FHIR API request A004 Error 500

e-Referral Service (e-RS) e-Referral Service FHIR API
1

Hi Support

Happy New Year to all :blush:

For Blackpool Teaching Hospital (ODS-RXL) we are receiving and error 500 for FHIR API request A004 using Application Restricted Access.

Other User Restricted API call are ok, just this one which is application restricted access we are running in Blackpool Teaching Hospital DEP environment.

Please see log details below for x-correlation-id.

Kind Regards,

Sean

2026-01-09 16:45:40,434 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - ====================================================================================

2026-01-09 16:45:40,434 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Processing eReferral FHIR API request A004RetrieveReferenceData

2026-01-09 16:45:40,434 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - ====================================================================================

2026-01-09 16:45:40,434 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Request Properties:

2026-01-09 16:45:40,434 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - -------------------

2026-01-09 16:45:40,434 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Accept: application/fhir+json

2026-01-09 16:45:40,434 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - NHSD-End-User-Organisation-ODS: RXL

2026-01-09 16:45:40,434 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - x-correlation-id: 76534A24-FEB6-4579-82B7-4AFEE1513D0B

2026-01-09 16:45:40,434 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - -------------------

2026-01-09 16:45:40,434 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Request Body:

2026-01-09 16:45:40,434 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - -------------------

2026-01-09 16:45:40,434 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway -

2026-01-09 16:45:40,435 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - -------------------

2026-01-09 16:45:40,435 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - HTTP Method :GET

2026-01-09 16:45:40,435 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - HTTP Properties :{Accept=[application/fhir+json], NHSD-End-User-Organisation-ODS=[RXL], x-correlation-id=[76534A24-FEB6-4579-82B7-4AFEE1513D0B]}

2026-01-09 16:45:40,435 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - HTTP Url :https://dep.api.service.nhs.uk/referrals-dep/FHIR/STU3/CodeSystem/eRS-ReviewOutcome-1

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Response Header Fields…

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Header: null

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Value: HTTP/1.1 500

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Header: X-Request-ID

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Value: 2694484e-b5c0-47aa-9dbc-2efb215cbc28-1

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Header: X-Correlation-ID

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Value: 76534A24-FEB6-4579-82B7-4AFEE1513D0B

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Header: X-Content-Type-Options

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Value: nosniff

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Header: Connection

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Value: keep-alive

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Header: Pragma

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Value: no-cache

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Header: Date

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Value: Fri, 09 Jan 2026 16:45:41 GMT

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Header: X-Frame-Options

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Value: DENY

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Header: Strict-Transport-Security

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Value: max-age=31536000; includeSubDomains

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Header: Cache-Control

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Value: no-cache, no-store, max-age=0, must-revalidate

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Header: Expires

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Value: 0

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Header: X-XSS-Protection

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Value: 0

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Header: Content-Length

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway - Value: 0

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] INFO com.ims.ers.server.servlet.MaxApiHubGateway -

2026-01-09 16:45:41,824 [http-nio-8183-exec-8] ERROR com.ims.ers.server.servlet.MaxApiHubGateway - Request failed with response code: 500

2

Hi Sean,
I checked the DEP logs for X-Correlation-ID 76534A24-FEB6-4579-82B7-4AFEE1513D0B (ASID 20000001728). The call is definitely being handled as application-restricted access, but it fails during sessionless identity resolution.The backend is returning:

The request is invalid… Could not find specified user, userId=418671679037” (ODS RXL)

This same error shows up for multiple A004 reference data requests (SPECIALTY, PRIORITY, CLINIC-TYPE, etc.), so it doesn’t look specific to eRS-ReviewOutcome-1 or a particular CodeSystem value. My recommendation would be to check the application restricted configuration for the ASID in DEP and ensure it is mapped to a valid “Provider Authorised Application“ identity for ODS RXL(and that the mapped user/service identity exists and is active in DEP).

Thank you,
Petko

3

Hi Petko,

We have confirmed that the application is setup correctly and using the correct configuration for DEP.

The customer has confirmed that the userid is valid for ODS RXL however for the Live environment.

We don’t have access to the ASID that is being used in DEP , that typically would be configured by NHS eRSPartners?

Please advise,

Regards,
Sean

4

Hi Support, the 500 error is resolved , however we are now getting a 403 response, all other user restricted API’s are ok, it’s just the application restricted we are having issues with.

Please review the response below.

====================================================================================
2026-02-25 12:21:43,192 INFO [http-nio-8183-exec-8]: Request Properties:
2026-02-25 12:21:43,192 INFO [http-nio-8183-exec-8]: -------------------
2026-02-25 12:21:43,192 INFO [http-nio-8183-exec-8]: Accept: application/fhir+json
2026-02-25 12:21:43,192 INFO [http-nio-8183-exec-8]: NHSD-End-User-Organisation-ODS: RXL
2026-02-25 12:21:43,192 INFO [http-nio-8183-exec-8]: x-correlation-id: FE6B9763-C982-4F8C-8BD7-9A394A1E339B
2026-02-25 12:21:43,192 INFO [http-nio-8183-exec-8]: -------------------
2026-02-25 12:21:43,192 INFO [http-nio-8183-exec-8]: Request Body:
2026-02-25 12:21:43,192 INFO [http-nio-8183-exec-8]: -------------------
2026-02-25 12:21:43,192 INFO [http-nio-8183-exec-8]:
2026-02-25 12:21:43,193 INFO [http-nio-8183-exec-8]: -------------------
2026-02-25 12:21:43,193 INFO [http-nio-8183-exec-8]: HTTP Method :GET
2026-02-25 12:21:43,193 INFO [http-nio-8183-exec-8]: HTTP Properties :{Accept=[application/fhir+json], NHSD-End-User-Organisation-ODS=[RXL], x-correlation-id=[FE6B9763-C982-4F8C-8BD7-9A394A1E339B]}
2026-02-25 12:21:43,193 INFO [http-nio-8183-exec-8]: HTTP Url :https://dep.api.service.nhs.uk/referrals-dep/FHIR/STU3/CodeSystem/SPECIALTY
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Response Header Fields…
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Header: null
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Value: HTTP/1.1 403
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Header: X-Request-ID
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Value: 88a989b7-0afa-4af5-8c7a-fa1cfad6902e-1
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Header: X-Correlation-ID
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Value: FE6B9763-C982-4F8C-8BD7-9A394A1E339B
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Header: X-Content-Type-Options
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Value: nosniff
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Header: Connection
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Value: keep-alive
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Header: Pragma
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Value: no-cache
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Header: Date
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Value: Wed, 25 Feb 2026 12:21:43 GMT
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Header: X-Frame-Options
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Value: DENY
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Header: Strict-Transport-Security
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Value: max-age=31536000; includeSubDomains
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Header: Cache-Control
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Value: no-cache, no-store, max-age=0, must-revalidate
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Header: Expires
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Value: 0
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Header: X-XSS-Protection
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Value: 0
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Header: Content-Length
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Value: 415
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Header: Content-Type
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]: Value: application/fhir+json
2026-02-25 12:21:43,318 INFO [http-nio-8183-exec-8]:

2026-02-25 12:21:43,318 ERROR [http-nio-8183-exec-8]: Request failed with response code: 403
2026-02-25 12:21:43,318 ERROR [http-nio-8183-exec-8]: Response message: null
2026-02-25 12:21:43,319 ERROR [http-nio-8183-exec-8]: Error stream content:
2026-02-25 12:21:43,319 ERROR [http-nio-8183-exec-8]: {“meta”:{“profile”:[“Canonical - SIMPLIFIER.NET (20000001728) or Certificate FQDN (dep.apigee.client.ers.nhs.uk) provided is invalid.”}]}
2026-02-25 12:21:43,319 ERROR [http-nio-8183-exec-8]: Keys and Values in error stream:
2026-02-25 12:21:43,319 ERROR [http-nio-8183-exec-8]: meta: (Object)
2026-02-25 12:21:43,319 ERROR [http-nio-8183-exec-8]: profile: [“Canonical - SIMPLIFIER.NET]
2026-02-25 12:21:43,319 ERROR [http-nio-8183-exec-8]: resourceType: “OperationOutcome”
2026-02-25 12:21:43,319 ERROR [http-nio-8183-exec-8]: issue: [{“severity”:“error”,“code”:“forbidden”,“details”:{“coding”:[{“code”:“FORBIDDEN”,“system”:“Canonical - SIMPLIFIER.NET (20000001728) or Certificate FQDN (dep.apigee.client.ers.nhs.uk) provided is invalid.”}]
2026-02-25 12:21:43,319 ERROR [http-nio-8183-exec-8]: A004RETRIEVEREFERENCEDATA - Error Response: 403
2026-02-25 12:21:43,319 ERROR [http-nio-8183-exec-8]: A004RETRIEVEREFERENCEDATA - Error Response: 403
java.io.IOException: A004RETRIEVEREFERENCEDATA - Error Response: 403

5

@sean.nesbitt

@Petko_Petkov or @Ed_Wills are you able to investigate the above please?

6

Yeah no problem, having a look now

1 Like
7

Hi @tony.marsh1 ,

The error message states either ASID or FQDN certificate is invalid. Based on previous responses of the ASID working, can we confirm that the FQDN certificate is correct also.

Has the Apigee client certificate for the DEP environment been rotated recently?

If so, did the rotation result in a new FQDN that differs from dep.apigee.client.ers.nhs.uk?

The e-RS backend validates the FQDN by looking up an nhsMHS record in SDS and matching its party key against the nhsAS record for the ASID. If the certificate changed and the FQDN is different, or the nhsMHS record wasn’t updated to match, that would cause this 403.

2 Likes
8

thanks Ed - FYI @sean.nesbitt can you check the above? :slight_smile:

9

Hi @Ed_Wills

It looks like the ASID is incorrect , it should be 200000001728

Kind Regards,
Sean

1 Like
10

Let me check - might not be right here, but correct on your app.

11

Hi Sean, you are quite right, I am so sorry we didnt spot the missing zero. I’ve sent a request to the APIM to amend the asid now, hopefully be updated tomorrow.

12

(post deleted by author)

13

Hi Tony @tony.marsh1

no problem at all, we will monitor today and hope to see it working later.

Thanks for your support,

Kind Regards,
Sean

14

Thanks for your understanding - I can see APIM team have picked the ticket up - I will reply on here once its complete and ready for a retry

15

@sean.nesbitt Ready to re-try