NHS Booking and Referral Standard

Guide v1.8.1 | Core v1.1.5 | Package v1.34.0

Testing and Environments

Environments

The principle environment for development and testing is the INT (integration) environment. This is a like-live environment, harnessing full security and functionality that can expect to be encountered in Production. In addition, the BaRS API specification links to the Sandbox environment, which is capable of demonstrating the key functionality but without the security overhead.

Path-to-Live has full details of all available testing environments and the functionality they offer.

TKW

What is TKW?

TKW - Toolkit Workbench - is a tool to assist development and assurance of supplier solutions to meet BaRS (Booking and Referral Standard) requirements.

The tool supports testing of key high-level workflows e.g. a booking routine, including some of asynchronous ones, but is also capable of inspecting low level technical requirements. It reports the output in Validation Reports which clearly indicates to the reader where and why a test has failed. In addition, it supports consistent error states which are often difficult to create but required for development and assurance.

The BaRS TKW tooling is embedded into the INT environment, encompassing all the same end-to-end BaRS infrastructure that is mirrored in Production, rather than being downloaded and used in isolation. This ensures the same steps to deploy solutions to Production are followed during deployment to INT, and allowing testing of requests/responses to occur under Production-like conditions. Similarly, we're able to incorporate other key components, similar to those used in Production workflows, such as the UserTest Directory of Services (DoS). In the current BaRS Applications, the TKW tool relies on values in the UserTest DoS to elicit particular behavioural responses. The Sender will populate what are termed 'sentinel' values, such as the NHSD-Target-Identifier, with a particular value and TKW will respond with a certain Capability Statement, MessageDefinition etc. (See the 'Scenarios' section for detail).

It is important for Senders to remember TKW is a stateless receiver and is not checking the relationship between requests (except in a handful of stateful scenarios - outlined below). This is important when developing workflows such as linking a booking and referral and transactional Integrity.

Using TKW Portal

Suppliers must register a Portal account to start working with TKW but Senders and Receivers will use the tool in slightly different ways due to the nature of the requests/responses they require. Senders, needing somewhere to send requests and Receivers needing something to make requests of their solution.

During the registration process, the 'Target Identifier' and 'ODS Code' values are important to ensure requests are sent and received appropriately. As a Sender (to TKW), the HTTP Header NHSD-End-User-Organisation must include the ODS Code they registered with because TKW will collate requests based on this value. When reports are downloaded and viewed, only requests with that specific ODS Code in the header will be visible. As a Receiver, once logged into the portal and selecting the request(s) TKW is required to make of your endpoint, they will be directed to the Target Identifier registered against and, equally, downloaded reports will only relate to that specific value.

MAIT-Portal

MAIT-Portal-Home

Sender

Once registered, requests can be made of TKW in any given workflow e.g. booking, validation etc. and the tool will record and provide downloadable validation reports for each request made.

The Scenarios (including Stateful Scenarios) outlined below highlight how to elicit particular behaviour required, note the specific sentinel values for NHSD-Target-Identifier and patient NHS Number. As a Sender, the various requests can be made and TKW will repond accoridngly.

NB: It is important for Senders to remember TKW is a stateless receiver and is not checking the relationship between requests (except in a handful of stateful scenarios - outlined below). This is important when developing workflows such as linking a booking and referral and transactional Integrity.

Receiver

A receiver can access the portal (once registered) to send either individual tests or an entire suite of tests to themselves. From the top menu bar, click 'Receive Requests' and the screen below will present -

The receiver selects the request they wish the TKW to make of their endpoint and clicks 'Execute Selected Tests' (bottom of the page). TKW will indicate when the requests have been processed.

MAIT-Portal-Requests

Once all requested tests have been completed, the Validation Report can be downloaded -

  • from the top menu, select 'Download Reports'
  • then click on the button 'Download Reports' (this packages the report and makes it available to download locally)
  • from the top me, select 'Receiver Reports'
  • click on the hyperlink of the required report to download locally (.zip format)

Scenarios

The TKW will respond to the scenarios outlined below. It does not hold the state of any prior request (unless specified in the Stateful scenarios) and the specific 'sentinel' values (in bold) must be used to elicit the required response where stated.

NB: where 'Any' NHSD-Target-Identifier is specified, only those highlighted in "UserTest DoS Services" table below will work for TKW.

NB: the endpoints for TKW are case sensitive eg use the following /metadata /MessageDefinition /$process-message /Slot /Appointment /ServiceRequest

Headers

The follow is a list of headers needed for the requests, these follow the pattern needed by BARS as follows Headers

Name Value example
X-Request-Id guid 74c2b045-9b7d-4b78-aeee-642f6332e3c9
X-Correlation-Id guid 0598efa7-fff0-4ade-9af8-3f46b4124151
NHSD-Target-Identifier Base64 encoded json varies depending on test (Sentinel Value) else use a value from the "UserTest DoS Services" table below {"system":"https://fhir.nhs.uk/Id/dos-service-id","value":"2000011147"} ( Must be Base64 encoded! )
NHSD-End-User-Organisation Base64 encoded json {"resourceType":"Organization","identifier":[{"value":"WASP","system":"https://fhir.nhs.uk/Id/ods-organization-code"}],"name":"My service provider name"} ( Must be Base64 encoded! )
Example cURL Request

        bash
        curl --location 'https://int.api.service.nhs.uk/booking-and-referral/FHIR/R4/metadata' \
        --header 'X-Request-Id: 99672436-ae1e-42e4-81a6-5a298563ccfa' \
        --header 'X-Correlation-Id: f44f6c3c-fdd5-4c8c-a091-d825eca1d763' \
        --header 'NHSD-Target-Identifier: eyJzeXN0ZW0iOiJodHRwczovL2ZoaXIubmhzLnVrL0lkL2Rvcy1zZXJ2aWNlLWlkIiwidmFsdWUiOiIyMDAwMDcyNDg5In0=' \
        --header 'NHSD-End-User-Organisation: ewogICJyZXNvdXJjZVR5cGUiOiAiT3JnYW5pemF0aW9uIiwKICAiaWRlbnRpZmllciI6IFsKICAgIHsKICAgICAgInZhbHVlIjogIldBU1AiLAogICAgICAic3lzdGVtIjogImh0dHBzOi8vZmhpci5uaHMudWsvSWQvb2RzLW9yZ2FuaXphdGlvbi1jb2RlIgogICAgfQogIF0sCiAgIm5hbWUiOiAiTXkgc2VydmljZSBwcm92aWRlciBuYW1lIgp9' \
        --header 'Authorization: Bearer yourBearerToken'
    


Capability

Test BaRS Application Sentinel Element / Hints Sentinel Value Comment
CS for Booking and Referral receiver 111-ED NHSD Target Identifier (HTTP Header) 2000011147 Returns CS for Booking and Referral receiver service
CS for Referral receiver 111-ED, 999-CAS NHSD Target Identifier (HTTP Header) 2000076289 Returns CS for Referral receiver service
CS for Validation sender 999-CAS NHSD Target Identifier (HTTP Header) 1374839566 Returns CS for Validation sender service (accepting interim and full validation responses)
CS for any other receiving service BaRS Core NHSD Target Identifier (HTTP Header) Any (see comment) Any NHSD Target Identifier other than those a predefined response is set for (see above)

MessageDef

Test BaRS Application Sentinel Element / Hints Sentinel Value Comment
MD for Booking and Referral receiver 111-ED (parameter) context=https://fhir.nhs.uk/Id/dos-service-id|2000011147 2000011147 Returns MD for Booking and Referral receiver service
MD for Referral receiver 111-ED, 999-CAS (parameter) context=https://fhir.nhs.uk/Id/dos-service-id|2000076289 2000076289 Returns MD for Referral receiver service
MD for Validation receiver 999-CAS (parameter) context=https://fhir.nhs.uk/Id/dos-service-id|2000003366 2000003366 Returns MD for Validation receiver service
MD for Validation sender 999-CAS (parameter) context=https://fhir.nhs.uk/Id/dos-service-id|1374839566 1374839566 Returns MD for Validation sender service (accepting interim and full validation responses)
MD for Out-of-Area CAD Referral receiver CAD-CAD (parameter) context=https://fhir.nhs.uk/Id/dos-service-id|2000159909 2000159909 Returns MD for Out-of-Area CAD-CAD Referral receiver service
MD for any other receiving service BaRS Core (parameter) context=https://fhir.nhs.uk/Id/dos-service-id|2000076288 Any (see comment) Any 'context' parameter other than those a predefined response is set for (see above)
MD failed request - HTTP 401 BaRS Core (parameter) context=https://fhir.nhs.uk/Id/dos-service-id|FAIL0401 FAIL0401
MD failed request - HTTP 404 BaRS Core (parameter) context=https://fhir.nhs.uk/Id/dos-service-id|FAIL0404 FAIL0404
MD for invalid MessageDefs BaRS Core (parameter) context=https://fhir.nhs.uk/Id/dos-service-id|2000071898 2000071898 Returns invalid MessageDefintions (includes Invoice resource) for any workflow

Booking

Test BaRS Application Sentinel Element / Hints Sentinel Value Comment
Search for free Slots BaRS Core (parameter) start=ge2020-10-31T18%3A45%3A39%2B00&end=le2024-11-04T19%3A00%3A38%2B00&Schedule.actor%3AHealthcareService=2000072489&status=busy%2Cfree 2000072489
Search for free and busy Slots BaRS Core (parameter) as above but with status=busy%2Cfree 2000072489 Must include the parameter 'status=free,busy' or 'status=busy,free'
Return no Slots BaRS Core (parameter) as above but &Schedule.actor%3AHealthcareService=2000073917 2000073917
Return mandatory Slot response BaRS Core (parameter) as above but &Schedule.actor%3AHealthcareService=1503499715 1503499715 This will only include Slot, Schedule and HealthcareService
Slot search failed request - HTTP 408 BaRS Core (parameter) as above but &Schedule.actor%3AHealthcareService=2000081230 2000081230
New booking for verified patient BaRS Core use body from Booking Request New Full replace <value value="9476719931" /> with 9658499007 9658499007 The returned Appointment Id = ce1c4ced-2a84-4198-9982-9caf894d0bb7 in HTTP synchronous response
Get Booking BaRS Core /Appointment use any NHSD Target Identifier as above The returned Appointment Id = ce1c4ced-2a84-4198-9982-9caf894d0bb7
Cancel Booking BaRS Core use body from Booking Request Cancelled The returned Appointment Id = ce1c4ced-2a84-4198-9982-9caf894d0bb7 (assumed cancel is for this appointment)
New booking for a patient with no NHS No. BaRS Core use body from Booking Request New Full remove the whole "Extension-UKCore-NHSNumberVerificationStatus" section blank (no NHS No.) The returned Appointment Id = ce1c4ced-2a84-4198-9982-9caf894d0bb7
New booking failed request - HTTP 404 BaRS Core use body from Booking Request New Full replace <value value="9476719931" /> with 9658499015 9658499015
New booking failed request - HTTP 409 BaRS Core use body from Booking Request New Full replace <value value="9476719931" \/> with 9658499023 9658499023
New booking failed request - HTTP 422 BaRS Core use body from Booking Request New Full replace <value value="9476719931" /> with 9658499031 9658499031
Get booking failed request - HTTP 501 BaRS Core /Appointment/0d440c22-7f25-4c6c-905d-2213d197d02a GET must be for Appointment Id 0d440c22-7f25-4c6c-905d-2213d197d02a

Referral

Test BaRS Application Sentinel Element / Hints Sentinel Value Comment
New referral for a verified patient 111-ED, 999-CAS use body from REFREQ01 New Full 111 to ED replace <value value="3478526985" /> with 9658499058 9658499058 The returned Service Request Id = 79120f41-a431-4f08-bcc5-1e67006fcae0
Get Referral 111-ED, 999-CAS /ServiceRequest/79120f41-a431-4f08-bcc5-1e67006fcae0 The returned Service Request Id = 79120f41-a431-4f08-bcc5-1e67006fcae0
Cancel Referral 111-ED, 999-CAS use body from SERVREQ01 The returned Service Request Id = 09b53c07-2a21-4ba5-ac8b-f33e486d794d (assumed revoke is for this Service Request)
New referral for a patient with no NHS No. 111-ED, 999-CAS use body from REFREQ01 New Full 111 to ED remove whole Extension-UKCore-NHSNumberVerificationStatus section The returned Service Request Id = 79120f41-a431-4f08-bcc5-1e67006fcae0
New referral failed request - HTTP 400 111-ED, 999-CAS use body from REFREQ01 New Full 111 to ED replace <value value="3478526985" /> with 9658499066 9658499066 Request must be for a patient with NHS No - 9658499066 and returns 400
New referral failed request - HTTP 500 111-ED, 999-CAS use body from REFREQ01 New Full 111 to ED replace <value value="3478526985" /> with 9658499074 9658499074 Request must be for a patient with NHS No - 9658499074 and returns 500
New referral for Out-of-Area CAD referral CAD-CAD NHSD Target Identifier (HTTP Header) 2000159910 Request will be validated against the Application6 Out-of-Area CAD-CAD use-case
Get Referral - HTTP 405 111-ED, 999-CAS /ServiceRequest/61215702-0049-4d76-9807-2123f0a6ca15 GET must be for ServiceRequest Id 61215702-0049-4d76-9807-2123f0a6ca15 and returns 405
Get Referral - HTTP 429 111-ED, 999-CAS /ServiceRequest/9d280ad9-6dda-46d2-a75e-f5b47b2f4e87 GET must be for ServiceRequest Id 9d280ad9-6dda-46d2-a75e-f5b47b2f4e87 and returns 429
Get Referral - HTTP 503 111-ED, 999-CAS /ServiceRequest/0b42eac3-0175-43c8-bbab-efaa8ca31ccf GET must be for ServiceRequest Id 4d65ddaa-4d09-41cd-87c9-aeb9c0c96352 and returns 503

