Unauthorised - 401 eRS Document Retrieval

I am receiving a 401 error when trying to retrieve documents associated with appointments in eRS.

CIS2 has been setup and working and using the ID token we call into the developer API platform to get an access token as per https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/application-restricted-restful-apis-signed-jwt-authentication

This token is then used as per guidance to call the API e-Referral Service - Application Restricted (Integration Testing).

Application has been registered as per https://digital.nhs.uk/services/e-referral-service/api/integration-process/build#2-2-create-and-register-your-application.

Application ID: ff20dedf-6bef-4b83-8455-4cd3bfe5f01a

Can we please get advice on why we get this error and how to proceed.

Hi @jon.goody,

Can you confirm you have completed the “API platform configuration” step under https://digital.nhs.uk/services/e-referral-service/api/integration-process/build#2-2-create-and-register-your-application and had confirmation it has been configured?

@nhserspartners FYI

Regards,

Adam.

Hi @adam.oldfield

Yes this has been followed.
Application ID: ff20dedf-6bef-4b83-8455-4cd3bfe5f01a has all details associated with this.

Regards
Jon

Hi @jon.goody,

I don’t see the ASID, Organisation ODS Code or User ID configured on our side. This is done by @nhserspartners off the back of the email sent in the “API platform configuration” step.

I’m struggling to track down one of your failed requests on our side using your Application ID. Can you provide the X-Correlation-ID of one of your requests so I can trace it?

Thanks,

Adam.

Hi @adam.oldfield

Details below as requested.

ASID: 200000000068
Party Key: RB8-200244

Can you clarify where I can get the X-Correlation-ID from please.

Regards
Jon

X-Correlation-ID for last attempt was: 0B03BC5E-E2F8-11EF-9709-005056B4EE83

API Key is also mEGvQWNBpW4Ha3XfzfhVfGhWvnlZXCIO if this helps

Hi @jon.goody,

I can see a request using X-Correlation-ID 0B03BC5E-E2F8-11EF-9709-005056B4EE83 on 4/2/2025.

This was rejected with a 401 “Invalid access token”. As this failed authorisation it isn’t getting as far as the e-RS API.

If you need support troubleshooting the token generation flow please contact APIM/API Platform support.

Regards,

Adam.

Thanks @adam.oldfield
Here is another X-Correlation-ID: DDEB6F08-E2F4-11EF-9705-005056B4EE83

I am slightly confused on how this is being classed as invalid access token. We are successfully authenticating with the NHS Developer API which returns this access token. This is then passed onto the eRS API.

Regards
Jon

Hi

In theory all should already be in place but as the respective environments (Intersystems and NHSE INT) are invisible to me, all I can do is ‘do it again’.

I have this morning requested that the App ID is bound to ASID 200000000068 and will update this ticket when it is confirmed back to me that this is complete.

Kind regards

Andrew

Hi @jon.goody,

It looks like the request with that correlation ID has the same issue.

You are best speaking with APIM support where they can help you debug the issue.

@andrew.clayton3 are you able to help put Jon in touch with someone at APIM?

@andrew.clayton3 It doesn’t look like the ASID is bound to the Application; however, I don’t think this would cause this specific issue. It would cause an issue later down the line. It looks like Jon is wanting to use application-restricted access so will need the additional properties configuring too.

Regards,

Adam.

@adam.oldfield hi - I have submitted the binding request. As Yeovil is User Restricted in live I have gone down the User Restricted route (and not App Restricted) when going back to INT. I’ll look back through paperwork re App Restricted. Cheers

hi - this binding is complete for User Restricted (Yeovil is User Restricted in the Prod environment)

Hi @andrew.clayton3

We have attempted to run again and still getting a 401 error.

When we connect to the Developer API we get the access token based on the CIS2 ID token. So from what I can see this part is working correctly. See JSON payload response from API call:

{"access_token":"a7BZ0eNUBIFYbSyzDf53ECrmSk65","expires_in":"599","token_type":"Bearer","issued_token_type":"urn:ietf:params:oauth:token-type:access_token","refresh_token":"t39ug2qqxqLBBvdICRA2bBDnDV48783A","refresh_token_expires_in":"43199","refresh_count":"0"}

We then use this access token along with the X-Correlation-ID (sessionId) to call the Referral Service:

Response:

From the application:

The connected services:

Application ID: ff20dedf-6bef-4b83-8455-4cd3bfe5f01a
API Key: mEGvQWNBpW4Ha3XfzfhVfGhWvnlZXCIO

Would it be best to organise a call to discuss further and help understand what is missing?

Please note this is internal setup and not at Yeovil.

Regards
Jon

Hi @jon.goody,

If you are not using Application Restricted access can you try removing it from the “Connected APIs” associated with your Application?

It may not help but just want to rule it out.

Thanks,

Adam.

Thanks @adam.oldfield

I have removed the application restricted service and retested. Unfortunately I still get same error.

Can we organise a call if possible to establish how we move forward.

Regards
Jon

Hi @adam.oldfield / @andrew.clayton3

I have reviewed the details of our setup and from what I can see it looks correct.

Launch application and authenticate with smartcard using CIS2.

CIS2 OAuth URL:
https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare

Get ID Token once authenticated. Then call the Developer API, exchanging the ID Token for an access token.

Developer API OAuth2:
URL: https://int.api.service.nhs.uk/oauth2/token

Once the access token is received from the Developer API, pass it on to the eReferral Service API.

eReferral Service API:
server is int.api.service.nhs.uk
URL /referrals/FHIR

I have also added an additional service (Booking and Referral FHIR API) to our API just in case it is needed. Can you confirm what is defined below is correct?

Can you confirm this looks right and what the next steps are to establish why 401 errors are still occurring?

Regards
Jon
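The three-hop flow above (CIS2 ID token, token exchange at the Developer API, then the e-RS call with the resulting bearer token) is where a 401 "Invalid access token" from the gateway has to be pinned down. The following is an added example, not code from this thread, from InterSystems or from NHS England: an offline pre-flight harness that inspects the ID token's claims before exchange, assembles the token-exchange form, and refuses to build the e-RS request from a token that is not a usable bearer token, while always attaching an X-Correlation-ID so support can trace the request as asked above. The RFC 8693 form field names are an assumption about the NHS API platform's "separate authentication and authorisation" pattern; the sample ID token and token response are constructed (the response mirrors the shape quoted earlier in the thread with a made-up token value); the `SIGNED_CLIENT_ASSERTION_JWT` placeholder stands in for the app's signed client assertion, which is not produced here.

```python
import base64
import json
import time
import uuid
from typing import Optional

TOKEN_URL = "https://int.api.service.nhs.uk/oauth2/token"          # from the thread
ERS_BASE_URL = "https://int.api.service.nhs.uk/referrals/FHIR"     # from the thread
CIS2_ISSUER = ("https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2"
               "/realms/root/realms/NHSIdentity/realms/Healthcare")  # from the thread

# RFC 8693 token-exchange identifiers. Assumption: these are the values the NHS
# API platform expects for the separate authentication and authorisation pattern.
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWS WITHOUT verifying its signature.
    For local inspection only (issuer, subject, expiry); it establishes no trust."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def id_token_problems(id_token: str, expected_issuer: str, now: Optional[float] = None) -> list:
    """Pre-flight checks on the CIS2 ID token before it is sent for exchange."""
    now = time.time() if now is None else now
    claims = decode_jwt_payload(id_token)
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("issuer mismatch: %r" % claims.get("iss"))
    exp = claims.get("exp")
    if exp is None:
        problems.append("missing exp claim")
    elif now >= exp:
        problems.append("ID token already expired")
    if not claims.get("sub"):
        problems.append("missing sub claim")
    return problems


def build_token_exchange_form(id_token: str, client_assertion: str) -> dict:
    """Form body for POST TOKEN_URL: swap the CIS2 ID token for an API platform
    access token, authenticating the application with its signed JWT."""
    return {
        "grant_type": GRANT_TYPE,
        "subject_token_type": SUBJECT_TOKEN_TYPE,
        "subject_token": id_token,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": client_assertion,
    }


def ers_request_headers(token_response: dict, issued_at: float, now: Optional[float] = None,
                        correlation_id: Optional[str] = None) -> dict:
    """Headers for the e-RS call; refuses tokens that are not usable bearer tokens.
    expires_in is a string in the response quoted in the thread, so coerce it."""
    now = time.time() if now is None else now
    if token_response.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type %r" % token_response.get("token_type"))
    expires_in = int(token_response["expires_in"])
    if now >= issued_at + expires_in:
        raise ValueError("access token has expired; exchange the ID token again")
    return {
        "Authorization": "Bearer " + token_response["access_token"],
        # Always send one: it is what support used above to trace the 401s.
        "X-Correlation-ID": correlation_id or str(uuid.uuid4()),
    }


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, UNSIGNED test token (alg=none) so the example runs offline.
    Real CIS2 tokens are signed and must be verified against the CIS2 JWKS."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header + "." + _b64url_encode(json.dumps(claims).encode()) + "."


# Constructed sample inputs (not real tokens).
SAMPLE_ID_TOKEN = make_unsigned_jwt({"iss": CIS2_ISSUER, "sub": "user-1", "exp": 2_000_000_000})
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "EXAMPLE_ACCESS_TOKEN", "expires_in": "599", "token_type": "Bearer",
    "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
}

if __name__ == "__main__":
    print("ID token problems:", id_token_problems(SAMPLE_ID_TOKEN, CIS2_ISSUER, now=1_700_000_000))
    print("exchange form:", build_token_exchange_form(SAMPLE_ID_TOKEN, "SIGNED_CLIENT_ASSERTION_JWT"))
    print("e-RS headers:", ers_request_headers(SAMPLE_TOKEN_RESPONSE, issued_at=1_700_000_000,
                                               now=1_700_000_100))
```

If every local check passes and the gateway still answers 401 "Invalid access token", the problem is in what the exchange produced rather than in how the e-RS request was built, which is the point at which the X-Correlation-ID and a conversation with API platform support are the right next step.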

Hi Jon,

I’m from the API management team and would like to help with your query.

From the steps you have detailed they sound right to me (https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/user-restricted-restful-apis-nhs-cis2-separate-authentication-and-authorisation#top)

From our logs I can see successful requests to get the access token, however it appears that when you call e-RS with the access token I cannot see any authentication metadata coming through that indicates you have authenticated with a smart card.

Please let me know your availability; let's try and arrange a Teams call to screen share and go through the issue.

Kind regards,
Sophie

Hi @sophie.clayton12

Thanks for getting back to me. A call to walk through this sounds perfect. I will need others on the call too.

Dates and times currently available:

Monday 2-5
Tuesday 9-10:30, 4-5
Wednesday 11-12, 2-5

If you can let me know which ones work for you I can liaise with my colleagues to firm up best option.

Regards
Jon

Hi Jon,

Sounds good! Looking at the timeslots I can do Monday 3-5, Tuesday 4-5 or Wednesday 4-5. Once firmed up with your colleagues, please message me your preferred time and email and I’ll send over an invite.

Kind regards,
Sophie

Thanks @sophie.clayton12

Can we please go for Monday at 3-4. If you send email to me at Jon.goody@intersystems.com I can forward on to the others.

Many thanks
Jon