The MSK Blaze API is organized around REST. Each FHIR resource type currently supports read and basic search capabilities.


In order to make use of Blaze, you’ll need to be set up as an MSK “partner” so that you can consume clinical research data. If you would like to request access to data for a research study at MSK, please send a request to

Authentication is based on the Client Credentials grant. This means that clients will need to generate an access token and supply it in the headers of each request being made. Once you are established as a partner, you’ll be given a client_id and a client_secret, which you will use for generating tokens and using them to make authenticated requests to the server.

Generating Tokens

To generate access tokens, partners need to make a POST request to the appropriate endpoint using their client_id and client_secret:

Base URL (Test)

Base URL (Production)

POST /auth/oauth/v2/token
Content-Type: application/x-www-form-urlencoded


{
    "access_token": "7ef1949a-fab1-4600-89ca-fbeb499ef68f",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "oob"
}

Making Requests

To make requests, include the bearer token you generated in your requests as a part of the Authorization header. Consider the following request for retrieving observations for a research study:


GET /api360/v2/clinical/observations?researchstudy=TEST&category=laboratory&_count=5
Authorization: Bearer {access_token}

Response (some attributes omitted for brevity)

{
    "resourceType": "Bundle",
    "identifier": {
        "system": "",
        "value": "TEST"
    },
    "type": "searchset",
    "total": 20,
    ...
}


All data access is restricted on a per-protocol basis. It is assumed that incoming requests to Blaze always contain a researchstudy parameter, which identifies the research study the client is requesting data for.

Your client_id determines what research studies you have access to at MSK. This information is used in combination with the researchstudy parameter to authorize requests. If a partner has sufficient authority to access protocol data, the request will proceed; otherwise, the partner will get an error message.
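The token and request flow described above, as an added client-side sketch that is not MSK's own code: it caches the bearer token until shortly before expires_in elapses and refuses to build a request without a researchstudy parameter. Assumptions: the base URL is a placeholder (the page's base URLs are not shown), the form field names follow the standard RFC 6749 client credentials request, and BlazeTokenSource, observations_request and http_post_form are hypothetical names.

```python
import json
import time
import urllib.parse
import urllib.request

BASE_URL = "https://blaze.example.invalid"  # placeholder: real base URLs are not on the page
TOKEN_PATH = "/auth/oauth/v2/token"
OBS_PATH = "/api360/v2/clinical/observations"


def http_post_form(url, form):
    """Default transport: POST a urlencoded form and return the decoded JSON body."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class BlazeTokenSource:
    """Caches the bearer token and renews it `skew` seconds before it expires."""

    def __init__(self, client_id, client_secret, post=http_post_form,
                 clock=time.monotonic, skew=60):
        # Assumed field names: the standard RFC 6749 client credentials form.
        self._form = {"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret}
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self):
        if self._token is None or self._clock() >= self._expires_at:
            body = self._post(BASE_URL + TOKEN_PATH, self._form)
            if body.get("token_type", "").lower() != "bearer" or not body.get("access_token"):
                # Do not echo the body in the error: it may contain a token.
                raise ValueError("unexpected token response")
            self._token = body["access_token"]
            self._expires_at = self._clock() + max(0, int(body["expires_in"]) - self._skew)
        return self._token


def observations_request(tokens, **params):
    """Build (url, headers) for an observation search; researchstudy is mandatory."""
    if not params.get("researchstudy"):
        raise ValueError("researchstudy parameter is required")
    url = BASE_URL + OBS_PATH + "?" + urllib.parse.urlencode(params)
    return url, {"Authorization": "Bearer " + tokens.token()}
```

Keep the client_secret out of source control and logs; the post and clock parameters exist so the cache can be exercised offline with a stub transport.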