Validation

Test BaRS Application Sentinel Element / Hints Sentinel Value Comment
New validation request 999-CAS use body from VALREQ03 Validation Service Req remove whole Extension-UKCore-NHSNumberVerificationStatus section The validation request will return Service Request id = 0b42eac3-0175-43c8-bbab-efaa8ca31ccf
New validation request 999-CAS use body from VALREQ03 Validation Service Req replace <value value="3478526985" /> with 9658499082 9658499082 The validation request will return Service Request id = 9e595424-9d67-45db-9a90-03259653cd37 which can be used in subsequent error scenarios 'Get Validation - HTTP 408' (4.6)
New validation request 999-CAS use body from VALREQ03 Validation Service Req replace <value value="3478526985" /> with 9658499090 9658499090 The validation request will return Service Request id =  c337e8d8-fd5b-4a13-a8e4-0f6f4ac1bb1a which can be used in subsequent error scenarios 'Get Validation - HTTP 501' (4.8)
Get validation request 999-CAS /ServiceRequest/0b42eac3-0175-43c8-bbab-efaa8ca31ccf GET must be for Service Request id = 0b42eac3-0175-43c8-bbab-efaa8ca31ccf
Update validation request 999-CAS use body from VALREQ02 - Validation Service Req The validation request returned will be Service Request id = 0b42eac3-0175-43c8-bbab-efaa8ca31ccf
Cancel validation request 999-CAS use body from VALREQ02 - Validation Service Req
New validation failed request - HTTP 404 999-CAS use body from VALREQ03 Validation Service Req replace <value value="3478526985" /> with 9658499015 9658499015 Request must be for a patient with NHS No - 9658499015 and returns 404
New validation failed request - HTTP 409 999-CAS use body from VALREQ03 Validation Service Req replace <value value="3478526985" /> with 9658499112 9658499112 Request must be for a patient with NHS No - 9658499112 and returns 409
New validation failed request - HTTP 422 999-CAS use body from VALREQ03 Validation Service Req replace <value value="3478526985" /> with 9658499120 9658499120 Request must be for a patient with NHS No - 9658499120 and returns 422
New validation failed request - HTTP 401 999-CAS use body from VALREQ03 Validation Service Req replace <value value="3478526985" /> with 9658499139 9658499139 Request must be for a patient with NHS No - 9658499139 and returns 401
Get Validation - HTTP 408 999-CAS /ServiceRequest/0b42eac3-0175-43c8-bbab-efaa8ca31ccf GET must be for Service Request id = 0b42eac3-0175-43c8-bbab-efaa8ca31ccf and returns 408
Get Validation - HTTP 501 999-CAS /ServiceRequest/c337e8d8-fd5b-4a13-a8e4-0f6f4ac1bb1a GET must be for Service Request id = c337e8d8-fd5b-4a13-a8e4-0f6f4ac1bb1a and returns 501

Response

Test BaRS Application Sentinel Element / Hints Sentinel Value Comment
Full Validation Response 999-CAS use body from VALREQ03 Validation Service Req replace <value value="3478526985" /> with 9658499147 9658499147 Trigger a Validation response for full validation
Interim validation response 999-CAS use body from VALREQ03 Validation Service Req replace <value value="3478526985" /> with 9658499155 9658499155 Trigger a Validation response for interim validation
Safeguarding DNA Response 111-ED use body from VALREQ03 Validation Service Req replace <value value="3478526985" /> with 9658499163 9658499163 Accept a Response flow for failed Safeguarding
Safeguarding DNA Response - HTTP 401 111-ED use body from VALREQ03 Validation Service Req replace <value value="3478526985" /> with 9658499171 9658499171 Accept a Response flow for failed Safeguarding and returns a 401

UserTest DoS Services

The sentinel values linked to UserTest DoS services can be found by searching with the following criteria.

ServiceId Service Name PostCode Pathway Comment
2000072489 TESTING ONLY BaRS Test Service (TKW) LS1 4AP NoseBleed without Injury A catch-all service supporting multiple workflows. Pathways answers to obtain outcome (No, Yes, No, Yes)
2000073917 TESTING ONLY BaRS Test Service (TKW 2) LS1 4AP NoseBleed without Injury Pathways answers to obtain outcome (No, Yes, No, Yes)
1503499715 TESTING ONLY BaRS Test Service (TKW 3) LS1 4AP NoseBleed without Injury Pathways answers to obtain outcome (No, Yes, No, Yes)
2000081230 TESTING ONLY BaRS Test Service (TKW 4) LS1 4AP NoseBleed without Injury Pathways answers to obtain outcome (No, Yes, No, Yes)
2000093816 TESTING ONLY BaRS Test Service (TKW 5) LS1 4AP NoseBleed without Injury Digital Referral Roles Only. Pathways answers to obtain outcome (No, Yes, No, Yes)
1374839566 TESTING ONLY BaRS Test Service (TKW 6) LS1 4AP NoseBleed without Injury Pathways answers to obtain outcome (No, Yes, No, Yes)
2000011147 TESTING ONLY BaRS Test Service (TKW 7) LS1 4AP NoseBleed without Injury Pathways answers to obtain outcome (No, Yes, No, Yes)
2000076289 TESTING ONLY BaRS Test Service (TKW 8) LS1 4AP NoseBleed without Injury Pathways answers to obtain outcome (No, Yes, No, Yes)
2000003366 TESTING ONLY BaRS Test Service (TKW 9) LS1 4AP NoseBleed without Injury Pathways answers to obtain outcome (No, Yes, No, Yes)
2000071898 TESTING ONLY BaRS Test Service (TKW 12) LS1 4AP NoseBleed without Injury Pathways answers to obtain outcome (No, Yes, No, Yes)
2000159909 TESTING ONLY BaRS Test Service (TKW 13) LS1 4AP NoseBleed without Injury Pathways answers to obtain outcome (No, Yes, No, Yes)
2000159910 TESTING ONLY BaRS Test Service (TKW 14) LS1 4AP NoseBleed without Injury Pathways answers to obtain outcome (No, Yes, No, Yes)

INT Test Patient (traceable on SPINE)

The patient.Identifier sentinel values used to trigger Scenarios in TKW can be found on the INT Spine. The full patient details are outlined below.

Surname Forename DoB NHS No Sex Postcode
DYBALL Adrian 29/10/1932 9658499007 M DN17 4LR
FOWLER Frank 07/06/1921 9658499015 M DN17 1HJ
SWAIN Dudley 03/10/1931 9658499023 M DN19 7EQ
WEBBER Jeremy 19/12/1934 9658499031 M DN16 3JH
MURRY Josiah 10/08/1918 9658499058 M DN8 5SP
MARSH Irving 15/06/1937 9658499066 M DN17 2QU
POVAH Horton 15/07/1938 9658499074 M DN17 1UU
McCANN Levi 08/07/1934 9658499082 M DN16 2LH
DRIVER Claude 29/04/1934 9658499090 M DN18 6BW
LYMER Peter 07/09/1948 9658499104 M DN16 1SA
TAFT Daphne 16/03/1919 9658499112 F DN16 2QY
MCGURK Verena 28/03/1940 9658499120 F DN17 2NB
GILROY Ellice 24/02/1929 9658499139 F DN20 8PT
COOK Violet 07/02/1918 9658499147 F DN20 0JH
COYNE Joyce 22/01/1933 9658499155 F DN17 1TR
LUMAS Hariot 23/04/1948 9658499163 F DN15 7QQ
BONNEY Lynda 21/03/1949 9658499171 F DN17 1XR

Stateful Scenarios

TKW supports a limited stateful response for 111 to ED requests. This is a simulation of the real-world receiving end-point and mimics the expected behaviour of a Reciever solution.

This stateful behaviour is only demonstrated for a specific patient (NHS Number 9707606312) and per NHSD-End-User-Organisation - i.e. state will be persisted only between requests made by the same End User Organisation.

Note The stateful server will reset each night which will return all users back to the initial state.

State Transition Table indicating the responses the stateful TKW scenarios will support and the expected responses-

Event Initial State Appointment Booked State Referral Created State
Make a Booking Http 200 Http 409 (Booking already exists) Http 409 (Booking already exists)
Cancel a Booking Http 400 (The booking this request relates to does not exist) Http 200 Http 200
Create Linked Referral Request Http 400 (The booking this request relates to does not exist) Http 200 Http 409 (Referral  already exists)
Create Mis-linked Referral Request Http 400 (The booking this request relates to does not exist) Http 409 (Referral  is not linked to the correct booking) Http 409 (Referral  already exists)
Cancel Referral Request Http 400 (The booking this request relates to does not exist) Http 400 (No Referral - The referral this request relates to does not exist) Http 200

Onboarding

API-M provide the security model for BaRS.

There are two roles; Sender and Receiver, and most BaRS Applications will require a solution to support both, despite being predominantly one or the other, because of the response workflow steps. In responses flows, the original Sender becomes and Receiver and original Receiver becomes a Sender.

The Sender obtains a token from the API-M platform to make requests of the BaRS API Proxy which brokers the request through the Receiver, secure via TLS-MA (Transport Layer Security-Mutual Authentication).

BaRS is based on internet-first principles and there is no requirement for Health and Social Care Network (HSCN) connectivity.

Sender

Prerequiste steps to follow -

Onboarding Dev Account

Onboarding Dev Account Title

  • Assign members to your Team
  • Create an App
    • Owner of the App should be the Team created above
    • You will need a callback URL (bottom of page)
    • Enable or request the API's you wish to use for your application
      • "Booking and Referral FHIR API (Sandbox Environment)" - for Sandbox
      • "Booking and Referral FHIR API (Integration Testing Environment)" - for INT
    • Generate an API Key for your application
  • Define your Key Identifier (KID) to be used within your JWTs
    • KID Naming Convention (Development Systems) - <Supplier>-<Environment>-<rotation> i.e. MySupplier-INT-1
    • KID Naming Convention (Provider Systems) - <Provider>-<Environment>-<rotation> i.e. Provider-INT-1
  • Generate a key pair (.pem)
  • Provide details to register your key
    • For INT : Register Public key with API Management
      • Email - api.management@nhs.net with:
        • Environment - Sandbox, Development, Integration Test or Production
        • App ID and Name from the portal
        • Public key
          • As an attachment, PEM-Encoded
        • The KID you have defined for this public key
        • APIs you want to use
    • For Production (each provider needs their own key).
      • Email -
        • Specify Live
        • App ID and Name from the portal for both Production and the INT Suppliers Development environment.
        • Public key for the providers Production instance.
          • As an attachment, PEM-Encoded.
        • The KID defined for this public key.
        • The APIs you want to use.
  • Generate a signed JWT using your private key
    • The header:

      • alg: The algorithm used
      • typ: "JWT" in this instance
      • kid: Your KID as provided to API Management above
      • example:
              {
                  "alg":"RS512"
                  "typ":"JWT"
                  "kid":"BaRS-Sandbox-1"
              }
      
      
    • The payload:

      • iss: The API Key you generated in the portal
      • sub: The API Key you generated in the portal
      • aud: The full URL of the endpoint you are calling (example: https://sandbox.api.service.nhs.uk/oauth2/token )
      • jti: UUID/GUID, different for each request
      • exp: Epoch time, to be no more than 5 minutes in the future, indicating when your token will expire
      • example:
              {
                  "iss":"IwrOdg62kM9LN1oFhlHAhWPHAhWPbV62",
                  "sub":"IwrOdg62kM9LN1oFhlHAhWPHAhWPbV62",
                  "kid":"BaRS-Sandbox-1",
                  "aud":"https://sandbox.api.service.nhs.uk/oauth2/token",
                  "jti":"b7ae4c12-3c04-465a-8877-c2e80f0126a3"
                  "exp":"1635263528"
              }
      
      
    • Post your JWT to the OAuth endpoint to receive a Token

      • Note: A token is not required for the Sandbox environment

      • Your request body should be x-www-form-urlencoded with the following fields

        • grant_typegrant_type = "client_credentials"
        • client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
        • client_assertion = <Your signed JWT>
        • example:
            curl --location --request POST 'https://sandbox.api.service.nhs.uk/oauth2/token' \
            --header 'Content-Type: application/x-www-form-urlencoded' \
            --data-urlencode 'grant_type=client_credentials' \
            --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
            --data-urlencode 'client_assertion=eyJ0eXAiOiJKV1QiLCJraWQiOiJCYVJTLVNhbmRib3gtMSIsImFsZyI6IlJTNTEyIn0.
            eyJpc3MiOiJJd3JPZGc2MmtNOUxOMW9GaGw4UnlVUmJIQWhXUFY2MiIsInN1YiI6Ikl3ck9kZzYya005TE4xb0ZobDhSeVVSYkhBaFdQVjYyIiwia2lkIjoiQmFSUy1TYW5kYm94LTEiLCJhdWQiOiJodHRwczovL3NhbmRib3guYXBpLnNlcnZpY2UubmhzLnVrL29hdXRoMi90b2tlbiIsImp0aSI6IlQtWjdhTm1UODUybE1uVGtZb1NaRiIsImlhdCI6MTYzNTI2MjI2MiwibmJmIjoxNjM1MjYyMjYyLCJleHAiOjE2MzUyNjI1NjZ9.aUQSqvkzjAMRR21lNiE6YnksynPWx9wkXdEFJZ_muzGfeyuS3ooh-uXlOccQFSDS790Wrne49vMsf72NILK3iDjWyH2z8D8R_B_xYy2e3ZOktqQFNx5vZ0svC-_v1ranJKJJU8NiQog7JvRtXNwKcdExpge2bkhV2JN3bQtzPY0F7CxPohILmCIUvi3yEyr-nm3kxdB8LkifQAz132qpuO_1iENGmbqUgASYBZMTQIdD4aO8Vv9sJ9rvyIQyniw_DeY6SEMx4CHDiEb0NWmcOmpdBS1DDkuMiUohSpz8OXEYR1cZcL27dyibDJBY57FGCMBn1AVb43olYSumOIwg'
        
        
    • The expected success response from the Post should be a status 200 with a 3 field JSON response:

      • access_token: Your access token
      • expires_in: When it expires
      • token_type: "Bearer"
      • issued_at: Time issued
      • example:
              {
                  'access_token': 'Sr5PGv19wTEHJdDr2wx2f7IGd0cw',
                  'expires_in': '599',
                  'token_type': 'Bearer'
                  'issued_at': '1675784384503'
              }
      
      
    • A failure response will have a response code appropriate for the reason and the following 3 fields:

      • error: The error thrown
      • error_description: Diagnostics text to tell you why the error was thrown
      • message_id: A unique id for the interaction
      • example:
              {
                  "error": "public_key error",
                  "error_description": "You need to register a public key to use this authentication method - please contact support to configure",
                  "message_id": "rrt-8923968319386160140-b-geu2-23765-558685-1"
              }
      
      

Receiver

BaRS will utilise TLS-MA to communicate with Receiving endpoints. Receiving endpoints will require a certificate under the NHS Root CA to facilitate TLS-MA.

