CMS Blue Button 2.0 · Rate Limits

Cms Blue Button Rate Limits

CMS does not publish fixed numeric request-rate limits for the Blue Button 2.0 API. Consumption is naturally bounded by the access model - every access token is scoped to a single beneficiary who authorized the app via Medicare.gov, access tokens expire after one hour, and refresh tokens are one-time-use and only issued to approved 13-month and research application types. Result volume per request is governed by FHIR paging (_count and startIndex) rather than a documented throttle ceiling.

Cms Blue Button Rate Limits is the machine-readable rate-limit profile for CMS Blue Button 2.0 on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 5 rate-limit definitions, measuring requests, time, uses, patients, and records.

The profile also includes 3 backoff/retry policies defined and response codes documented for throttled.

Tagged areas include Blue Button, CARIN, Medicare, FHIR, and Claims Data.

5 Limits Throttle: 429
Blue ButtonCARINMedicareFHIRClaims DataRate LimitingQuotas

Limits

API Request Rate application
requests
not published
No fixed numeric request-rate limit is documented for sandbox or production.
Access Token Lifetime token
time
1 hour
Access tokens expire after one hour; apps must re-authorize or use a refresh token.
Refresh Token Use token
uses
1 (one-time use)
Refresh tokens are single-use and only issued to approved 13-month and research application types; reuse returns invalid_grant.
Beneficiary Scope token
patients
1 per authorization
Each token reaches exactly one beneficiary's data; there is no bulk access through Blue Button 2.0.
Result Page Size request
records
configurable via _count
Bundles are paged with _count and startIndex; large EOB histories should be paged rather than pulled in one request.

Policies

Incremental Polling
Use the _lastUpdated search parameter to fetch only records changed since the previous pull instead of re-reading full claim histories.
Backoff Strategy
Implement exponential backoff with jitter and honor Retry-After on 429 or 5xx responses.
Consent Revocation
Beneficiaries can revoke an app's access at any time via Medicare.gov; apps must handle invalidated tokens gracefully.

Sources