Receiving P2P Data

How payers receive member Payer2Payer data from our payer customers' P2P Send APIs

1. Register in 1up Dev Console

  1. Create a Developer Account using our Developer Portal, following the steps here (if you haven't already done so).
  2. Create an application with your app's redirect_uris (where the authorization code will be sent after the user authorizes their health plan data to be shared with your app) and securely save your client ID and secret. If you have multiple redirect_uris, you can enter them in a comma-separated list, as in the example below. Note: you may not use a localhost redirect with our PROD environments, but you can in our sandbox while testing and developing.
     http://redirect1/callback,http://redirect2/callback,http://redirect3/callback

2. Submit Evidence for being a Payer

We will need to verify you as a member of a health insurance organization before granting access to our Payer 2 Payer APIs.
To do this, you must send an email from your company email address to payer2payer@, [email protected] with the following information:
  • Your Name
  • Your Health Insurance company name
  • Link to your payer company website
  • On the email please cc the executive business sponsor for the Payer2Payer project (e.g., CIO) from the payer organization. We will ask them to verify the request is on behalf of their payer organization
We will review your information and ask any additional follow up questions as needed.

3. Test with our Sandbox

After following the steps above, we will sync your app credentials with our Demo Health Plan Environment.

Step 1: User Authorization to receive an OAuth 2 code

Your application will use a stand_alone launch and directly hit our authorization server endpoint. When you hit this endpoint, you will need to include the following query parameters.
  • client_id: This must contain the client_id of the application you previously registered in the 1upHealth developer console.
  • redirect_uri: This must contain the redirect_uri you registered with your application.
  • state: If you choose to pass a state with the request, the authorization server will simply return it as a query string parameter when redirecting to your application. This parameter is not required but it is recommended that it is used to confirm the validity of a session. See more here.
Here is a sample request to our Demo Health Plan endpoint with variables that you need to fill in: {your_app_client_id}&state={state}&redirect_uri={your_app_redirect_uri}
When you arrive at the authorization page the user will need to verify their identity through their email. To test in our 1up Demo Health Plan environment, enter the following information:
  1. Click "Create an account"
  2. Enter the following information for one of our synthetic users loaded to our sandbox environment:
Test Member 1
First Name
Last Name
Member ID
Postal Code
  3. Enter your own email to be temporarily associated with the test user above.
  4. At the end of the authorization process, the user will be sent back to the redirect_uri you registered with your application client ID and included as a URL parameter above, with the OAuth 2.0 authorization code passed back as a query parameter. This authorization code expires in 5 minutes.
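One way to handle the state parameter and the returned code on the receiving side, as an added example that is not 1upHealth's own code. The authorization endpoint URL is a placeholder, `session` stands for your framework's per-user session store, and treating loopback IPs as localhost is an assumption.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder (assumption): the real authorization endpoint is not shown here.
AUTHORIZE_ENDPOINT = "https://auth.example.invalid/authorize"


def redirect_allowed(redirect_uri, production):
    """Localhost redirects are for sandbox use only (loopback IPs assumed to count)."""
    host = urlparse(redirect_uri).hostname or ""
    return not (production and host in ("localhost", "127.0.0.1", "::1"))


def begin_authorization(session, client_id, redirect_uri, production=False):
    """Bind a fresh, unguessable state to this user's session and build the URL."""
    if not redirect_allowed(redirect_uri, production):
        raise ValueError("localhost redirect_uri is not allowed in production")
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({"client_id": client_id, "state": state,
                       "redirect_uri": redirect_uri})
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def handle_callback(session, callback_url):
    """Return the authorization code only if the callback belongs to this session."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replay finds nothing
    returned = params.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise ValueError("state missing or does not match this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]  # exchange promptly: the page says it expires in 5 minutes


if __name__ == "__main__":
    # Constructed values for illustration only.
    sess = {}
    url = begin_authorization(sess, "demo-client-id", "http://localhost:3000/callback")
    state = parse_qs(urlparse(url).query)["state"][0]
    callback = "http://localhost:3000/callback?" + urlencode({"code": "demo-code", "state": state})
    print(handle_callback(sess, callback))
```

Because the stored state is removed on first use, a callback URL that is replayed or delivered to a different session is rejected before any token exchange is attempted.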

Step 2: Exchange Code for Token

You will receive an authorization code in the response from above which you can exchange for an OAuth 2 access token using our endpoint. This authorization code expires in 5 minutes. Below is a sample request where you will need to fill in your app details.
Here is a Postman collection with the APIs to exchange the OAuth 2 code for a token, and use that token to query FHIR resources:
Run in Postman
curl --location --request POST '' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id={your_client_id}' \
--data-urlencode 'client_secret={your_client_secret}' \
--data-urlencode 'code={code_received_above}' \
--data-urlencode 'grant_type=authorization_code'

Step 3: Query FHIR Resources Using Token

After receiving an access_token in Step 2, you can now use that Token to query FHIR resources you have the scopes and permissions to access (read-only).
curl --location --request GET '' \
--header 'Authorization: Bearer {access_token_from_above}'
The following resources will typically be available:
  • Patient
  • Subset of Clinical Resources if available (e.g. Encounter, AllergyIntolerance, MedicationRequest, etc.). This varies from payer to payer
Resources will adhere to the following FHIR Implementation Guides:
These non-clinical resources will NOT be shared:
  • ExplanationOfBenefit
  • Coverage
  • Claim
  • ClaimResponse

4. Request Production Access

Once you've successfully tested with our Demo Health Plan sandbox environment following the steps above, you will need to do the following to request production access:
  1. Submit screenshots or a screen recording of your app connecting to our Demo Health Plan environment to cms-prod-access @ [email protected]
  2. We will review your information and request, and either approve it or ask for changes or clarifications.
  3. Upon approval, your API keys (and redirect URIs) will be synced with our CMS health plan customer environments. Note: you may not use a localhost redirect with our PROD environments, but you can in our sandbox while testing and developing.

5. Integrate with our P2P Send APIs

Upon completion of steps 1 through 4 above, we will provide you with the payer2payer endpoints for our payer customers. You will follow a similar process to the sandbox process above, with only the specific URLs changing per customer.