APIM - Authorisation Server API

Kevin_Mayfield · 25 March 2025 07:00

Is this available as an API by itself?

Many APIM API’s follow https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation

I’m working on a regional system (NHS England North West GMSA) which will involve many enterprise service bus (ESB) (more commonly known within the region as Trust Integration Engines (TIE)) communicating with each other.

We intend to support the same security and authorisation mechanism (but for application restricted only, as all the ESB/TIE.

Longer term we plan to add a NHS England APIM API to our system (which to us will be another ESB/TIE). So it makes some sense to use the same authorisation server as this service would use.

aubyn.crawford · 25 March 2025 12:01

Kevin,

There are currently no plans (as such) to allow APIM access tokens to be used by other resource servers. There are clear benefits, but the key reasons why there not at this point in time:

Third parties need to manage their own authorisation
There isn’t a clear national proposal on how to manage this
If we were to put a system in place, we would want to use OAuth token exchange ( RFC 8693), which has two benefits:
- The third party implements their own OAuth server
- Helps reinforce the responsibilities split for authorisation

Kevin_Mayfield · 25 March 2025 15:26

many thanks for your prompt reply

Topic		Replies	Views
Confirm next steps for e-RS integration e-Referral Service (e-RS)	1	215	18 March 2024
Guidance on Integrating Third-Party Applications with NHS APIs API Platform fhir	1	106	18 March 2025
CIS2 combined authentication and authorisation with standalone java program Care Identity Service (CIS2)	2	32	7 November 2024
Partner or Transactional APIs? API Platform	1	61	1 November 2024
oAuth2 NHS Mail API Platform authentication	1	92	31 October 2024

APIM - Authorisation Server API

Related topics