Sign inDemoInstall


Package Overview
File Explorer

Install Socket

Detect and block malicious and high-risk dependencies



An SDK used for interacting with the CMS Blue Button 2.0 API




Python SDK for Blue Button 2.0 API

This Python software development kit (SDK) provides tools and resources for developers integrating with the CMS Blue Button 2.0 (BB2.0) API.

Table of Contents


You'll need a sandbox account and sample access token to access data from the Blue Button 2.0 API.

To learn how to create a sandbox account and generate a sample access token, see Try the API.


pip install cms-bluebutton-sdk

Configuration Parameters

Required SDK configuration parameters include:

environmentSANDBOX or PRODUCTIONSANDBOXBlue Button 2.0 API environment
version1 or 22Blue Button 2.0 version
client_idyour_client_idOAuth2.0 client ID of your app
client_secretyour_client_secretOAuth2.0 client secret of your app
callback_url callback URL of your app

Access Token Refresh on Expire

SDK FHIR requests check whether the access token is expired before the data endpoint call. By default, an expired token will refresh. To disable token refresh, set token_refresh_on_expire to false.

FHIR Requests Retry Settings

Retry is enabled by default for FHIR requests. The folllowing parameters are available for the exponential back off retry algorithm.

Retry parameterValue (default)Description
backoff_factor5Backoff factor in seconds
total 3Max retries
status_forcelist[500, 502, 503, 504]Error response codes to retry on

The exponential backoff factor (in seconds) is used to calculate interval between retries using the formula backoff_factor * (2 ** (i - 1)) where i starts from 0.


A backoff_factor of 5 seconds generates the wait intervals: 2.5, 5, 10, ...

To disable the retry, set total = 0

Environments and Data

The Blue Button 2.0 API is available in V1 and V2 in a sandbox and production environment.

Version data formats:

  • V1: FHIR STU3
  • V2: FHIR R4

Sample configuration JSON with default version and environment:

  "client_id": "your_client_id",
  "client_secret": "your_client_secret",
  "callback_url": "",

If needed, you can set your application's target environment and API version.


  "client_id": "your_client_id",
  "client_secret": "your_client_secret",
  "callback_url": "",
  "version": "2",
  "environment": "PRODUCTION"

Configuration Methods

There are three ways to configure the SDK when instantiating a BlueButton class instance.

Python Dictionary

- A dictionary of configuration key:value pairs can be used.
- Configuration values can be provided from your own application's configuration method.
- Example code:
  bb = BlueButton({
           "environment": "PRODUCTION",
           "client_id": "your_client_id",
           "client_secret": "your_client_secret",
           "callback_url": "",
           "version": 2,
           "retry_settings": {
               "total": 3,
               "backoff_factor": 5,
               "status_forcelist": [500, 502, 503, 504]

JSON config file

- This is using a configuration file that is in a JSON format.
- This is stored in a local file.
- The default location is in the current working directory with a file name: .bluebutton-config.json
- Example code:
  bb = BlueButton("settings/my_bb2_sdk_conf.json")
- Example JSON in file:
      "environment": "SANDBOX",
      "client_id": "your_client_id",
      "client_secret": "your_client_secret",
      "callback_url": "",
      "version": 2,
      "retry_settings": {
          "total": 3,
          "backoff_factor": 5,
          "status_forcelist": [500, 502, 503, 504]

YAML config file

- This is using a configuration file that is in a YAML format.
- This is stored in a local file.
- The default location is in the current working directory with a file name: .bluebutton-config.yaml
- Example code:
  bb = BlueButton("settings/my_bb2_sdk_conf.yaml")
- Example YAML in file:
  environment: "SANDBOX"
  client_id: "id"
  client_secret: "your_client_secret"
  callback_url: ""
  version: 2

Sample Usage: Obtain Access Grant, Probe Scope, and Access Data

Below are code snippets showing the SDK used with Python server and Flask.

from flask import Flask
from flask import redirect, request
from cms_bluebutton import BlueButton, AuthorizationToken

# initialize the app
app = Flask(__name__)

# Instantiate SDK class instance via conf in file
bb = BlueButton()

# auth_data is saved for the current user
auth_data = bb.generate_auth_data()

AuthorizationToken holds access grant info:
  access token, expire in, expire at, token type, scope, refreh token, etc.
It is associated with current logged in user in real app.
Check SDK python docs for more details.

auth_token = None

# Start authorize flow: Response with URL to redirect to beneficiary login
@app.route("/", methods=["GET"])
def get_auth_url():
    return bb.generate_authorize_url(auth_data)

@app.route('/api/bluebutton/callback/', methods=['GET'])
def authorization_callback():
    request_query = request.args
    code = request_query.get('code')
    state = request_query.get('state')

    auth_token = bb.get_authorization_token(auth_data, code, state)

    Now access token obtained.

    Note: During authorization, the beneficiary can grant
    access to their demographic data and claims data or only claims data.

    Check the scope
    of the current access token as shown below:
    scopes = auth_token.scope

    # iterate scope entries here or check if a permission is in the scope
    if "patient/" in scopes: 
        # patient info access granted

    1. access token scope where demographic info included:
    scope: [
    2. access token scope where demagraphic info not included:
    scope: [
    config = {
        "auth_token": auth_token,
        "params": {},
        "url": "to be overriden"

    result = {}

    # fetch eob, patient, coverage, profile
        eob_data = bb.get_explaination_of_benefit_data(config)
        result['eob_data'] = eob_data['response'].json()
        eob_data = eob_data['response'].json()
        result['eob_data'] = eob_data

        # A FHIR search response can result in a large number of resources. 
        # For example, an EOB search of a beneficiary could return hundreds 
        # of resources. By default, search results are grouped into
        # pages with 10 resources each. For example, 
        # bb.get_explaination_of_benefit_data(config) returns the
        # first page of resources as a FHIR bundle with a link section 
        # of page navigation URLs. Pagination link names include 
        # 'first,' 'last,' 'self,' next,' and 'previous.' 
        # To get all the pages, use bb.get_pages(data, config).
        eob_pages = bb.get_pages(eob_data, config)
        result['eob_pages'] = eob_pages['pages']
        auth_token = eob_pages['auth_token']

        pt_data = bb.get_patient_data(config)
        result['patient_data'] = pt_data['response'].json()

        coverage_data = bb.get_coverage_data(config)
        result['coverage_data'] = coverage_data['response'].json()

        profile_data = bb.get_profile_data(config)
        result['profile_data'] = profile_data['response'].json()
    except Exception as ex:

    return result

if __name__ == '__main__':, host='', port=3001)

Sample App

For a complete Python React sample app, see CMS Blue Button Python Sample App.

About the Blue Button 2.0 API

The Blue Button 2.0 API provides Medicare enrollee claims data to applications using the OAuth2.0 authorization flow. We aim to provide a developer-friendly, standards-based API that enables people with Medicare to connect their claims data to the applications, services, and research programs they trust.


The CMS Blue Button 2.0 Python SDK is licensed under the Creative Commons Zero v1.0 Universal. For more details, see License.


We do our best to keep our SDKs up to date with vulnerability patching and security testing, but you are responsible for your own review and testing before implementation.

To report vulnerabilities, please see the CMS Vulnerability Disclosure Policy and follow the directions for reporting.

Help and Support

Got questions? Need help troubleshooting? Want to propose a new feature? Contact the Blue Button 2.0 team and connect with the community in our Google Group.


Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.


Related posts

SocketSocket SOC 2 Logo


  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap

Stay in touch

Get open source security insights delivered straight into your inbox.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc