Hello everyone,
I am currently working on a project that involves integrating a third-party application with NHS systems using available APIs. While I have reviewed the official documentation, I am seeking additional guidance from those who have experience with this process.
Specifically, I would appreciate insights on the following:
- Authentication and Security Best Practices – What are the recommended approaches for implementing authentication when accessing NHS APIs? Are there any common pitfalls to avoid when handling OAuth2 and JWT tokens?
- FHIR Implementation Considerations – If the API follows FHIR standards, are there any NHS-specific adaptations or constraints that I should be aware of? Any challenges you faced when structuring requests and handling responses?
- Sandbox vs. Production Environments – How accurate is the sandbox environment compared to the live system? Are there any significant differences that I should anticipate when transitioning from development to deployment?
- Compliance and Data Handling – Beyond the standard NHS guidelines, are there any additional compliance requirements or best practices when dealing with patient data in an integrated solution?
- Common Integration Challenges – If you have gone through the integration process, what were the most challenging aspects? Any workarounds or solutions that you found particularly useful?
I would greatly appreciate any advice, best practices, or documentation recommendations that could help streamline the integration process. Looking forward to learning from your experiences!
I also checked this: https://developer.community.nhs.uk/t/how-to-integrate-an-application-restricted-restful-apis-with-signed-jwt-authentication/power-apps
Thanks in advance for your help!
Hi Martyana,
Thank you for getting in touch with the NHS England API Platform team.
As you have probably gathered from the available documentation, integrating third-party applications with NHS APIs on the NHS API Platform depends on several factors, including the specific API you want to use, your organisation’s status, and whether you need access to patient-identifiable data, etc.
The NHS API platform offers RESTful APIs with varying integration complexity due to several factors. Simpler APIs may only require basic authentication, while those handling sensitive patient data necessitate robust security measures like NHS Smartcards, OAuth 2.0, or JWT, along with compliance with NHS Digital standards such as DSPT and the IG Toolkit. Access is restricted to approved organisations, and while the use of FHIR promotes interoperability, it also requires developers to have familiarity with FHIR data structures.
We recommend that you start by following the steps below, after which we can sequentially address any issues you come across:
Step 1: Identify the Right API
- Visit the NHS API and integration catalogue.
- Choose an API relevant to your needs (e.g., GP Connect, PDS (Personal Demographics Service), EPS (Electronic Prescription Service)).
Step 2: Check Access Requirements
- Some APIs are public (e.g., NHS ODS Lookup).
- Others require NHS organisational approval and IG compliance (e.g., GP Connect).
- Review onboarding documentation on the NHS Digital Developer Portal.
Step 3: Register for an API Key
Step 4: Security & Authentication Setup
- NHS APIs use OAuth 2.0 (JWT Bearer Tokens) and/or Smartcards.
- If needed, obtain an NHS-assigned authentication certificate.
- Some APIs require integration with NHS Login or NHS Identity for authentication.
Step 5: Develop & Test in Sandbox
- Use NHS-provided sandbox/testing environments for the API.
- Ensure compliance with FHIR standards, API rate limits, and security policies.
- Conduct penetration testing if required.
Step 6: Apply for Production Access
- Submit a production access request to NHS API Platform.
- Provide compliance evidence (e.g., DSPT completion, Cyber Essentials certification).
- NHS API Platform team will conduct a technical and IG review before approval.
Step 7: Deploy & Monitor
- Once approved, deploy your integration in a live NHS environment.
- Monitor API usage, error logs, and compliance with NHS standards.
Some common challenges:
- Access Restrictions – Some APIs are restricted to NHS-affiliated organisations.
- Compliance Requirements – DSPT, GDPR, and NHS Digital’s security policies.
- Complex Authentication – Certificate-based access, OAuth 2.0, and NHS Login integration.
- FHIR Learning Curve – If your team is new to FHIR, additional development time may be needed.
I hope the above helps answer some of your queries and will help you kick-start your integration efforts. Each project has its nuances, so do keep an eye on potential edge cases like custom field extensions or legacy data formats. If you hit any specific roadblocks, feel free to share details, and the NHS Developer community or NHS API Platform teams can point you in the right direction.
Thanks,
NHS England API Platform team
Please note: The API Platform team can only address queries relevant to the NHS England API platform, including security, rate limiting, logging, monitoring and alerting. For any API-specific queries, please reach out to the relevant API teams.
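Worked example for Step 4 and the original question's OAuth2/JWT pitfalls (added here; not code from the NHS England API Platform team or its documentation): it assembles the signed-JWT client assertion that the application-restricted client_credentials pattern expects and pre-checks the claims that are most often wrong. The token URL, API key, key id and the RSA signer are assumptions; a real integration signs with RS512 using the private key whose public half is registered on the platform.

```python
import base64
import json
import uuid
from typing import Callable, Dict, List, Set

# Assumption (from the public application-restricted docs): the platform
# rejects assertions whose exp is more than 5 minutes in the future.
MAX_EXP_SECONDS = 300
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_claims(api_key: str, token_url: str, now: int, lifetime: int = 300) -> Dict:
    # iss and sub are both the API key; aud is the token endpoint itself.
    return {"iss": api_key, "sub": api_key, "aud": token_url,
            "jti": str(uuid.uuid4()), "exp": now + lifetime}


def check_claims(claims: Dict, token_url: str, now: int, seen_jti: Set[str]) -> List[str]:
    """Return the pitfalls found; an empty list means the assertion looks acceptable."""
    problems = []
    if claims.get("iss") != claims.get("sub"):
        problems.append("iss and sub must both be the API key")
    if claims.get("aud") != token_url:
        problems.append("aud must equal the token endpoint URL")
    exp = claims.get("exp")
    if not isinstance(exp, int):
        problems.append("exp missing or not an integer")
    elif exp > 10**11:
        problems.append("exp looks like milliseconds; it must be seconds since epoch")
    elif exp <= now:
        problems.append("exp is in the past (check clock skew)")
    elif exp - now > MAX_EXP_SECONDS:
        problems.append("exp is more than 5 minutes ahead")
    jti = claims.get("jti")
    if not jti:
        problems.append("jti missing")
    elif jti in seen_jti:
        problems.append("jti reused; every assertion needs a fresh value")
    return problems


def build_assertion(claims: Dict, kid: str, sign: Callable[[bytes], bytes]) -> str:
    """header.payload.signature; `sign` is the caller's RS512 signer (injected, not implemented here)."""
    header = {"alg": "RS512", "typ": "JWT", "kid": kid}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))


def token_request_body(assertion: str) -> Dict[str, str]:
    """Form fields POSTed to the token endpoint in exchange for an access token."""
    return {"grant_type": "client_credentials",
            "client_assertion_type": CLIENT_ASSERTION_TYPE,
            "client_assertion": assertion}
```

Only the structure and the claim rules are checked here; signature validity is the platform's decision once the real RS512 signer is plugged in.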