Hi team,
We’re integrating application-restricted (unattended) access to the e-Referral Service FHIR API in the Integration Test environment, and all our calls are failing with a 500 REC_SERVER_ERROR from the e-RS backend. We believe the remaining issue is server-side configuration and would appreciate your help.
Application details
Application name: FDSAPPLICATIONAUTHONLY
Application ID: cf907a72-9d48-4bcf-b3b3-bf6f48b97fee
Environment: Integration test
Connected API: e-Referral Service - Application Restricted (Integration Testing) — Enabled
Owner: FDS CIS2 TEAM
What we’ve configured and verified
Signed-JWT (RS512) client credentials authentication succeeds — we obtain an access token from https://int.api.service.nhs.uk/oauth2/token without errors.
The custom attributes asid, app-restricted-ods-code, and app-restricted-user-id are set on the application. We worked through the “Unresolved variable” gateway errors for each of these, so we know the attributes are now being resolved by the proxy.
Requests send only the Authorization header (no NHSD-End-User-Organisation-ODS or NHSD-eRS-Business-Function), per the application-restricted specification.
The problem
Every application-restricted endpoint we call returns 500 with REC_SERVER_ERROR, for example (all times UTC, 5 July 2026):
GET /referrals/FHIR/R4/HealthcareService/6710419 (A033) at 15:51:34 → 500 REC_SERVER_ERROR
GET /referrals/FHIR/R4/HealthcareService?_id=6710419 (A035) at 15:49:12 → 500 REC_SERVER_ERROR
GET /referrals/FHIR/STU3/ReferralRequest/9000000009 (A005) at ~15:53 → 500 (we’d expect a 404 here for an unknown UBRN, so the request appears to fail before resource lookup)
Service 6710419 exists in INT — we fetch it successfully via our user-restricted (Healthcare Worker) application.
Our suspicion
The asid attribute is currently set to 200000002295, which is the ASID accredited to our existing user-restricted application. Per your documentation, each access mode requires its own ASID with a one-to-one application binding, so we suspect this ASID isn’t accredited for application-restricted interactions and the Spine backend is rejecting the requests.
Request
Could you either provision/accredit an INT ASID for application-restricted access for this application, or correct the application’s backend setup as appropriate? Happy to provide correlation IDs or re-run test calls if that helps your investigation.
Our intended usage is read-only service lookup (A033/A035/A037) to support directory-of-service management in our application.