Hi,
I’ve been trying to get e-RS attachments A005, A042, A007 working with application restricted access; it was previously working with user restricted but we wanted to make this change. We’ve recently had a new INT application set up to this effect which was linked to our existing Org in INT (S7L0W) that already has an endpoint configured for e-RS HL7v3 messaging. We needed to extend this Org to use e-RS APIs so we can look towards full integration testing including existing interfaces.
After the new INT application was set up I’ve given it a go and I’m getting an error which I’m not sure about; I’m not sure whether it’s an issue with the Apigee setup or my request message (headers or token). Any advice would be appreciated.
@Ed_Wills
Hi,
Sorry that message I sent must have been a version where I was playing about trying to get it to work, below is an example with the token in the header. I think this is how it was previously working with User Restricted Access:
I’m still getting the same error:
“{“fault”:{“faultstring”:“Unresolved variable : app.app-restricted-ods-code”,“detail”:{“errorcode”:“entities.UnresolvedVariable”}}}”
Thanks for the extra info. The error "Unresolved variable : app.app-restricted-ods-code" indicates that the Apigee proxy can’t find the ODS code variable it expects for application-restricted access.
I double checked the setup screenshot that NHSERSPARTNERS shared with me and app-restricted-ods-code is set to S7L0W, App Status is approved, Product has “e-referrals-service-api-int-application-restricted”, it has an asid and app-restricted-user-id.
In onboarding.prod.api.platform.nhs.uk/MyApplication I can see that I’ve got the following active API - “e-Referral Service - Application Restricted ( Integration Testing ) but I can’t see any of the other information you’ve asked for.
I changed OAuth /token connection to use the key value from “Home > My applications and teams > MEDITECH - Expanse - INT - e-Referral Service - Application-Restricted > Edit API keys” as the Iss and Sub claim (it was previously still using the value for the user restricted INT application).
I’m now getting the below error.
"{ “resourceType”: “OperationOutcome”, “meta”: { “lastUpdated”: “2026-02-10T15:26:01.095Z”, “profile” : [ " FHIR Reference Server eRS-OperationOutcome-1 " ] }, “issue”: [ { “severity”: “error”, “code”: “forbidden”, “details”: { “coding”: [ { “system”: " FHIR Reference Server eRS API Error Code “, “code”: “NO_ACCESS” } ] }, “diagnostics”: “ASID is not configured in the application” } ] }”
Tony from onboarding team - one thing you could check is the specs on which org type is valid for app restricted, could you check which are allowed, it might be S7L0W is the incorrect type
This access mode has been introduced to allow a Partner application which has been registered with us and authenticated via signed JWT to interact with a subset of e-RS FHIR API endpoints in an unattended and read-only fashion. Application-restricted, unattended access should only be used when authenticating a human user (for example via smartcard) is not possible.
“Pre-requisites
Application-restricted access
In order to use this endpoint you must be an authenticated e-RS calling application, working in the context of a Service Provider Organisation.“
The link - registered with us - is blocked so I’m not sure what’s involved in that.
As far as I know our org is registered as an NHS Trust, this should be seen as a Service Provider?
Do you or Ed have any ideas of how to proceed? Could we maybe just hop on a call to look into this in real time?
The ASID is present on your end but the error says “ASID is not configured in the application“: