottom, the user will find a New App Registration button. Clicking this button initiates the creation of a new application.

Step 2: After clicking New App Registration, a multi-step form will appear. The user must complete all steps to successfully register the application.

Completing the Registration Form.

Application Details

In this step, provide the following required information:

• Application Component Name

Example: CFClaimsViewer

Enter the display name of the application component.

• Application Component Description

Example: A web-based tool for viewing and managing healthcare claims data.

Provide a detailed description of the application component.

• Business Purpose*

Example: This application allows providers to access CareFirst APIs to retrieve patient claims data for billing and reconciliation.

Clearly explain the business purpose and use case for the application. Include why access to CareFirst APIs is required and how the application will utilize them.

• Application URL*

Example (External): https://example.com

Example (Internal): https://www.carefirst.com

Provide the primary URL where the application is hosted. This should be the main address users will visit to access the application.

Note: For internal users, use https://www.carefirst.com as a placeholder if an external-facing URL is not applicable.

• Outbound IPs

Example: 192.168.1.10, 192.168.1.11

List the public outbound IP addresses that the application will use to connect to CareFirst APIs. These IPs are required for whitelisting if the application operates outside the CareFirst network.

• Attestation Certificates URL

Example: https://example.com/certs

Provide the URL where the application's attestation certificates can be accessed.

• App Logo URL

Example: https://example.com/logo.png

Provide the URL for the application's logo.

• Privacy Policy URL

Example: https://example.com/privacy

Enter link to the application's privacy policy.

• Terms of Use URL

Example: https://example.com/terms

Enter link to the application's terms of use.

Once all fields are completed, click the Continue button to proceed to the next step.

Step 3: Security Scheme

In this step, provide the following required information to define how your application will securely interact with our APIs:

• Client App Security Type

Example: OAuth 2.0

Select the authentication method your application will use. We recommend OAuth 2.0 for most applications, as it offers enterprise-grade security and is the standard protocol supported by our platform. If you select OAuth 2.0, additional fields such as Application Type and Response Type will appear.
Alternatively, you may choose API Key authentication.

Note: API Key authentication is limited to a small set of low-risk APIs and requires explicit approval. Due to the manual approval process, API Key requests may take longer to process.

• Application Type

Example: Server-based Web App

Choose the type of application you are building:

• System-to-System Apps - Designed for server-to-server communication.
• Server-based Web Apps - Applications that run on your server with backend logic.
• SPA Apps - Single-page applications that run entirely in the browser.
• Response Type

Example: code

This field will appear based on your selected authentication method.

Once all fields are completed, click the Continue button to proceed to the next step.

Step 4: Support Contact Information

In this step, provide the following contact details to ensure proper communication and support:

• Support Distribution Email

Example:support@example.com

Enter the email address that will receive notifications and important updates related to your application. Additionally, this email will be used to communicate credential and certification expiration/renewal notices.

• US Support Contact Phone Number

Example:+1 (800) 555-1234

Provide a U.S.-based phone number where our support team can reach the primary contact for your application.

Once all fields are completed, click the Continue button to proceed.

Step 5: Review and Submit

Carefully review all the information you've entered throughout the registration process.

• To make changes, use the Back button.
• If everything is accurate, click Submit to complete the registration.

Step 6: Confirmation

After submission, a confirmation message will appear indicating that your application registration is complete.

If an error occurs, please contact Customer Support for assistance.

Post-Approval Access

Once your application is approved for the specified API(s), it will be available for testing and development.

• External Developers will have access to the Sandbox environment.
• Internal Developers will see all available environments, including deva, sita, uat, pit, and prod.

Important:
After successfully creating an application, users must add the required APIs by navigating to Manage APIs.
Creating an application alone is not sufficient—APIs must be explicitly added to enable functionality.

On the View Application page, users can:

• View the application details along with the associated APIs.
• Access the Promote Application button, located at the bottom of the page.

If the user wishes to promote the application to a higher environment, they can do so from this page.

• If the application has not yet been Promoted to the target environment, both the application and its associated APIs will be deployed.
• If the application is already promoted, only the APIs will be deployed.

After registration, users can update specific fields using the Edit Application option. This allows for modifications to selected values without needing to recreate the application.

This page allows users to manage their credentials.

When renewing credentials, always ensure your applications are using the alternate key before proceeding to avoid service interruption. Renew keys regularly and immediately if compromised.

Primary Credential

• Primary Subscription Key

Example: sub-key-abc123xyz

Users can toggle the visibility of the Primary Subscription Key using the eye icon in the field. A Renew button is available on the right side, allowing users to renew the key.

• Client ID

Example: client-id-987654321

Users can toggle the visibility of the Client ID using the eye icon in the field.

• Primary Client Secret

Example: secret-key-xyz987abc

Users can toggle the visibility of the Primary Client Secret using the eye icon in the field. A Renew button is available on the right side, allowing users to renew the secret.

