Hi Sarah. It sounds like you are on the right path to use the “Separate Authentication” process for gaining access to the APIs - User-restricted RESTful APIs - NHS Care Identity Service 2 separate authentication and authorisation - NHS Digital
What this means is that you authentication first with CIS2 Authentication, and get the idToken from that service. You can then exchange that token on the API platform to get access and refresh tokens for the API platform - you then use these for the APIs
So, to get started with this, you will need to onboard to both CIS2 Authentication, and the API platform, separately. Although this is now mostly done through the developer portal, you will need to talk to the CIS2 Authentication team - Apply to use NHS CIS2 Authentication - NHS Digital
Hope that helps.
Adrian.