  • The receiver must request a certificate under the NHS Root CA
  • The receiving endpoint will present the certificate obtained for TLS-MA
  • The receiving endpoint will need to trust the Root CAs and SubCAs for their respective environments
  • The receiving endpoint will only accept requests presented with certificates from their respective chains

As the certificates are using the NHS Root CA, FQDN must be an nhs.uk address, this is the case for both INT and Prod

You can apply for your domain here, ensuring that you complete Section 5: For website or application records visible on public internet

Once you have you have your domain registered you can then begin the process to obtain your certificate by generating a certificate request

Certificate requests will need to be signed for your endpoint. Note that the fully qualified domain (FQDN) name is equal to the certificate name (CN) by convention

At this point you should have a .key and a .csr files. The next step will be to send the .csr file to be signed by the NHS and get the client certificate. For full steps see below sections for each environment under 'Configuring endpoints for different environments'

  • If your client certificate will be implemented in any PTL environment then you should send the .csr file to itoc.supportdesk@nhs.net
  • If your client certificate will be implemented in the PROD environment then the .csr file needs to be sent to the DIR team at dir@nhs.net and they will issue the certificate after validating your request with the Live Services Pipeline at liveservices.gate@nhs.net

Integration (INT)

  • Request a ‘certificate only’ from ITOC
    • Onboarding FORM
    • Certificate Only (No endpoint)
    • Integration environment
    • Format for development systems FQDN on INT is ‘BaRS-INT-<ODS Code>.<Supplier name>.thirdparty.nhs.uk
    • Format for provider systems FQDN on INT is ‘BaRS-INT-<ODS Code>.<Provider name>.nhs.uk
    • Ensure it is clear this is a request for a ‘BaRS’ certificate
    • ‘N/A’ in the Party Key section because there is no relation to SDS endpoints
    • In the .csr, the ‘email’ field must be blank
  • Receive certificate from ITOC
  • Email dnsteam@nhs.net with FQDN and public facing IP to register DNS
  • Email bookingandreferralstandard@nhs.net with Receiver URL for BaRS/API-M to add to the Endpoint Catalogue

Production (Prod)

  • Once Solution Assurance issue the supplier with the Technical Conformance certificate Production endpoints can be requested
  • Sends .csr to dir@nhs.net, indicating this is for a BaRS Receiver endpoint
    • Format for FQDN on PROD for -
      • Supplier hosted solutions is ‘BaRS-PROD-<ODS Code>.<Supplier name>.thirdparty.nhs.uk
        • This option is used for multi-tenanted solutions.
      • Service Provider hosted solutions is ‘BaRS-PROD-<ODS Code>.<Provider name>.nhs.uk
        • This option is used for non multi-tenanted solutions. If multiple endpoints are needed, the ODS code can be appended with an identifier for the setting.
        • It may be that the provider already has a 'nhs.uk' standard domain DNS entry, If one exists, it should be used for this new subdomain.
  • Receive certificate from DIR Team
  • Email dnsteam@nhs.net with FQDN and public facing IP to register DNS
  • Email bookingandreferralstandard@nhs.net with Receiver URL for BaRS/API-M to add to the Endpoint Catalogue

Note - Receiver Firewall Amendments - Requests from the BaRS API Proxy will originate from INT on 35.197.254.55 & 35.246.55.143 and PROD on 34.89.0.111 & 34.89.69.6

Certificates

Introduction

The BaRS API and supplier solution will be secured by HTTPS/TLS, for both inbound and outbound connections. All certificates used are published on this website for your convenience.

In order to establish a connection to and from any environment, a chain of trust must be set up using the certificates detailed below.

For information on obtaining certificates as a Receiver see the Onboarding section.

Inbound

All inbound connections to the BaRS API will be presented with environment specific certificate, provided by Digicert. This is inline with all NHS APIs on the platform. The details for the certificate and chain used are described in the table below.

Certificate CN Thumbprint Parent CN Parent Thumbprint Environment
dev.api.service.nhs.uk 8c41b2d0080ff4f83ef4164078d17bab5ed53cbb DigiCert TLS RSA SHA256 2020 CA1 1c58a3a8518e8759bf075b76b750d4f2df264fcd Sandbox
int.api.service.nhs.uk 634680dfafcf3a6e229741ae7ad5b98dbe70d822 DigiCert TLS RSA SHA256 2020 CA1 1c58a3a8518e8759bf075b76b750d4f2df264fcd INT
api.service.nhs.uk 2673f9045ba6f8ff8b7b82a9046f9b599af27cab DigiCert TLS RSA SHA256 2020 CA1 1c58a3a8518e8759bf075b76b750d4f2df264fcd Prod
DigiCert TLS RSA SHA256 2020 CA1 1c58a3a8518e8759bf075b76b750d4f2df264fcd DigiCert Global Root CA a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436 All
DigiCert Global Root CA a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436 N/A N/A All

dev.api.service.nhs.uk (Digicert)

-----BEGIN CERTIFICATE-----
MIIH7zCCBtegAwIBAgIQCd1RZTdgwjlx2LOoB8pNHTANBgkqhkiG9w0BAQsFADBP
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBE
aWdpQ2VydCBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTAeFw0yMjA2MjkwMDAwMDBa
Fw0yMzA2MjkyMzU5NTlaMFQxCzAJBgNVBAYTAkdCMQ4wDAYDVQQHEwVMZWVkczEU
MBIGA1UEChMLTkhTIERpZ2l0YWwxHzAdBgNVBAMTFmRldi5hcGkuc2VydmljZS5u
aHMudWswggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQChdhQee1KNW6C/
qUzRfgwLzxdXcLMusYrCR+dkiJiyVTy2JAP9iDwOqsJWeaxzXzXoPM+3ahq2m7c6
CgAhuk8XHo3vhRfJzLehbQtzAgnz5YDevpI74gj2V/Wd7/QGu8Cgh9AoCtO5gfh8
byju/V9eJArHxCE6huduBTp59y8Dth/VGWiDaOgYDauBOkSKdxVmPl1qZOv7cN/p
wD4TyZxs0CrqUrkRT4WfvABrOaG7jLbeKKhVfMYXSJhPs1g7STJaOzvrRAwt1O83
q4Objc3/oPnbbN1AyXlVyHI2exkxmNllYHRMogQMSFOpdj/g+zibw7tPpKDE49Xx
YFtfGOUHusb2Fj7kYh7bevdOibrmzG+zT1l29VNzaYp0sFMSrHaCBVZ6Rw/q3BHV
vRXfb+zpiSpmUG67FULKWQRCSKEBw7pfD1+cg8050PT+JnnhONjwzbwJMZjiibV7
f0JGP0G2JX1sRSad+EBHPYd1is0SESFhfrkSm5pQxgTkxGFKhBC0fm3LSP6qhelz
z1YIKupi66wC74dnV/YJkxOQ38r3uH0WTiZ8SL2Zd3Gd+1DPWXydvjfH94yQpOHj
ihRhHlkn+uRynOBqcCTsZ+9xyOjAQ3AicSLAsK9V+YxK+mO1IatgnmafLGNWYAsK
YpGS+BsOnS6Znecv9lFPcWWdTQsUpwIDAQABo4IDwDCCA7wwHwYDVR0jBBgwFoAU
t2ui6qiqhIx56rTaD5iyxZV2ufQwHQYDVR0OBBYEFMa79aKSfMUaT2POYUTKkpfF
mocAMG0GA1UdEQRmMGSCFmRldi5hcGkuc2VydmljZS5uaHMudWuCFnJlZi5hcGku
c2VydmljZS5uaHMudWuCGnNhbmRib3guYXBpLnNlcnZpY2UubmhzLnVrghZkZXAu
YXBpLnNlcnZpY2UubmhzLnVrMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggr
BgEFBQcDAQYIKwYBBQUHAwIwgY8GA1UdHwSBhzCBhDBAoD6gPIY6aHR0cDovL2Ny
bDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VExTUlNBU0hBMjU2MjAyMENBMS00LmNy
bDBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VExTUlNB
U0hBMjU2MjAyMENBMS00LmNybDA+BgNVHSAENzA1MDMGBmeBDAECAjApMCcGCCsG
AQUFBwIBFhtodHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwfwYIKwYBBQUHAQEE
czBxMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wSQYIKwYB
BQUHMAKGPWh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU1JT
QVNIQTI1NjIwMjBDQTEtMS5jcnQwCQYDVR0TBAIwADCCAXwGCisGAQQB1nkCBAIE
ggFsBIIBaAFmAHYArfe++nz/EMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgooAAAGB
r8Mt1gAABAMARzBFAiEA3y5VxP+JXtBoJdaQUf+DvWzfq7hfm7tSrKpDxLzr3LsC
ID8AtMzjnVttILxLmAZFmr/Xq2tEM7ubqJprZjqmZtxBAHUANc8ZG7+xbFe/D61M
bULLu7YnICZR6j/hKu+oA8M71kwAAAGBr8MtNwAABAMARjBEAiAhvkbK+nr8p1+s
fTqfrslKaI0K5prTdt65yHRdhJdtdAIgKlEWGUSlCH7AwfQJ04Xxo1o+rJ1nyl8Y
bD17Fmee4I0AdQCzc3cH4YRQ+GOG1gWp3BEJSnktsWcMC4fc8AMOeTalmgAAAYGv
wy1YAAAEAwBGMEQCIBoJtWDLt+0gBNbbW+73bJtYnD2/eLGF+ASZO9NjrgdcAiBx
UChWKBEH5ndm9j2MfiDfhb8CIkMDxYwl7cNU+owJhDANBgkqhkiG9w0BAQsFAAOC
AQEAm/i6ZvIf03/3YgF9dWoSygDDuziv5u5CQu6Vn9ojHPN6y+zzF8V6fyrgjo2q
+BILKe5AkhCak/YmBEKN4PcoLerCFmBS5F2GaJ0fYx4+BevaeauewMmXq3WrduAp
QwmVtvBfY4MdvFTZ1afLxPbBoMduwjI/7F8Vsq9yPWdwSlkEXCb5v8mCcWqIOr6F
mntXmZoNig+cWTWebyX3B/dVnYezQqcd2clM5yb3Tz/C4YPa/pHrXP4Uekskh9wm
LrKCzc961OVITemj0KA6xkbeVNnXjRjyKiZS//iDRugZJf3yh5oTON9fqoVgV+bd
9UWHkyVsonT2QQWayu4R2mb30g==
-----END CERTIFICATE-----