• Expiring On

Example: 2025-12-31

Displays the expiration date of the Primary Client Secret.

• Scope

Example:scope value

Displays the scope value associated with the credentials.

Secondary Credential

• Secondary Subscription Key

Example: sub-key-abc123xyz

Users can toggle the visibility of the Primary Subscription Key using the eye icon in the field. A Renew button is available on the right side, allowing users to renew the key.

• Client ID

Example: client-id-987654321

Users can toggle the visibility of the Client ID using the eye icon in the field.

• Secondary Client Secret

Example: secret-key-xyz987abc

Users can toggle the visibility of the Secondary Client Secret using the eye icon in the field. A Renew button is available on the right side, allowing users to renew the secret.

• Expiring On

Example: 2025-12-31

Displays the expiration date of the Secondary Client Secret.

• Scope

Example:scope value

Displays the scope value associated with the credentials.

This page allows users to view and manage all available APIs.

At the bottom of the page, users will find an Add/Remove API(s) button. Clicking this button redirects the user to another page where they can add or remove APIs for a specific application.

On the redirected page, users can utilize filter options such as Filter By and API Type to narrow down the list of APIs based on their preferences.

• Filter By

Example: API Name, Environment, Status

• API Type

Example: FHIR, REST, GraphQL

To get your application approved, you need to submit a request through the Contact Us form with the subject "Application Approval Request."

Once your application has been registered, approved in the sandbox, and you have received valid credentials, you can utilize the Authorization code grant type to access the APIs through your application or tools such as Postman. It's important to conduct comprehensive testing in the sandbox environment before promoting your application to production.

Please refer to the additional information section for more details about different endpoints and test data with respect to different lines of business or plans.

Authorization URI example. Please refer to the additional information section for LOB/plan specific endpoints.

https://idp-pit.carefirst.com/fhir-oauth2/sec/{{LOB}}/authorize?aud=testaud&redirect_uri=http://localhost:8080&state=qwertyuop&scope=openid&client_id={{client_id}}&response_type=code

The following parameter values need to be changed:

• Replace {{LOB}} with the LOB name you plan to test. Please refer to the additional information section for the LOB name.
• Replace {{client_id}} with your application client ID.
• redirect_uri
• scopes
• state
• aud

On a successful call, you should have the authorization code in your redirect URI.

After receiving the application credentials and the authorization code, send a POST request against the Access Token endpoint using the URL, headers, and body content below. Please refer to the additional information section for LOB/plan specific endpoints.

URL

POST https://idp-pit.carefirst.com/fhir-oauth2/pub/{{lob}}/token

Headers

Body

Once your application has been registered, approved in the sandbox, and you have received valid credentials, you can utilize the Client Credentials grant type to access the APIs through your application or tools such as Postman. It's important to conduct comprehensive testing in the sandbox environment before promoting your application to production.

Once you have received the application credentials, please proceed to send an HTTP POST request to the access token endpoint. Ensure to include the specified parameters in the HTTP body.

Headers

Body

Before moving to production, ensure your application has been thoroughly tested in the sandbox environment with all required APIs and functionality.

Once testing is complete, you can promote your application to production by following the steps outlined in the Promote application to production section.

After successful promotion and CareFirst approval, you can begin calling CareFirst APIs in the production environment using your production credentials.

Important: Production APIs handle live data and require proper approval before access is granted. Make sure your application meets all security and compliance requirements.

This section provides comprehensive information about CareFirst APIs, organized into two categories:

CareFirst Line of Businesses implementing CMS Interoperability mandate

CMS Interoperability mandate API(s) implemented by LOB(s)

Credentials of test users in sandbox for testing Patient Access API

Sandbox Well-Known /Smart Configuration Patient Access API Endpoints

Sandbox Patient Access API Endpoints

Sandbox Well-Known /Smart Configuration Payer Access API Endpoints

Sandbox Payer Access API Endpoints

Sandbox Well-Known /Smart Configuration Provider Directory API Endpoints

Sandbox Provider Directory API Endpoints

Production Well-Known/Smart Configuration for Patient Access API Endpoints

Production Patient Access API Endpoints

Production Well-Known/Smart Configuration Payer Access API Endpoints

Production Payer Access API Endpoints

Production Provider Directory API Endpoints

The following tables provide configuration details for different personas and environments available in the CareFirst API platform. Use the appropriate URLs and scopes based on your persona and target environment:

Internal Developers

Internal developers have access to all development, testing, and production environments with comprehensive API access and scopes.

External Developers

External developers have limited access to sandbox and production environments.

Important Notes:

• Scope Values: The scope values provided above are current as of this documentation. Always check your application's credentials page for the most up-to-date scope values, as these may change over time.

You may get help by using the FAQ, Contact Us, and Documentation pages from the Help Center.

If you have a question or need additional assistance, please reach out to our team by using the Contact Us form located in the Help Center.