API key authentication not working?

I am trying to call the PDS API using api key authentication as outlined in

Application-restricted RESTful APIs - API key authentication - NHS England Digital.

Each time I do it I get an operation outcome that says ‘Missing Authorization header’. Why do I need an authorization header if you are using api key authentication?

API Key authentication seems to work ok with the Organisation Data Terminology API

Can you include an example post request?

From Postman…

GET /personal-demographics/FHIR/R4/Patient/9449305889 HTTP/1.1

NHSD-Session-URID: 1234567
X-Request-ID: 8a39e066-557a-48ca-90e5-423e2d575300
X-Correlation-ID: f1b80841-ac3b-4434-a953-e9e3dd802b7d
NHSD-End-User-Organisation-ODS: RR8
Accept: application/fhir+json
apikey:
User-Agent: PostmanRuntime/7.42.0
Cache-Control: no-cache
Host: int.api.service.nhs.uk
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

HTTP/1.1 401 Unauthorized
Date: Wed, 13 Nov 2024 08:31:55 GMT
Content-Type: application/json
Content-Length: 587
Connection: keep-alive
WWW-Authenticate: Bearer realm=“null”,error=“invalid_token”,error_description=“oauth.v2.InvalidAccessToken: Invalid access token”
X-Correlation-ID: f1b80841-ac3b-4434-a953-e9e3dd802b7d
X-Request-ID: 8a39e066-557a-48ca-90e5-423e2d575300
Strict-Transport-Security: max-age=31536000; includeSubDomains

{
“resourceType”: “OperationOutcome”,
“issue”: [
{
“severity”: “error”,
“code”: “forbidden”,
“details”: {
“coding”: [
{
“system”: “https://fhir.nhs.uk/R4/CodeSystem/Spine-ErrorOrWarningCode”,
“version”: “1”,
“code”: “ACCESS_DENIED”,
“display”: “Access Denied - Unauthorised”
}
]
},
“diagnostics”: “Missing Authorization header”
}
]
}

Hi,

Thanks for you patience with this.

Unfortunately, the documentation was recently edited, adding this security pattern erroneously.

Due to the sensitive and personal nature of the data returned in this API, your app can only use the “signed JWT authentication” pattern in restricted access mode.

I have logged a ticket for the documentation to be corrected.

Thanks

No worries. Thanks for the update.

This change has now been made and the published documentation should reflect this within the hour.