INT eRS and Application Authenticated Issues

Hi team,

We’re integrating application-restricted (unattended) access to the e-Referral Service FHIR API in the Integration Test environment, and all our calls are failing with a 500 REC_SERVER_ERROR from the e-RS backend. We believe the remaining issue is server-side configuration and would appreciate your help.

Application details

Application name: FDSAPPLICATIONAUTHONLY

Application ID: cf907a72-9d48-4bcf-b3b3-bf6f48b97fee

Environment: Integration test

Connected API: e-Referral Service - Application Restricted (Integration Testing) — Enabled

Owner: FDS CIS2 TEAM

What we’ve configured and verified

Signed-JWT (RS512) client credentials authentication succeeds — we obtain an access token from https://int.api.service.nhs.uk/oauth2/token without errors.

The custom attributes asid, app-restricted-ods-code, and app-restricted-user-id are set on the application. We worked through the “Unresolved variable” gateway errors for each of these, so we know the attributes are now being resolved by the proxy.

Requests send only the Authorization header (no NHSD-End-User-Organisation-ODS or NHSD-eRS-Business-Function), per the application-restricted specification.

The problem

Every application-restricted endpoint we call returns 500 with REC_SERVER_ERROR, for example (all times UTC, 5 July 2026):

GET /referrals/FHIR/R4/HealthcareService/6710419 (A033) at 15:51:34 → 500 REC_SERVER_ERROR

GET /referrals/FHIR/R4/HealthcareService?_id=6710419 (A035) at 15:49:12 → 500 REC_SERVER_ERROR

GET /referrals/FHIR/STU3/ReferralRequest/9000000009 (A005) at ~15:53 → 500 (we’d expect a 404 here for an unknown UBRN, so the request appears to fail before resource lookup)

Service 6710419 exists in INT — we fetch it successfully via our user-restricted (Healthcare Worker) application.

Our suspicion

The asid attribute is currently set to 200000002295, which is the ASID accredited to our existing user-restricted application. Per your documentation, each access mode requires its own ASID with a one-to-one application binding, so we suspect this ASID isn’t accredited for application-restricted interactions and the Spine backend is rejecting the requests.

Request

Could you either provision/accredit an INT ASID for application-restricted access for this application, or correct the application’s backend setup as appropriate? Happy to provide correlation IDs or re-run test calls if that helps your investigation.

Our intended usage is read-only service lookup (A033/A035/A037) to support directory-of-service management in our application.