Register your application in the Cerner code developer portal (code.cerner.com) to obtain a client_id and configure your redirect URIs and SMART scopes.
Retrieve the SMART configuration from {tenant-base-url}/.well-known/smart-configuration to get the authorization and token endpoint URLs for the target tenant.
Perform the SMART on FHIR authorization code flow using the client_id; Cerner supports both patient-facing and provider-facing (EHR launch) flows.
For system access (backend services), use the Cerner system account credentials flow: register a system account, then request tokens using client credentials with a signed JWT.
Use the returned access token to call FHIR R4 endpoints such as {tenant-base-url}/Patient, following Cerner's supported resource list in the CapabilityStatement.
Test against the Cerner open sandbox (open.fhir.cerner.com) which requires no authentication, before moving to an authenticated tenant environment.
Known gotchas
Cerner's open sandbox and authenticated sandboxes use different base URLs and data sets; do not conflate them—the open sandbox has no auth requirement and is not representative of production data access.
Each healthcare organization deploying Cerner Millennium has its own tenant URL and may have customized which FHIR resources and search parameters are enabled; always fetch the CapabilityStatement for the specific tenant.
Cerner enforces strict scope requirements; requesting unsupported or overly broad scopes will result in authorization failure rather than a graceful downgrade.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp