Retrieving Referrals for review in INT (A008, FHIR STU3)

e-Referral Service (e-RS) e-Referral Service FHIR API
1

We’ve got set up with trust and GP roles in the INT environment, and are now getting our code that worked in the sandbox to retrieve referrals sent to the trust in INT.

No matter what I do I seem to get a 401 error back from the query. I don’t think this can be a problem with the auth token, as it worked OK querying the sandbox.

I wonder if our API token needs to be granted access to our INT trust / service ? Our ERS service id that we set up in the trust is 6711327

Our most recent correlation id was 92c64e6e-b59c-43f3-9648-c112dd11c7f8

2

Hi @tc1 Have you onboarded with us and followed the steps here? Please have a read through, if you have not already.

https://digital.nhs.uk/services/e-referral-service/api/integration-process/stage-2-build

If you have - do you have an application ID

3

Yup, the application id is 476f2265-5f93-4379-8472-571a36dbb459

4

Hi TC1 - this will need a DEV to check the 401 correlation ID - did anything else come up in the error - any additional message?

This is an app restricted endpoint - so imporant that you are referring into the trust provided via the test data - in which this case is H3G9K

5

Yup, I’m attempting to use H3G9K so the query looks like

{
	"name": "service",
	"valueIdentifier": {
			"system": "http://fhir.nhs.net/Id/ers-service",
			"value": "6711327"
	}
}

Thanks for engaging with someone there to find out why it’s failing. I think I’m just getting the 401 error without any body.

6

Good Morning, I am having a look through this now.

7

Hi tc1,

Thanks for the detail so far, there are a couple of things that i believe would help us investigate further:

  1. Could you share the full request headers you’re sending? This will help us rule out any formatting issues on the auth token and confirm all the required NHS headers are present.

  2. Have you explicitly contacted england.nhserspartners@nhs.net to request that the relevant e-RS interactions are added to your INT application (app ID: 476f2265-5f93-4379-8472-571a36dbb459)? This doesn’t happen automatically when moving from sandbox to INT, and is a common cause of exactly this kind of 401 with no response body.

Thanks,

George

8

Here’s the full headers:

{"Accept":"application/fhir+json","Content-Type":"application/fhir+json","authorization":"Bearer zT6NCTflzURLSirZfoS80e903YLG","x-correlation-id":"25627c78-d848-4af7-b0a6-c5bb3f0f3f7e","User-Agent":"axios/1.13.2","Content-Length":"407","Accept-Encoding":"gzip, compress, deflate, br"}

And body

{“resourceType”:“Parameters”,“meta”:{“profile”:[“``https://fhir.nhs.uk/STU3/StructureDefinition/eRS-FetchWorklist-Parameters-1"]},“parameter”:[{“name”:“listType”,“valueCodeableConcept”:{“coding”:[{“system”:“https://fhir.nhs.uk/STU3/CodeSystem/eRS-ReferralListSelector-1”,“code”:“REFERRALS_FOR_REVIEW”}]}},{“name”:“service”,“valueIdentifier”:{“system”:“http://fhir.nhs.net/Id/ers-service”,“value”:"6711327”``}}]}

I’d not added the JSON key to the application in the onboarding site, I have now but no change even after waiting a little while.

I’ve just emailed in the details of our app id and public key URL.
For what it’s worth the docs at https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/application-restricted-restful-apis-signed-jwt-authentication#step-3-register-your-public-key-with-us say to only contact for production access.

9

There are no problems I can see with the Headers and Body, I think for now it is best to wait to hear what the partners come back with. Apologies for the inconvenience caused.

10

Hi both, I’ve checked the application 476f2265-5f93-4379-8472-571a36dbb459 and it is set up correctly for e-RS - Application-restricted. I can also confirm the ASID linked has the latest e-RS interactions.

11

I think I may have had the wrong iss/sub in the JWT payload sent to https://int.api.service.nhs.uk/oauth2 to get a bearer token. I’ve re-copied from the developer portal, and things are a lot healthier.
Thanks for helping to rule out a bunch of other things.

Is the security modal going to be the same for live, so once we’ve completed the onboarding all we need from a partner trust is their eRS service ID to retrieve work lists ?