Invalid client identifier when trying to authenticate for Application-restricted RESTful APIs sandbox environments

Anthony_Medhurst · 30 October 2025 13:35

Today when trying to continue development using the sandbox environments, when I go to authenticate, I am getting a 500 error: Invalid client identifier.

Request URL: https://sandbox.api.service.nhs.uk/oauth2/token
Method: POST
Response Content: “{“fault”:{“faultstring”:“Invalid client identifier {0}”,“detail”:{“errorcode”:“oauth.v2.InvalidClientIdentifier”}}}”

navin.bose · 2 December 2025 10:41

Hi Anthony,

Thanks for raising this and apologies for the late response to your post.

The error:

{
  "fault": {
    "faultstring": "Invalid client identifier {0}",
    "detail": {
      "errorcode": "oauth.v2.InvalidClientIdentifier"
    }
  }
}

means that the OAuth server in the sandbox environment doesn’t recognise the client identifier you are sending. In sandbox, this is almost always due to a mismatch or change in the API key / client_id.

Please check/try the following:

Use the API key as iss and sub

You generally do not send client_id in the body — the platform uses the JWT’s iss/sub to identify the client.
If you do send client_id, it must equal your sandbox API key, not the application GUID.

Check that your sandbox app & key still exist

Log into the NHS Developer Portal → Applications and confirm:

The application you’re using is still present
It has an active API key
That key is the same one you’re using in iss/sub in your JWT

If you recently regenerated or deleted/recreated the key, any old JWTs or stored config will now be invalid.

Raising a support ticket:

If you have verified all the above and still get Invalid client identifier, please raise a ticket via the NHS England Developer Help & Support / ServiceNow and include:

Application name and sandbox Application ID
The sandbox API key you’re using (first/last 4 chars only in the ticket)
A redacted sample JWT payload (header + body, without signature)
The exact cURL or HTTP request you are sending (with secrets removed)
Approximate timestamp of a failing call

This will let the API Platform team check whether:

The sandbox app is correctly registered with OAuth
The key is mapped correctly
There is any sandbox auth incident in progress

Hope the above helps.

Thanks,

NHS England API Platform team

Please note: The API Platform team can only address queries relevant to the NHS England API platform, including security, rate limiting, logging, monitoring and alerting. For any API specific queries, please reach out the relevant API teams.

Topic		Replies	Views
Error with NHS Login Sandpit Api returns invalid_client_id NHS login authentication , fhir , jwt	3	129	10 January 2025
Error with NHS Login Sandpit Api NHS login testing , authentication , integration , jwt	2	751	29 December 2022
Unable to connect Hello World Personal Demographics Service (PDS) authentication	2	358	25 October 2023
How could I enable Sandbox for Care Identity Service (CIS2)? Care Identity Service (CIS)	13	411	8 April 2025
User-restricted NHS CIS2 separate authentication and authorisation - Java tutorial Care Identity Service (CIS) tutorials	2	31	3 December 2025

Invalid client identifier when trying to authenticate for Application-restricted RESTful APIs sandbox environments

Related topics