int.api.service.nhs.uk (Digicert)

-----BEGIN CERTIFICATE-----
MIIHpjCCBo6gAwIBAgIQCbufxB/0/HfjHDnytP71fTANBgkqhkiG9w0BAQsFADBP
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBE
aWdpQ2VydCBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTAeFw0yMjAzMDcwMDAwMDBa
Fw0yMzA0MDcyMzU5NTlaMFQxCzAJBgNVBAYTAkdCMQ4wDAYDVQQHEwVMZWVkczEU
MBIGA1UEChMLTkhTIERpZ2l0YWwxHzAdBgNVBAMTFmludC5hcGkuc2VydmljZS5u
aHMudWswggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC4JPKFpz/Rl8QC
tMERVDSLXehOKlzBg7V5tsFerUwMAvKSZwfd9gRDWnH+QarjypoKM6VkH+hv6NsU
ApWHngeO6BOstltMaIVXZ4GRfKD3iaJCA3WO2qaixjXjZDhWTCLrCnmUYnkpf3Sp
f8aIzLS9LMfLn84Xa0VvOtGTYN9/Cf6zPdfhI6Qy3qRJote8w73lWxs4SZ8ObFya
9c+OEb7gnZfhg0kgQFM6qwYPAqAuNHt47Sd/TLySQ186j2ItoFfRih2pMfEDw1a9
2HQTpYZDCrUCqkMyKacZAlf66LEOKnqAaqn+VxKGJa9wZghJP/ZrkSJ11jfnBBzN
IhUV5KGyTC2xjaHj3jXD8rzwRyNafHfQX1YYM4572+0LbXs+ZKrX0HXj34W765o7
PAUjJk4Ih52r7fFpch4hYkpyGfoN+riMxbBmSRelAbLXHOdi6LvsXGdxPtRQwlYa
zsjOD1+lhOFLtLXZplViNyKEGh1J5UVeL0OZuMW9b9x8Ug6/DPBVcoZ0UmnyUVr/
pgjRKF/zU67LWR0Vqzq9OUdTNLImEfMLsfKx2ytO/kSk9PB8Ifp0E5tz6j17kNeh
Q3TjR++e1AUrOq2DrqwzpH8QIfIIiEfsd/Y267YfWmPPwo6A6h7HqSH9BQuJihme
GO/aVQLpUUzZn/tbtuIFffvE8EovEwIDAQABo4IDdzCCA3MwHwYDVR0jBBgwFoAU
t2ui6qiqhIx56rTaD5iyxZV2ufQwHQYDVR0OBBYEFMxc1yJdMXn5cMQY/y/eYQIp
7zm+MCEGA1UdEQQaMBiCFmludC5hcGkuc2VydmljZS5uaHMudWswDgYDVR0PAQH/
BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBjwYDVR0fBIGH
MIGEMECgPqA8hjpodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUTFNS
U0FTSEEyNTYyMDIwQ0ExLTQuY3JsMECgPqA8hjpodHRwOi8vY3JsNC5kaWdpY2Vy
dC5jb20vRGlnaUNlcnRUTFNSU0FTSEEyNTYyMDIwQ0ExLTQuY3JsMD4GA1UdIAQ3
MDUwMwYGZ4EMAQICMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQu
Y29tL0NQUzB/BggrBgEFBQcBAQRzMHEwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3Nw
LmRpZ2ljZXJ0LmNvbTBJBggrBgEFBQcwAoY9aHR0cDovL2NhY2VydHMuZGlnaWNl
cnQuY29tL0RpZ2lDZXJ0VExTUlNBU0hBMjU2MjAyMENBMS0xLmNydDAJBgNVHRME
AjAAMIIBfwYKKwYBBAHWeQIEAgSCAW8EggFrAWkAdgDoPtDaPvUGNTLnVyi8iWvJ
A9PL0RFr7Otp4Xd9bQa9bgAAAX9kHjD2AAAEAwBHMEUCIGtBH7mnWeRxvFLZN2E5
Q/9lrFm4Xhjcj9Zi9L9ThlzRAiEAulA+1XiMw6M5M23M/FB55fcvbIosAkQUAkuy
1yeaPv0AdgA1zxkbv7FsV78PrUxtQsu7ticgJlHqP+Eq76gDwzvWTAAAAX9kHjEd
AAAEAwBHMEUCIQDgRdzMBcsF6fI25ieut74nDBF0CMeI/3aXZKppdT6sdwIgU3Sy
90+7k1dyBUCGXqTJgodgkYLDaYNEvAQ+NmnA4nEAdwCzc3cH4YRQ+GOG1gWp3BEJ
SnktsWcMC4fc8AMOeTalmgAAAX9kHjFDAAAEAwBIMEYCIQC9aCfRJ6cPGwty3FP1
BAw3RRXQYr2Su4Xk+boJyNGe6gIhAIwV8BftA2Ee6dvSAhhtfOz5eddHy/am+lfJ
UYrw9j3jMA0GCSqGSIb3DQEBCwUAA4IBAQAMOtj25/qQDCzg1ceaZnWiORgyYpbh
ZGlR2jI9ujWPzbl/7SmUpFS6SnXaOh6L45NAR7Ld7Fhuqf34rgSobc5/cVaLMq5v
QduAlYq9aO5xG32TNsWQRXMFG9WFFg7HD00p8DMkF/cxXFACsCAwt1dGNbwbgAEj
+qn/TDymJ85HzQfcpTkQXvB7571DpDBvxPkYMxkzQtgb5Wz+VVyi2LL5J3AqOSWV
KKigsYqVwEiNTzgInknUmDHJN2igFUfpsPqVB41Xy8dc5SNTStbWsWLXA/0aHleK
D1TONGVLMXdZh3uFto9Q/E1kXw6LYKO9MUYnGweyFm7ipWERPzjE/w3N
-----END CERTIFICATE-----

api.service.nhs.uk (Digicert)

-----BEGIN CERTIFICATE-----
MIIHtDCCBpygAwIBAgIQCo1zwR1XPV9LCf6wELDvIzANBgkqhkiG9w0BAQsFADBP
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBE
aWdpQ2VydCBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTAeFw0yMjAzMDcwMDAwMDBa
Fw0yMzA0MDcyMzU5NTlaMFAxCzAJBgNVBAYTAkdCMQ4wDAYDVQQHEwVMZWVkczEU
MBIGA1UEChMLTkhTIERpZ2l0YWwxGzAZBgNVBAMTEmFwaS5zZXJ2aWNlLm5ocy51
azCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL5Giwu+wLvQlcWJGZnV
5sswmYiknViv84orFv38P+9GLNXC48wMgJPu3rtuZsTe5JdtaVRPflXK4rxfuIUd
ybfbDmW4zeUn5Yj2ZdkoZMqLlLX7D9H04wl2Aw/C0OP+pMq3Ear6KuCA8Y9kF+zF
KcR1foUvc4Fw2LxkWal10S2lzPLTbN4f2pZjT3JT1HMobRDQKt4kG/XDGbpkox/9
xQSNHdLYemenKVFQLGt+EVc51NTfMHFg8KXR/T0gvs0e0r/IOZZxl1+NEXkIvnQQ
fYJQB+LeMgpuMK1dj8xBnHnmsO3B8vvwJDycrSq50BfvXZpARUDhAiy2n+WWoM+s
hKmuojkDmnBEVtq78eDDF40vMahzpDhgSHhzM5pdpIvnofXGO4IkzLrNKTGlIXl8
2PERRM7zScuAWl5P6OWX7ygN8uoUh+NdDoiWsbQxZrTTO7kFgIbiheEMzMH28Myi
BWN9/LvRYpqWSSW7R4/NNfd8M62ER36xWetYk/IHdSXfBbfg1hJQMK+QZrA+Io8T
QABhTc0eBxlctOYCsKeXkhOBNTokED8DwQSG8f+LN2tA48cX+HrSRZ0gYA4X6vbl
TpdlmxbqXjQeTCrG65qmh3gffPNzZc+Ck2qL4SVlHBLw2LowagmjVvyWnfP8o0dH
LIic/3Tbx5hzUGsX4OHiM55ZAgMBAAGjggOJMIIDhTAfBgNVHSMEGDAWgBS3a6Lq
qKqEjHnqtNoPmLLFlXa59DAdBgNVHQ4EFgQU6lxJ78pLAnSpbhbSmCSt+zZgPvow
NgYDVR0RBC8wLYISYXBpLnNlcnZpY2UubmhzLnVrghdwb3J0YWwuZGV2ZWxvcGVy
Lm5ocy51azAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMIGPBgNVHR8EgYcwgYQwQKA+oDyGOmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0
LmNvbS9EaWdpQ2VydFRMU1JTQVNIQTI1NjIwMjBDQTEtNC5jcmwwQKA+oDyGOmh0
dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU1JTQVNIQTI1NjIwMjBD
QTEtNC5jcmwwPgYDVR0gBDcwNTAzBgZngQwBAgIwKTAnBggrBgEFBQcCARYbaHR0
cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMH8GCCsGAQUFBwEBBHMwcTAkBggrBgEF
BQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEkGCCsGAQUFBzAChj1odHRw
Oi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUTFNSU0FTSEEyNTYyMDIw
Q0ExLTEuY3J0MAkGA1UdEwQCMAAwggF8BgorBgEEAdZ5AgQCBIIBbASCAWgBZgB1
AOg+0No+9QY1MudXKLyJa8kD08vREWvs62nhd31tBr1uAAABf2QbUbgAAAQDAEYw
RAIgQ8/ac+so1XceqvA6MPcVg1uN4XobN1UKdhkbtPyCUCMCIFkXRGBI+H7pjyHR
qiRQjt2EUusUs5U+L9TqK807fkivAHUANc8ZG7+xbFe/D61MbULLu7YnICZR6j/h
Ku+oA8M71kwAAAF/ZBtRrQAABAMARjBEAiB2Efj+Xq7BsWTU6E+FfMQ0CXis2aSt
CpTqcpnnc5+GlgIgXJxSXIQ9N2dhiqcAtDEQmZzZUZLh+nK/JjHAq2MShVsAdgCz
c3cH4YRQ+GOG1gWp3BEJSnktsWcMC4fc8AMOeTalmgAAAX9kG1HcAAAEAwBHMEUC
IBLnTvDSHa4jE24pDTqMpvemVyA5n6+7laNwI4DKN128AiEA1UyzaSEpGulrYeJ0
0ht+Y6PxJSDbqOAGQdHQfSKwJo4wDQYJKoZIhvcNAQELBQADggEBAFlPTQfhMH/i
xhBxX6MqEo/LaRWsbJWeP1ncKph3M/UvFXJdHeTHoZlUWTyispY+81DRwzC0pFhr
UL0OxspiPcW3MI4hMzaFOOzEYr6n2Cpqm36e+Z3hM78a8AO3rMtSjnYStkl9jNfU
6aGHiuUxPkl95BxMkIO156UQpyVrRuVQ/WCQrJgo3R+C9QK+VTh91JUyyGf6NluM
iRWLy2pTVHUX+7nBWVFR7ACgdwij2utwIDtzyOjynR3KmLE8UWVIu0I1NLwpMnRc
47nIWuRFvU/obcmfqZk8LiQMwoOKoG6GEfF2/32i9o6ucmvhJwnpNbqOlne8kv4D
ysWdIG7hl3g=
-----END CERTIFICATE-----

Outbound

All outbound connections from the BaRS API proxy to Receivers, with the exception of the Sandbox environment, will be secured using TLS-MA.

PTL

The PTL environments will present a certificate issued by the NHS PTL Root Authority, as the RootCA. This does not include the Sandbox environment.

Details of the certificate chain described in the table below can be found in the How to Connect Guidance.

