[DRAFT] GP Connect (Patient Facing) User Permissions API

This guidance is under active development by NHS Digital and content may be added or updated on a regular basis.

API access

There are three ways an API consumer may access the GP system supplier's APIs. They differ in the identity provider used and the routing to the API:

  1. Use NHS login for identity and route API requests through APIM.
  2. Use NHS login for identity and make API requests directly against the GP system's APIs.
  3. Use another trusted identity provider and make API requests directly against the GP system's APIs.

[Figure: API access approaches]

Option 1 (using NHS login and routing requests through APIM) is fully supported by NHS England and is the minimum that GP system suppliers must make available and support for consumers of the APIs. It provides the following benefits:

  • central oversight and standards provided by NHS England
  • visibility and metrics for NHS England
  • suppliers can draw on NHS England's expertise for troubleshooting and for handling security issues
  • low burden for consumers: there is no need to know which GP system is being called, as routing is handled by NHS England
  • low burden for the GP supplier: only a single origin (APIM) needs to be trusted, the APIs do not need to be open to the world, and the supplier can rely on the third-party accreditation process used by NHS login
  • NHS England provides the first line of defence against abuse and misuse, reducing the burden on the supplier to a minimum

Options 2 and 3 are currently out of scope for this guide and are listed to highlight how consumers and GP supplier systems can interact without NHS England being involved. Providing alternative mechanisms for accessing the APIs helps to encourage experimentation and innovation.

Token exchange

Token exchange takes place within APIM. The client application (for example, the NHS App) includes the patient's NHS login ID token in its request to the API, which is proxied through APIM. APIM uses the ID token to acquire an access token for the GP system, and then uses that access token in the subsequent requests it makes to the GP system on the patient's behalf.

The provider (the GP system supplier) must expose an OAuth 2.0 service to handle these authentication and authorisation requests.

The NHS login ID token and the APIM access token both have a 60 minute validity period. Once a token has expired, a new one is obtained using the standard OAuth 2.0 refresh token flow.
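The exchange described in this section, as an added worked example (illustrative code written for this page, not NHS England, NHS login or GP system supplier code). It simulates all three parties offline: a client presenting an NHS login ID token; APIM validating that token, exchanging it at the provider's OAuth 2.0 token endpoint for a GP system access token, reusing that access token for subsequent requests, and renewing it through the refresh token flow once the 60 minute validity lapses; and the GP system verifying each access token it receives. Every URL, key, client ID and the NHS number is constructed for the example; HS256 stands in for the asymmetric signatures a real deployment would verify against each issuer's published JWKS; and the RFC 8693 token exchange grant type is an assumption, since this page does not say which grant the provider's OAuth 2.0 service uses.

```python
# Added illustration, not NHS England or GP supplier code: every URL, key, client ID and NHS
# number is constructed; HS256 stands in for the asymmetric signatures a real deployment checks
# against each issuer's JWKS; the RFC 8693 token-exchange grant is an assumed provider choice.
import base64, hashlib, hmac, json, secrets
TOKEN_TTL = 60 * 60  # NHS login ID token and GP access token both live 60 minutes
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"
NHS_LOGIN_KEY, GP_SYSTEM_KEY = b"nhs-login-demo-key", b"gp-system-demo-key"
NHS_LOGIN_ISS, NHS_APP_CLIENT = "https://nhs-login.example", "nhs-app-client"
GP_ISS, GP_AUD = "https://gp-system.example/oauth", "gp-system-api"

def _b64url(data: bytes) -> str: return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(text: str) -> bytes: return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes, iss: str, aud: str, now: int) -> dict:
    """Raise ValueError on a malformed token, bad signature, wrong iss/aud or expiry."""
    header, body, sig = token.split(".")  # ValueError unless exactly three parts
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != iss or claims.get("aud") != aud:
        raise ValueError("wrong issuer or audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims

def nhs_login_issue_id_token(nhs_number: str, now: int) -> str:  # simulated NHS login
    return sign_jwt({"iss": NHS_LOGIN_ISS, "aud": NHS_APP_CLIENT, "sub": nhs_number, "iat": now, "exp": now + TOKEN_TTL}, NHS_LOGIN_KEY)

class GpSystem:  # simulated GP system: OAuth 2.0 token endpoint plus the patient-facing API
    def __init__(self) -> None:
        self.refresh_tokens, self.grants = {}, []  # refresh token -> patient; grant types seen

    def _issue(self, sub: str, now: int) -> dict:
        access = sign_jwt({"iss": GP_ISS, "aud": GP_AUD, "sub": sub,
                           "iat": now, "exp": now + TOKEN_TTL}, GP_SYSTEM_KEY)
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = sub
        return {"access_token": access, "token_type": "Bearer", "expires_in": TOKEN_TTL, "refresh_token": refresh}

    def token_endpoint(self, req: dict, now: int) -> dict:
        self.grants.append(grant := req.get("grant_type"))
        if grant == TOKEN_EXCHANGE and req.get("subject_token_type") == ID_TOKEN_TYPE:
            try:  # verify the ID token here too rather than trusting APIM alone
                sub = verify_jwt(req["subject_token"], NHS_LOGIN_KEY, NHS_LOGIN_ISS, NHS_APP_CLIENT, now)["sub"]
            except ValueError as exc:
                return {"error": "invalid_grant", "error_description": str(exc)}
            return self._issue(sub, now)
        if grant == "refresh_token":  # single use: a replayed refresh token is rejected
            sub = self.refresh_tokens.pop(req.get("refresh_token", ""), None)
            return self._issue(sub, now) if sub else {"error": "invalid_grant"}
        return {"error": "unsupported_grant_type"}

    def api(self, path: str, bearer: str, now: int) -> dict:
        try:
            claims = verify_jwt(bearer, GP_SYSTEM_KEY, GP_ISS, GP_AUD, now)
        except ValueError as exc:
            return {"status": 401, "error": str(exc)}
        return {"status": 200, "path": path, "nhs_number": claims["sub"]}

class Apim:  # simulated APIM: validates the ID token, holds one GP access token per patient
    def __init__(self, gp: GpSystem) -> None:
        self.gp, self.sessions = gp, {}  # patient -> access token, refresh token, expiry

    def proxy(self, id_token: str, path: str, now: int) -> dict:
        try:
            sub = verify_jwt(id_token, NHS_LOGIN_KEY, NHS_LOGIN_ISS, NHS_APP_CLIENT, now)["sub"]
        except ValueError as exc:  # rejected before the GP system is contacted at all
            return {"status": 401, "error": f"NHS login ID token rejected: {exc}"}
        sess = self.sessions.get(sub)
        if sess is None or now >= sess["exp"]:  # exchange once, then refresh rather than re-exchange
            req = ({"grant_type": TOKEN_EXCHANGE, "subject_token": id_token,
                    "subject_token_type": ID_TOKEN_TYPE} if sess is None else
                   {"grant_type": "refresh_token", "refresh_token": sess["refresh_token"]})
            resp = self.gp.token_endpoint(req, now)
            if "error" in resp:
                return {"status": 502, "error": resp["error"]}
            sess = self.sessions[sub] = {"access_token": resp["access_token"], "exp": now + resp["expires_in"],
                                         "refresh_token": resp["refresh_token"]}
        return self.gp.api(path, sess["access_token"], now)  # the ID token itself is never forwarded

def run_demo() -> dict:
    """Exchange, cached reuse, refresh after expiry, then two rejected ID tokens."""
    gp = GpSystem(); apim, t0, nhs_no = Apim(gp), 1_700_000_000, "9000000009"  # constructed values
    id_token = nhs_login_issue_id_token(nhs_no, t0)
    later_id_token = nhs_login_issue_id_token(nhs_no, t0 + TOKEN_TTL)  # client re-authenticated
    forged = id_token[: id_token.rfind(".")] + later_id_token[later_id_token.rfind("."):]
    results = [
        apim.proxy(id_token, "/Patient", t0),                    # token exchange
        apim.proxy(id_token, "/Patient", t0 + 600),              # cached access token reused
        apim.proxy(later_id_token, "/Patient", t0 + TOKEN_TTL),  # access token expired: refresh
        apim.proxy(forged, "/Patient", t0),                      # body with another token's signature
        apim.proxy(id_token, "/Patient", t0 + TOKEN_TTL),        # expired ID token
    ]
    return {"results": results, "grants": gp.grants}
```

run_demo() walks through a first request (token exchange), a reuse of the cached access token, a request after both tokens have reached the end of their 60 minutes (the client has re-authenticated with NHS login, and APIM uses the refresh token flow rather than exchanging again), a token whose signature was taken from a different token, and a stale ID token; the last two are rejected by APIM before any call reaches the GP system. Two design choices are deliberate: the GP system re-verifies the ID token it receives rather than trusting APIM alone, and refresh tokens are single use, so a replayed one is refused.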
