Parameters for /auth endPoint -

I am following this documentation to trey and set up mock authentication for local development.

When I make the call to the /keycloak-client-credentials endpoitn I get back a client id and secret that is not the one associated with by api key as set up for the application. However the instructions are very clear that this has to be used.

The redirect uri is to a generic url (that does not exist) and not to the redirect that I would use for authentication.

If I use all these value as they are the call doesn’t throw any errors - but obviously also doesn’t do a mock login.

If I change the values to my clientId, secret and redirect Uri then the login call fails. Changing just the redirect url with a redirect uri invalid message, client id with an invalid client id message.

Does anyone have an example of this in use?

Hi, could you share the url including the redirect uri but without the client secret to help us identify the problem?

I have had to get on with some work, and create a work around for local login, so I no longer have the calls.

The steps I took were:

  1. made sure that mock-jwks (sandbox Environment) was enabled for my application
  2. called with my api key.

this returned the client id, secret and redirect url that are the default.

My redirect url is a localhost one - which we use ngrok to set on the application settings - so providing it won’t really help you.

Is there a missing step in the documentation where somehow you would get the clientid, secret and redirect url for your own application?

Thanks for that! I think the issue is with mock-jwks (sandbox Environment) being enabled. According to the documentation the application registered must have mock-jwks (Int Environment) added to the list of enabled APIs.

Our application is set up for Environment Sandbox - so that api is not available to us.

I suspect that you can only use the new mock api when you have a fully configured sandpit registered app - with a redirect url that has been set up by the NHS team and cannot be altered by us - I just tried creating a new instance of the app for sandpit and registered the api - and the response was:

curl --location --request GET ‘’ --header ‘apikey:{{mey api key}}’

{“cis2”: {“client_id”:“pytest-nhsd-apim”,“client_secret”:“8af96060-a045-4ccf-9069-aa70cef39a6f”,“redirect_uri”:“”}, “nhs-login”: {“client_id”:“pytest-nhsd-apim”,“client_secret”:“8332c425-d69e-46ef-9241-69998fa81018”,“redirect_uri”:“”} }

the same as I got when using the sandbox endpoint

I just re tested using the credentials I got back then and the redirecturl has to be the one given - so we can’t redirect back to our own endpoint.

If your app is set up in sandbox environment could you give a try

That’s what I started with - and got the same outcome.

The redirect url is always that dummy url (as shown in all the examples) not the redirect url I have defined for my application.

I think the redirect url should be the one defined in the dev portal, can I have the app-id to check if it’d been updated in Apigee?

the sandbox application id is 68f5b6e3-57b1-4ac9-b2f1-4e952a92c849

The redirect URL changes each time the app is built as it is a redirect to a locally hosted solution ( this is a development environment)

Could I also get your client credentials(client id and secret) for that sandbox app with id 68f5b6e3-57b1-4ac9-b2f1-4e952a92c849, we are checking if something is going wrong in the backend.

Hi Aleks
I am unable to find the mock-jwks in the Add API list of my application (Integration test environment)? Is there any other step that’s require to enable this API?



Hi Aleks - sorry for the delay here are my Sandbox credentials:
application id: 68f5b6e3-57b1-4ac9-b2f1-4e952a92c849

key - kort8HNxwts01aE7vFpaILyekxnTBR8i
secret: UHaSLQmUZ7xTbK6V

Hi Anna. Apologies for the delay in response. The redirect uri for the environment should be the one that comes back from mock-jwks as the way the mocks work it has to match that (for sandbox as you say it is - this isn’t how it would work when using the real nhs login but should work to get a token to test as you need. Please note that unless you’re doing the hello-world tutorial then all sandbox apis are not protected with auth so an integration app may be the way to go.

Hi Jeff, is this still an issue? Some times it takes some time to show the apis after the app is created. If it’s still an issue send your app id over and I’ll attach it

How would that work - if I redirect to that uri then I don’t get back to my app - do you have a working code example?

Hi Anna. Can you try this again using your own redirect. I may have fixed it

Hi @alex.carrie sorry for the delay - Busy on other projects - no change I’m afraid - when I check the response from curl --location --request GET ‘’ --header ‘apikey: kort8HNxwts01aE7vFpaILyekxnTBR8i’ -which is my Sandbox api key - I still get the dummy redirect uri.

Thinking that perhaps that didn’t matter and I could redirect where ever I have tried it and get the error response:

Invalid parameter: redirect_uri

This is getting to be an issue as developers need to get working - can you think what could be wrong?

Once again the steps I have taken are:

  1. made sure that mock-jwks (sandbox Environment) was enabled for my application
  2. called with my api key. This returned the client id, secret and redirect url that are the default - not the ones I have set up for my application.

Used client id and secret from that for my api call - as that is what the documentation says to do - but it also says to use that redirect uri - but as the documentation goes on to say After entering a valid set of credentials for a user, the browser navigates to the redirect_uri provided in the authorization call, with an authorization_code as a query parameter.

That redirect uri is a dummy one - so it gets me nowhere :smiley:

Could you try and set up an application with a connection to sandbox and follow your instructions to work out why they lead me to this point - I am probably missing something really obvious.

@alex.carrie have you had a chance to look at this again? It is turning into a major blocker for our wayfinder development

Hi Anna. Apologies, unfortunate timing, I’ve been on leave since your reply and have just got back in today. I’ll get someone to look at it as soon as they can. I would proceed with your integration with nhs login though and not treat this as a blocker. This is really only to demonstrate how it will work when using nhs login in the integration environment