Authentication
Security and authorisation
The FGM-IS FHIR R4 API will be hosted on the NHS England API Platform, which will provide the necessary security and authorisation.
To make API calls into Spine for the FGM-IS FHIR R4 API in a live (or path-to-live) Spine environment, clients first need to go through a digital onboarding process with NHS England.
After completing this onboarding process, the supplier of the calling system will be provided with an ASID (Accredited System ID) to use to identify the calling system in Spine calls. This must be used in all calls into the API.
Passing system and user context into FGM-IS API calls
To support audit and provenance within the Spine, information about both the calling system and the authenticated user MUST be passed into FGM-IS FHIR R4 API calls. The audit / provenance information needed by the FGM-IS FHIR R4 API is:
- ASID (calling system)
- Source practitioner (including SDS id)
- Role of source practitioner (SDSRoleProfileId / JobRoleCode)
The above will be captured in header parameters on the API calls:
- Authorization = Bearer <jwt_token_string>
- NHSD-Session-URID = <healthcare worker role ID>
An example of this information passed as an OAuth access (bearer) token, specifically an encoded JSON Web Token, can be found in the Spine Core API spec.
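A client-side pre-flight check for the two headers listed above, as an added example that is not part of the NHS England documentation or the Spine Core API spec. The function names and sample values are assumptions made for illustration; the check is structural only and does not verify the token signature or its claims.

```python
import base64
import binascii
import json
import re

B64URL = re.compile(r"[A-Za-z0-9_-]+")

def decode_segment(segment):
    """Decode one base64url JWT segment and require a JSON object."""
    if not B64URL.fullmatch(segment):
        raise ValueError("JWT segment is not base64url")
    padded = segment + "=" * (-len(segment) % 4)
    try:
        value = json.loads(base64.urlsafe_b64decode(padded))
    except (binascii.Error, ValueError) as exc:
        raise ValueError("JWT segment does not decode to JSON") from exc
    if not isinstance(value, dict):
        raise ValueError("JWT segment is not a JSON object")
    return value

def build_fgm_headers(jwt_token_string, role_id):
    """Return the two headers the page lists, or raise ValueError.

    Structural check only: the signature is not verified here.
    """
    parts = jwt_token_string.split(".")
    if len(parts) != 3:
        raise ValueError("bearer token is not a three-part compact JWT")
    decode_segment(parts[0])  # JOSE header
    decode_segment(parts[1])  # claims (names are in the Spine Core API spec)
    if not B64URL.fullmatch(parts[2]):  # empty signature = unsigned token
        raise ValueError("JWT signature segment is missing or not base64url")
    # Reject whitespace and control characters so the value cannot split
    # the header line (CR/LF injection) or arrive silently truncated.
    if not role_id or re.search(r"[\s\x00-\x1f\x7f]", role_id):
        raise ValueError("NHSD-Session-URID is empty or malformed")
    return {"Authorization": f"Bearer {jwt_token_string}",
            "NHSD-Session-URID": role_id}

def b64url(obj):
    """Encode a JSON object as an unpadded base64url string (sample data only)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample values, not real credentials or identifiers.
SAMPLE_JWT = ".".join([b64url({"alg": "RS512", "typ": "JWT"}),
                       b64url({"sub": "constructed-example"}),
                       "c2lnbmF0dXJl"])
SAMPLE_ROLE_ID = "000000000000"

if __name__ == "__main__":
    print(sorted(build_fgm_headers(SAMPLE_JWT, SAMPLE_ROLE_ID)))
```

Running the check before every call catches a missing role ID or a truncated token on the client, rather than as a rejected request.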