Certificate CN Thumbprint Parent CN Parent Thumbprint Environment
int.api.service.nhs.uk ce7808839f72ea8ed4548b4de37546bed5d6dc9f NHS INT Level 1C 5007daf3aeea1c1360ec0d1e9e5bedccc7182b79 PTL
NHS INT Level 1C 5007daf3aeea1c1360ec0d1e9e5bedccc7182b79 NHS PTL Root Authority 6287fa6e10a7dd90e62556f7c2814a6abf04590c PTL
NHS PTL Root Authority 6287fa6e10a7dd90e62556f7c2814a6abf04590c N/A N/A PTL

int.api.service.nhs.uk (NHS PTL Root)

-----BEGIN CERTIFICATE-----
MIIE2jCCA8KgAwIBAgIEXcnbeTANBgkqhkiG9w0BAQsFADA2MQwwCgYDVQQKEwNu
aHMxCzAJBgNVBAsTAkNBMRkwFwYDVQQDExBOSFMgSU5UIExldmVsIDFDMB4XDTIx
MTAyMjA3MjUzNloXDTI0MTAyMjA3NTUzNlowQTEMMAoGA1UEChMDbmhzMRAwDgYD
VQQLEwdEZXZpY2VzMR8wHQYDVQQDExZpbnQuYXBpLnNlcnZpY2UubmhzLnVrMIIC
IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwMXSm2iNiR4xxX1AYVDWkviT
rEjidc91Ypcg5BbK3hEIgx7tPsKleef87TCj/7Io6XxV95VyIVhv9mw0m2VYtd7+
o9aAXDxsagmGWI3WSPp4UnS99jrC1jKyoEw7yLlXK0spoJ8i7+nZDpcytmKEX5wb
O6I5+QW2fNA3/sCwUXbEfpZsyURa+plZGR9qWpTnLxFRkTb5zxasGS5MrBBsX3ZP
uEmU1qDcNQlwm59NXVQPfC07X/POd8/sHXFGdB0BhtSOTYeCAOa/IlE+sX1hdTyt
g1u8sRmOc2LPh5H5MN75A7oJuLbapWz+BvmUAAl3n+8pIUT2wpk/CjSUIQhWJRG0
W7RwnGiT3PF8ZTuY4xTT0EaZEDc/BEvo063xTY7Nnr770WaQAeDwVkdyDpMOkJh/
/aVN3uIjituTPhOzIbBYyXEFc59IJZAlWFMaFWMN5wo7JXhWhWLcxXU//bSMjU+K
e0yKHHpPdsVgwBV7mp4Pd6/PhrzCxhaGp5f3a0rn/+gmwuJCfjvcuV3twZBkmCdw
lpyjxQn/ZzJt2CuNAJRAW5J2FogpDxBxSk7NZnf255KaNUYEMF68Ff12RhuX7mmO
eIrpUwStZF8wfNv9suLPk9oWqt4DjAzdxgs5URRnkJbAGEv7je55A6mZxUJdfe1+
PKnqUy0tx7MuHUT/ZdsCAwEAAaOB5DCB4TALBgNVHQ8EBAMCBaAwHQYDVR0lBBYw
FAYIKwYBBQUHAwEGCCsGAQUFBwMCMBgGA1UdIAQRMA8wDQYLKoY6AIl7ZQADAQEw
MwYDVR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5uaHMudWsvaW50LzFjL2NybGM3
LmNybDAfBgNVHSMEGDAWgBQABoJtq6YSQ+22DfTmPMQgwWGboDAdBgNVHQ4EFgQU
a1IdNWkENZuJ6oVZbX3tvyJUmX8wCQYDVR0TBAIwADAZBgkqhkiG9n0HQQAEDDAK
GwRWOC4zAwIEsDANBgkqhkiG9w0BAQsFAAOCAQEAM1vfrfUhzRfMsNprGI5qQE99
eRLGXsvWY45eWJKMcCvw4VBFbcABMxACfuO/arIQvYrkzpBpnF8fMu5tiwi+PgIQ
k7xIf2l7UsIM+f13gj+YDHsQaRF5MO3ywFC56/ybGEMI+pp6Co0pKvbXQtk14rRR
213tWOxoV9W/keEHiNZTOM54EbAzXwvsVjvIwyxxwDGNbhsLKfCYPLgHpExFMSFF
08fEKUAbPiLUUBIQpLtSGv/Sn/SAk1wh0nG2UXcjTGIX0ZNhT8DyYNonjg9kQ6J8
8g6Nu/awWRl7a6Kf9mWsxaspCGHYi5Q10tXSZdDuBzAkQJ0MZS3DZ7/mb+ISvQ==
-----END CERTIFICATE-----

Prod

The production environment will present a certificate issued by the NHS Root Authority, as the RootCA.

Details of the certificate chain described in the table below can be found in the How to Connect Guidance

Certificate CN Thumbprint Parent CN Parent Thumbprint Environment
bars-proxy.spineservices.nhs.uk 57c911af253c2f8c362654f78f13e73051eeede3 NHS Level 1C da3cf9d13a705704f2cba274c79794963c36ff94 Prod
NHS Level 1C da3cf9d13a705704f2cba274c79794963c36ff94 NHS Root Authority ec7a3b3cb795ece956c5a7bec4204a298feb236c Prod
NHS Root Authority ec7a3b3cb795ece956c5a7bec4204a298feb236c N/A N/A Prod
-----BEGIN CERTIFICATE-----
MIIEEjCCAvqgAwIBAgIEYQ6SIzANBgkqhkiG9w0BAQsFADAyMQwwCgYDVQQKDANu
aHMxCzAJBgNVBAsMAkNBMRUwEwYDVQQDDAxOSFMgTGV2ZWwgMUMwHhcNMjIxMjEy
MTU1NjI1WhcNMjQwNjA0MTEyODMxWjBKMQwwCgYDVQQKDANuaHMxEDAOBgNVBAsM
B0RldmljZXMxKDAmBgNVBAMMH2JhcnMtcHJveHkuc3BpbmVzZXJ2aWNlcy5uaHMu
dWswggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+3ACj/4ijhnV9F4V9
Encu1ulski0sK36XX8etuwqRbpzW6dpRmACUE001zSp0Fg6kaW1OE13kfMNJzTgy
cjjL7FnQLG0UAuK7ghTKp/I7SvqwNkCCPVnMm+s1wfzBKQGbWRhsgiUy/jKizgTz
163BHoB8WzGPDwV0K+9nmf3tBiqi+dB1UWtBOZc9mUgqt9+Hy54pjX/aYVL//L04
24kSntJoP4pzeumTeHHKTLPv2FT3lfBW7cDh6cBZ62Dv15P1EopgZwirNrmZTFox
Hm0rmIh4WFQrtQ8TxNAKfBIq32hxL51bfJRctKgQGc/VDaQ2MoV2cSTZSF+6CQn8
E2wvAgMBAAGjggEWMIIBEjALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMBgGA1UdIAQRMA8wDQYLKoY6AIl7ZQADAQEwNwYDVR0fBDAw
LjAsoCqgKIYmaHR0cDovL2NybC5uaHMudWsvbGl2ZS8xYy9jcmxjNDUxOS5jcmww
KwYDVR0QBCQwIoAPMjAyMjEyMTIxNTU2MjVagQ8yMDIzMTIyNTEyNTc1M1owHwYD
VR0jBBgwFoAUummj43rifD03V1Jv6fMTZEzhwLUwHQYDVR0OBBYEFNZdTAjy6Qt2
K/kPx7eoIPC6WnwRMAkGA1UdEwQCMAAwGQYJKoZIhvZ9B0EABAwwChsEVjguMwMC
BLAwDQYJKoZIhvcNAQELBQADggEBAEO5dJfCpEXu5PvYXvh0iHMLGeNd00ghyfMH
9F8rLw3LVTEWlrkOg1d76wEuHeBo2pM1A5YFvBkv+FpDxcKizqHXlryXZxIdkfMw
GEFIPBK+wdZAFDcKXlSZZUvUpvpC6MycJHN3i5sgE8jkugfmTZvc0orjg2pgh4y8
vsBI/yY8M4hqxF0fUd9msVo0tvCf8gNfMmRYN/3XfUrGtUjjBmXVj7GsKoijBqzS
ynbcbOis4iXQJz78K2lGMw0sGx44C7e+L+Bd/gr9B+locaEHXuDMYY/lH+ckcFGT
XOLsRJNdE3hyGSUwn7eCJA8La5XLrjo9EgfVo6GKX4sX1L+Ibtw=
-----END CERTIFICATE-----

back to top