CMS Blue Button 2.0 Authorization and UserInfo API
OAuth 2.0 authorization-code flow with mandatory PKCE (S256) that beneficiaries use to grant an app access to their Medicare data via Medicare.gov login, plus the /v2/connect/userinfo endpoint returning the authorized user's OpenID Connect profile. Access tokens last one hour; one-time-use refresh tokens are issued to approved 13-month and research application types.