We’ve got set up with trust and GP roles in the INT environment, and are now getting our code that worked in the sandbox to retrieve referrals sent to the trust in INT.
No matter what I do I seem to get a 401 error back from the query. I don’t think this can be a problem with the auth token, as it worked OK querying the sandbox.
I wonder if our API token needs to be granted access to our INT trust / service? Our ERS service id that we set up in the trust is 6711327.
Our most recent correlation id was 92c64e6e-b59c-43f3-9648-c112dd11c7f8
Thanks for the detail so far. There are a couple of things that I believe would help us investigate further:
Could you share the full request headers you’re sending? This will help us rule out any formatting issues on the auth token and confirm all the required NHS headers are present.
Have you explicitly contacted england.nhserspartners@nhs.net to request that the relevant e-RS interactions are added to your INT application (app ID: 476f2265-5f93-4379-8472-571a36dbb459)? This doesn’t happen automatically when moving from sandbox to INT, and is a common cause of exactly this kind of 401 with no response body.
There are no problems I can see with the Headers and Body. I think for now it is best to wait to hear what the partners come back with. Apologies for the inconvenience caused.
Hi both, I’ve checked the application 476f2265-5f93-4379-8472-571a36dbb459 and it is set up correctly for e-RS - Application-restricted. I can also confirm the ASID linked has the latest e-RS interactions.
I think I may have had the wrong iss/sub in the JWT payload sent to https://int.api.service.nhs.uk/oauth2 to get a bearer token. I’ve re-copied from the developer portal, and things are a lot healthier.
Thanks for helping to rule out a bunch of other things.
Is the security model going to be the same for live, so once we’ve completed the onboarding all we need from a partner trust is their eRS service ID to retrieve work lists?
Essentially the model is the same in INT as it is for PROD - it’s a live-like environment.
Once a supplier is live they provide new applications for PROD - if you’re healthcare work AND application restricted then this is x2 applications. For application restricted there is a further governance form to complete - and we utilise the ODS code of the connecting NHS Trust, as well as a smartcard associated with that Trust. This means that only referrals associated within this org, an important protective measure. But you’d follow the same pattern if you are using the worklist endpoint.
Relevant to your use case if you’re application restricted is:
“In order to use this endpoint you must be an authenticated e-RS calling application, working in the context of a Service Provider Organisation.
Supported Worklists:
Referrals for Review
Appointment Slot Issues
The Service filter is mandatory when using this security pattern.
This endpoint must only be used to retrieve the worklist for a given service up to two times per day. If this does not meet your requirements, please contact us to discuss your use case.
If a worklist response exceeds 10MB, a successful response will not be returned. This is due to the size limitation on the APIM platform.”
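Added example, not part of any post in this thread and not NHS code: the 401 above was traced to a wrong iss/sub in the JWT sent to the INT oauth2 endpoint, so this sketch checks a client assertion's header and claims locally before it is sent. The expected claim rules, the /token path, the function names and the sample keys are assumptions or constructed values, labelled in the comments.

```python
import base64
import json
import time

# Assumptions (not stated in the thread): iss and sub must both equal the
# application's API key, aud is the token endpoint, exp is at most 5 minutes
# ahead, and the header carries alg RS512 plus a kid.
INT_TOKEN_URL = "https://int.api.service.nhs.uk/oauth2/token"
MAX_LIFETIME_S = 300

def decode_part(part):
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def encode_part(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def check_assertion(jwt, api_key, aud=INT_TOKEN_URL, now=None):
    """Return header/claim problems (empty list = OK). Signature is not verified."""
    now = time.time() if now is None else now
    try:
        head_b64, body_b64, _sig = jwt.split(".")
        head, claims = decode_part(head_b64), decode_part(body_b64)
    except ValueError:  # wrong part count, bad base64, or bad JSON
        return ["not a three-part base64url JWT"]
    if not isinstance(head, dict) or not isinstance(claims, dict):
        return ["header or payload is not a JSON object"]
    problems = []
    if head.get("alg") != "RS512":
        problems.append("header alg is not RS512")
    if not head.get("kid"):
        problems.append("header kid missing")
    for name in ("iss", "sub"):
        if claims.get(name) != api_key:  # key values deliberately not echoed
            problems.append(f"{name} does not match the application's API key")
    if claims.get("aud") != aud:
        problems.append("aud is not the token endpoint")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or not now < exp <= now + MAX_LIFETIME_S:
        problems.append("exp missing, past, or more than 5 minutes ahead")
    if not claims.get("jti"):
        problems.append("jti missing")
    return problems

# Constructed sample: iss/sub copied from a different portal application.
NOW = 1_700_000_000
BAD = ".".join([encode_part({"alg": "RS512", "kid": "int-1"}),
                encode_part({"iss": "sandbox-key", "sub": "sandbox-key",
                             "aud": INT_TOKEN_URL, "exp": NOW + 240, "jti": "constructed-1"}), "sig"])
print(check_assertion(BAD, api_key="int-key", now=NOW))
```

Running the check against the key shown for the INT application in the developer portal catches a copied-from-the-wrong-app iss/sub before the token request is made.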