Authentication

Security, authentication and authorisation

The FGM FHIR R4 API will be hosted on the NHS England API Platform which will provide the necessary Security, Authentication and Authorisation.

In order to be able to make API calls into the FGM FHIR R4 API in a live (or path-to-live) environment, clients first need to go through a digital onboarding process with NHS England.

After completing this onboarding process, the supplier of the calling system will be provided with an API token that identifies the calling system. This token must be presented on every call into the API.

User present access

Unattended access

  • Unattended access is NOT a suitable authentication and authorisation pattern for healthcare applications accessing sensitive data: with no authenticated user behind the call, the user context required for audit and provenance cannot be established.

System and user context in FGM API calls

To support audit and provenance, the information about both the calling system and the authenticated user MUST be available to the FGM FHIR R4 API application.

  • When the FGM FHIR R4 API is called with a current access token representing an authenticated and authorised user, the FGM FHIR R4 API SHALL be able to infer the Practitioner, PractitionerRole and represented Organization details of that user.

Headers

To call the FGM FHIR R4 API, you need to include the following header in your call:

  • Authorization = Bearer [access token]
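The following is an added example, not code from the NHS England FGM FHIR R4 API or the API Platform: a server-side check of the Authorization header described above that rejects a missing or non-Bearer header, verifies the token, refuses a token that carries no authenticated user (the unattended-access pattern ruled out above), and derives the system and user context an audit record needs. The token format (an HS256-signed JWT with a shared secret), the claim names (`sub`, `client_id`, `practitioner`, `practitioner_role`, `organization`, `exp`) and all sample values are assumptions made for the example; the real platform issues and validates its own tokens.

```python
import base64
import hashlib
import hmac
import json
import time


class AuthError(Exception):
    """Raised when a request carries no usable user-present bearer token."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 JWT so the checks below have input.
    Assumption for the example only; the API Platform mints real tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def extract_bearer_token(headers: dict) -> str:
    """Pull the credential out of 'Authorization: Bearer <access token>' (RFC 6750)."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        raise AuthError("missing Authorization header")
    parts = value.strip().split()
    # The scheme is case-insensitive ("bearer" is valid); exactly one credential follows.
    if len(parts) != 2 or parts[0].lower() != "bearer":
        raise AuthError("Authorization header is not 'Bearer <access token>'")
    token = parts[1]
    token68 = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~+/=")
    if not set(token) <= token68:
        raise AuthError("access token contains characters outside RFC 6750 token68")
    return token


def verify_token(token: str, secret: bytes, now=None) -> dict:
    """Check the HS256 signature and expiry and return the claims (assumed format)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers base64, JSON and unpacking failures
        raise AuthError("malformed token") from None
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise AuthError("unexpected token algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise AuthError("bad token signature")
    # Only after the signature holds are the claims trusted.
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise AuthError("token expired")
    return claims


def user_context(headers: dict, secret: bytes, now=None) -> dict:
    """Derive the calling system and user details needed for audit and provenance."""
    claims = verify_token(extract_bearer_token(headers), secret, now)
    # A token without an authenticated user (client-credentials style, i.e. unattended
    # access) is refused: the API needs a Practitioner to attribute the call to.
    if not claims.get("sub") or not claims.get("practitioner"):
        raise AuthError("token does not represent an authenticated user (unattended access)")
    return {
        "calling_system": claims.get("client_id"),
        "user": claims["sub"],
        "practitioner": claims["practitioner"],
        "practitioner_role": claims.get("practitioner_role"),
        "organization": claims.get("organization"),
    }


# Constructed sample data for the example; none of these values are real.
SECRET = b"example-shared-secret-not-real"
FIXED_NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "sub": "user-123", "client_id": "supplier-system-abc",
    "practitioner": "Practitioner/001", "practitioner_role": "PractitionerRole/001",
    "organization": "Organization/RRR", "exp": FIXED_NOW + 3600,
}
UNATTENDED_CLAIMS = {"client_id": "supplier-system-abc", "exp": FIXED_NOW + 3600}


def demo() -> dict:
    """Run the check over a constructed user-present request."""
    headers = {"Authorization": "Bearer " + mint_token(SAMPLE_CLAIMS, SECRET)}
    return user_context(headers, SECRET, now=FIXED_NOW)


if __name__ == "__main__":
    print(demo())
```

The check enforces RFC 6750 syntax before touching the token, pins the signature algorithm rather than trusting the `alg` field, and treats a token with no user subject as a policy failure rather than a parse error, which is how the unattended-access exclusion above becomes something the server can actually enforce.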

See also