Hi,
We have recently completed the onboarding for the Organisation Data Terminology - FHIR API for the “Production” environment. From this we have 1 “Application” in the developer portal and an API key which we need to plug into our application, so now I am considering different environments.
I am not clear if I can use this one API key we got from the developer portal against the different environments of our product (local, dev, uat, training, prod etc.) or whether I need to also obtain a key for your “Integration (INT)” environment.
https://digital.nhs.uk/developer/guides-and-documentation/testing says “Do not share applications between environments.“ but I’m not sure which “applications” or “environments” that’s referring too. Is it the “Application” in the developer portal, or is it our application? And is it your sandbox/int/production environment or our environments (e.g. local, uat, prod, training). Can you clarify this statement?
Basically, is there any harm in using the production API key I obtained for use against all our application environments, or, am I required to also get approved for an integration API key?
In terms of practical application, I can’t see how accessing the production environment would be any different to the integration (INT) environment for this particular API as all I am doing is retrieving read only information from you.
Thanks,
Hi Laura,
You shouldn’t be able to use your API Key generated for the Production environment in the INT environment and vice versa. The developer portal advises an application be created per environment you require, and an API key is issued per application and environment (except Sandbox).
Environments available for Organisation Data Terminology - FHIR R4 API:
-
Sandbox - open-access, no API key required to access. This environment provides a quick, easy way to explore the API and judge its suitability for requirements.
-
Integration (INT) - requires an API Key to access, but an onboarding assessment isn’t required to be submitted to use the API Key and access. Once an application is created for the INT environment in the developer portal, the API Key is available (within the ‘Environment Access’ tab, select the application / product name, and then ‘Edit’ against 'Active API Keys). This is a more realistic environment, closely mirroring the Production environment that consumers can carry out more formal integration testing of their software within.
-
Production - the live API. This environment should be used in any live instance of your software once satisfied with prior testing. Once an application is created for the Production environment in the developer portal, the API key is available (within the ‘Environment Access’ tab, select the application / product name, and then ‘Edit’ against 'Active API Keys) but it isn’t enabled for access to the Production environment until an onboarding assessment has been submitted and approved in the Digital Onboarding Service.
In summary, the sandbox is open-access for exploration (no API key required). The INT environment allows for thorough testing without the need to onboard (API key required). The Production environment is the live API that requires onboarding to access (API key required).
As the API is read-only, the Production environment may be used for some test purposes. Please note, however, that monitoring and rate limits apply in the Production environment. The Production environment’s not intended for end-to-end testing and any extensive testing in this environment could trigger alerts. We’d recommend using the INT environment for end-to-end testing, performance testing, etc. This is what “Do not share applications between environments” relates to - you can create an application in the developer portal for each of your local environments e.g. Product A - INT, Product A - Production.
Thanks.
Hi,
Thanks for you response.
I still don’t think I understand the “Do not share applications between environments” statement, but I understand what you mean on configuring the environments (I assume only prod should use production). Are there any rate limits on the INT environment I should be aware of?
For this particular API, is that the only difference between INT and Production (the rate limit)?
Thanks,
Hi Laura,
Our API supplier have advised that the INT environment contains the full scope of data and is functionally representative of the Production environment, including rate limits.
They also confirmed that monitoring and alerts are enabled in INT, but with less severe impact and higher thresholds. This means INT is designed to tolerate high-volume testing, whereas the Production environment should be reserved for live use cases. Repeated or heavy test activity in Production can affect system performance, distort monitoring thresholds, and generate false alerts.
The guidance to “not share applications between environments” aligns with the recommended approach of configuring each of your local environments against the most appropriate API environment (Sandbox, INT, Prod). The webpage containing that guidance is authored by NHSE’s API Management (APIM) team who own the Digital Onboarding Service.
Thanks,
Sophie