[DRAFT] GP Connect (Patient Facing) Access Record - FHIR API

This guidance is under active development by NHS Digital and content may be added or updated on a regular basis.

Access

This API is user-restricted, meaning an end user must be present and authenticated to use it.

The end user must be:

The API uses OpenID Connect to authenticate the end user and OAuth 2.0 to authorise the calling system. It supports the following security pattern using NHS login:

Gaining access

There are a number of measures in place to control access to the patient facing services (PFS) APIs when they are accessed through the API management platform (APIM).

  1. The client application (for example, the NHS App) must be registered and assured with NHS login. This allows the client app to use NHS login for patient identity and to acquire an ID token during the login process.
  2. The client application must be registered with the APIM platform.
  3. The client application must be known to and assured by the GP system.
  4. The patient must have high-level identity verification (P9) on their NHS login account.
  5. The patient must be registered on the GP system they are associated with in the Personal Demographics Service (PDS), accessed via the PDS FHIR API.

Patients are identified in requests to the GP system through an NHS login ID token. Requests to the GP system made through APIM go through a process called token exchange, in which the ID token is presented to APIM and exchanged for an access token that is then used to call the API.
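The following is an added example, not NHS Digital's own code, showing how a calling system can enforce the prerequisites above before attempting token exchange: it checks the NHS login ID token claims (issuer, audience, expiry, P9 verification, NHS number present) and shapes the token exchange request. The claim names `identity_proofing_level` and `nhs_number`, the issuer value, and the RFC 8693 token exchange shape with a JWT client assertion are assumptions, not details given on this page; signature verification of the ID token against NHS login's published keys is assumed to have been done before these checks.

```python
# Added example (not NHS Digital's code): gate a GP Connect PFS call on the
# NHS login ID token claims and shape the APIM token-exchange request.
# Assumptions (not stated on the page): the ID token carries the claims
# "identity_proofing_level" (P0/P5/P9) and "nhs_number"; APIM token exchange
# follows RFC 8693 with a JWT client assertion. The token's signature is
# assumed to have been verified against NHS login's JWKS before this runs.
import time

NHS_LOGIN_ISSUER = "https://auth.login.nhs.uk"  # assumed issuer value
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"
JWT_BEARER_ASSERTION = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def check_id_token_claims(claims, client_id, now=None):
    """Return (ok, reason). Enforces the page's prerequisites: the token was
    issued to this client, is still valid, and the patient is verified to P9."""
    now = time.time() if now is None else now
    if claims.get("iss") != NHS_LOGIN_ISSUER:
        return False, "unexpected issuer"
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        return False, "token not issued to this client"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("identity_proofing_level") != "P9":
        return False, "patient not verified to P9"
    if not claims.get("nhs_number"):
        return False, "no NHS number in token"
    return True, "ok"


def build_token_exchange_request(id_token, client_assertion):
    """Form body for the APIM token endpoint (RFC 8693 shape, assumed):
    the ID token is the subject token, the signed JWT identifies the client."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token_type": ID_TOKEN_TYPE,
        "subject_token": id_token,
        "client_assertion_type": JWT_BEARER_ASSERTION,
        "client_assertion": client_assertion,
    }


# Constructed sample claims for illustration only (not a real patient).
SAMPLE_CLAIMS = {
    "iss": NHS_LOGIN_ISSUER, "aud": "nhs-app-client", "exp": 2_000_000_000,
    "identity_proofing_level": "P9", "nhs_number": "9000000009",
}
```

A token that fails any check should be rejected before token exchange is attempted, and the reason logged for the calling system's audit trail.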
