INT - JWKS Endpoint error

We just intercepted one of the failing token requests:

Request:
Content-Type: application/x-www-form-urlencoded
Host: int.api.service.nhs.uk
Content-Length: 1071
Expect: 100-continue

grant_type=client_credentials&client_id=teBiLdwPDffW33ggap6jp4BujsHV2j11&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJhbGciOiJSUzUxMiIsImprdSI6Imh0dHBzOi8vZXBpY3Byb3h5LW5wLmVzbmVmdC5uaHMudWsvT0F1dGgyLVBPQy9vYXV0aDIva2V5cy8yLzc4ODc5RTgzRTU1ODdDODU5QTkyNEJDRDgxOTZFREJCIiwia2lkIjoib3QweFZ2N0FCbG9jZlNFeEt4YkIrVE9nTm12R0FEbGQ0dDVDcjBkZ2cxUT0iLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2ludC5hcGkuc2VydmljZS5uaHMudWsvb2F1dGgyL3Rva2VuIiwiZXhwIjoxNzQyMjEzODc1LCJpYXQiOjE3NDIyMTM3NTUsImlzcyI6InRlQmlMZHdQRGZmVzMzZ2dhcDZqcDRCdWpzSFYyajExIiwianRpIjoiYTJhMTY4MjMtYTgwMC00OTE3LThmZDUtNTc1N2M4YjMxY2M4IiwibmJmIjoxNzQyMjEzNjk1LCJzdWIiOiJ0ZUJpTGR3UERmZlczM2dnYXA2anA0QnVqc0hWMmoxMSJ9.vs2RwJJb8ZF0UToFQ2vxI0rC32IjiCB3v-0wVucnVwTnJOXrt7XTQto_b0lFMfnoBCHyriWr2KhRuUIRgODVLv2JnKHK6ZNK5VIWdmRYwm4wa_UbHuqQ-6d9I4Mjp-JpocJEkvHS9XObSz9b5U93nk39xVQJzNPfIiwcXOfnBT0sJ5Az2bo1ieuZ9RgNViDjaIrtHRitxkHhSNY21-TlNlrVQ-6qr7UvY7Sr54FOr-Jj5tuHTRr-P14aSY7CTP6a2oL5Ep9Ab2Eqp-PwNJZ1FeV03TiQOKLJ1xR754hqSnGuvM62BpoDG5_vc0-qKkpn4n0AL5aL64AO_Nb91tvURw

Response:
HTTP/1.1 403 Forbidden
Date: Mon, 17 Mar 2025 12:15:55 GMT
Content-Type: application/json
Content-Length: 237
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains

{
  "error": "public_key error",
  "error_description": "The JWKS endpoint, for your client_assertion can't be reached",
  "message_id": "rrt-5733186035035051424-a-geu2-1852433-7579831-1"
}

If you decode the JWT header on the client assertion we're sending, you get the following:
{
  "alg": "RS512",
  "jku": "https://epicproxy-np.esneft.nhs.uk/OAuth2-POC/oauth2/keys/2/78879E83E5587C859A924BCD8196EDBB",
  "kid": "ot0xVv7ABlocfSExKxbB+TOgNmvGADld4t5Cr0dgg1Q=",
  "typ": "JWT"
}

This URL is accessible for me. Is there something that needs to be opened up on the NHS side before this can be retrieved?

Hi Mark,

I've moved this into the API Platform category as this is not an e-RS related question but relates to authenticating with the platform.

Thanks,

Adam.

Hi Mark,

To help us investigate this further, can you confirm that you've set up a JWKS endpoint for authentication with us?

Is that URL the same as the jku URL above?

Can you share the URL with us if it's not the same.

Thanks,

NHS England API Platform team

Please note: The API Platform team can only address queries relevant to the NHS England API platform, including security, rate limiting, logging, monitoring and alerting. For any API-specific queries, please reach out to the relevant API teams.

Hello

Many thanks for your response.

I can confirm that the URL is:

https://epicproxy-np.esneft.nhs.uk/OAuth2-POC/oauth2/keys/2/78879E83E5587C859A924BCD8196EDBB

The above has been registered on the NHS developer hub website and is associated with our public key URL.

Thanks
Mark

Hi Mark,

I noticed there is an additional space in the JWKS URL, which I have removed. Kindly check if the token request is successful now.

If you continue to see the same error, it could be due to misconfiguration of the public key as the error message suggests. This may be because the JWKS is not correctly configured (verify the public key modulus) or probably the original public key used to generate the JWKS has an issue.

Please refer to the page for more details on key generation: https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/application-restricted-restful-apis-signed-jwt-authentication#step-2-generate-a-key-pair

Kindly let us know if there are further issues.

Thanks,
Vini Akshara

Hello

Many thanks, I can confirm that we are no longer seeing the error regarding the JWKS endpoint; instead we are receiving an HTTP 500 back when communicating with:
https://int.api.service.nhs.uk/referrals/FHIR/STU3/ReferralRequest/000049796946

The response contains the following:

"fault":{"faultstring":"Unresolved variable : app.app-restricted-user-id","detail":{"errorcode":"entities.UnresolvedVariable"}}}

The application IDs are:
Epic ERS Application Test - Healthcare Worker - INT - ca1a2888-ed86-4df1-aeaf-ca2a9c0351ca
Epic ERS Integration Test - INT - 2646cf39-18b4-472d-b51b-145d8d0fcec1

Thanks
Mark


@adam.oldfield Would you mind having a look at this one? The application does have a UUID and is bound; on the face of it, it looks correct. I've requested ITOC create a new UUID, just in case something strange is happening.

@MARK_ISAACS Could you also post a correlation ID for the error too? This will help Adam or his colleagues.

Hello @tony.marsh1 @adam.oldfield

An example of the error from 09/04/2025 13:03:59.226 has an X-Correlation-Id value of 00000000005A67FB8604230E041327D8.

Hope this helps.


Additional info on the case:

The referred from/to details for the UBRNs would be:

Referred From: Kings College Health Centre – E87768

Referred To: TD008807 Test Trust 019 – M3P5X

The error presents for all UBRNs we are testing with, not just the example provided.

On an error we witnessed on 09/04/2025 13:03:59.226 there was an X-Correlation-Id value of 00000000005A67FB8604230E041327D8.

Hi @tony.marsh1,

It looks like this is a minor issue in the way the app-restricted-user-id property has been configured by the APIM team. I can see the property key has a trailing space, i.e. "app-restricted-user-id ". You will need to ask the APIM team to fix this, @tony.marsh1.

Regards,

Adam.
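Both failures in this thread came down to the same class of defect: a registered value (first the JWKS URL on the developer hub, then the APIM property key) carrying a trailing space that an exact string comparison does not tolerate. The script below is an added example, not code from the thread, Epic or the NHS England API platform. It rebuilds the client assertion from the header and payload values visible in the first post (with a placeholder signature, so nothing here verifies a signature or contacts any endpoint) and checks it against the values an integrator believes are registered, classifying any mismatch as whitespace-only or real. The 5-minute lifetime limit and RS512 as the expected algorithm are assumptions for the example; the property value for `app-restricted-user-id` is a constructed placeholder.

```python
"""Triage helper for JWT-bearer client assertions (added example).

Decodes a client_credentials assertion WITHOUT verifying it (inspection
only, never for access decisions) and compares what the client presents
against what the integrator thinks is registered on the platform.
"""
import base64
import json

TOKEN_ENDPOINT = "https://int.api.service.nhs.uk/oauth2/token"
CLIENT_ID = "teBiLdwPDffW33ggap6jp4BujsHV2j11"
MAX_LIFETIME_SECONDS = 5 * 60          # assumed limit on exp - iat
EXPECTED_ALG = "RS512"                 # assumed expected signing algorithm

# Header and payload values as decoded from the assertion in the first post.
HEADER = {
    "alg": "RS512",
    "jku": "https://epicproxy-np.esneft.nhs.uk/OAuth2-POC/oauth2/keys/2/"
           "78879E83E5587C859A924BCD8196EDBB",
    "kid": "ot0xVv7ABlocfSExKxbB+TOgNmvGADld4t5Cr0dgg1Q=",
    "typ": "JWT",
}
PAYLOAD = {
    "aud": TOKEN_ENDPOINT,
    "exp": 1742213875,
    "iat": 1742213755,
    "iss": CLIENT_ID,
    "jti": "a2a16823-a800-4917-8fd5-5757c8b31cc8",
    "nbf": 1742213695,
    "sub": CLIENT_ID,
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding JWT segments strip, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str):
    """Return (header, payload); the signature is deliberately ignored."""
    header_b64, payload_b64, _signature = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)))


def whitespace_mismatch(registered: str, presented: str) -> str:
    """'match', 'whitespace-only' (equal once stripped) or 'different'."""
    if registered == presented:
        return "match"
    if registered.strip() == presented.strip():
        return "whitespace-only"
    return "different"


def inspect_assertion(token, registered_jku, client_id, token_endpoint):
    """Return a list of findings; an empty list means the assertion lines up."""
    header, payload = decode_unverified(token)
    findings = []
    if header.get("alg") != EXPECTED_ALG:
        findings.append(f"alg is {header.get('alg')!r}, expected {EXPECTED_ALG!r}")
    status = whitespace_mismatch(registered_jku, header.get("jku", ""))
    if status != "match":
        findings.append(f"jku {status}: registered {registered_jku!r}, "
                        f"presented {header.get('jku')!r}")
    if not header.get("kid"):
        findings.append("missing kid: the platform cannot select a key from the JWKS")
    if payload.get("aud") != token_endpoint:
        findings.append(f"aud {payload.get('aud')!r} is not the token endpoint")
    if payload.get("iss") != client_id or payload.get("sub") != client_id:
        findings.append("iss/sub do not both equal the client_id")
    lifetime = payload.get("exp", 0) - payload.get("iat", 0)
    if lifetime <= 0 or lifetime > MAX_LIFETIME_SECONDS:
        findings.append(f"lifetime {lifetime}s outside (0, {MAX_LIFETIME_SECONDS}]")
    if not payload.get("jti"):
        findings.append("missing jti: assertion cannot be replay-checked")
    return findings


def find_whitespace_keys(properties: dict) -> list:
    """Config keys that differ from their stripped form, e.g. the APIM one."""
    return [key for key in properties if key != key.strip()]


def build_sample_token() -> str:
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([b64url_encode(compact(HEADER)),
                     b64url_encode(compact(PAYLOAD)),
                     b64url_encode(b"placeholder-not-a-real-signature")])


def run_demo():
    """Findings with the space-suffixed registration, then after the fix."""
    token = build_sample_token()
    before = inspect_assertion(token, HEADER["jku"] + " ", CLIENT_ID, TOKEN_ENDPOINT)
    after = inspect_assertion(token, HEADER["jku"], CLIENT_ID, TOKEN_ENDPOINT)
    return before, after


# Constructed placeholder for how the APIM property was stored.
APP_PROPERTIES_AS_STORED = {"app-restricted-user-id ": "<placeholder-user-id>"}

if __name__ == "__main__":
    before, after = run_demo()
    print("before fix:", before)
    print("after fix:", after)
    print("keys with stray whitespace:", find_whitespace_keys(APP_PROPERTIES_AS_STORED))
```

Run as a script it reports one `jku whitespace-only` finding for the space-suffixed registration and none once the space is removed, and flags the stored property key. The point of classifying the mismatch rather than just reporting inequality is that a `whitespace-only` result points straight at a copy-paste or form-input problem on the registration side, which is exactly what both fixes in this thread turned out to be.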

Hi Adam,

Thanks for checking on this.

Hi Mark,

I have removed the trailing space from the attribute on the app 2646cf39-18b4-472d-b51b-145d8d0fcec1. Could you please retry now?

Thanks,
Vini Akshara Kannan

Hi, I raised a service request for this, so please ignore it if you've already changed it (RITM0250287) :)

@Vini_Akshara_Kannan