NHS Booking and Referral Standard

Guide v1.8.1 | Core v1.1.5 | Package v1.34.0

Sender

The BaRS standard uses an application-restricted security model and security pattern as opposed to a user-restricted security model. This means the application is authenticated as opposed to the end-user using it. The high level steps for a sending application are defined below:

  1. The end user launches the calling application
  2. Time passes, until the user needs to interact with BaRS
  3. The calling application generates and signs a JWT, using its own private key
  4. The calling application calls our OAuth 2.0 token endpoint with the signed JWT. In particular, this uses the OAuth 2.0 client credentials flow
  5. We check the signature against the application's public key and, if valid, return an access token to the calling application
  6. The calling application calls the BaRS API, including the access token
  7. The BaRS API allows the interaction should the access token be valid


back to top