Security and authorisation
Security
Access to the GP Connect APIs is controlled and protected by the Spine Secure Proxy (SSP), a forward HTTP proxy.
It provides a single security point for both authentication and authorisation for consuming systems. Additional responsibilities include auditing of requests, checking data sharing agreements and transaction logging.
All HTTP communications are secured using TLS mutual authentication (TLS MA). This covers both legs of the request: from the consumer system to the proxy, and then from the proxy to the provider system.
Authorisation
Authorisation takes place in two locations:
- the consumer system
- the SSP
The consumer system must have local RBAC in place and restrict GP Connect APIs to authorised users. With each request, a JSON Web Token (JWT) must be included with the following information:
- details of users, including role
- the SDS user and role IDs, where smartcards are used in the consumer system
- details of the consumer system
- details of the consumer’s organisation, including ODS code
The information in the JWT is retained for audit purposes.
The SSP checks data-sharing agreements to ensure that the consumer system is authorised to communicate with the provider system.
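The following is an added example, not part of the GP Connect documentation: a pre-flight check a consumer system could run on the JWT it has built, confirming that every item listed above is present before the request is sent. The claim names (`user`, `system`, `organisation`, `ods_code`, `sds_user_id`, `sds_role_id`), the helper names and the sample values are hypothetical; take the real claim names from the GP Connect specification.

```python
import base64
import json

# Hypothetical claim layout for illustration; real names come from the GP Connect specification.
REQUIRED = {
    "user details": ("user", "name"),
    "user role": ("user", "role"),
    "consumer system": ("system", "name"),
    "organisation ODS code": ("organisation", "ods_code"),
}
SMARTCARD_ONLY = {
    "SDS user ID": ("user", "sds_user_id"),
    "SDS role ID": ("user", "sds_role_id"),
}
# Constructed sample claims; the SDS user ID is deliberately left empty.
SAMPLE_CLAIMS = {
    "user": {"name": "Example Clinician", "role": "GP",
             "sds_user_id": "", "sds_role_id": "000000000000"},
    "system": {"name": "ExampleConsumer"},
    "organisation": {"ods_code": "X00000"},
}

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Build a constructed sample token; the third segment is a placeholder."""
    return f"{_b64url({'typ': 'JWT'})}.{_b64url(claims)}.placeholder"

def decode_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def missing_audit_fields(token: str, smartcard: bool) -> list:
    """Return labels of required items that are absent or empty in the token."""
    claims = decode_payload(token)
    wanted = {**REQUIRED, **(SMARTCARD_ONLY if smartcard else {})}
    missing = []
    for label, (section, key) in wanted.items():
        block = claims.get(section)
        value = block.get(key) if isinstance(block, dict) else None
        if not isinstance(value, str) or not value.strip():
            missing.append(label)
    return missing
```

A non-empty result means the request should be held back locally, since the token would not carry the information that is retained for audit.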
Onboarding
Expressing an interest
If you meet the prerequisites and have a product that can integrate with GP Connect, you should express an interest with us by submitting a use case.
The main purpose of the use case is to help us understand how you plan to use GP Connect APIs and the business issue you are looking to address. You should email your use case to us at gpconnect@nhs.net.
Your use case should include the following information as a minimum:
- the business problem you are intending to solve using GP Connect
- how GP Connect will be used in practice to benefit patients and staff
- which of the GP Connect products you will use to benefit patients and staff
- any end user organisations you are currently working with
- who your clinical safety officer is
Once we receive your use case, we'll respond within 14 days.
Consumer assurance process
Once we approve your use case, we support you through the assurance process to go live. We will discuss the assurance process and artefacts with you to help you understand our requirements.

Start your development work within 6 months of use case approval. If you miss this date, a review or new submission of the use case will be required. Changes or additional development will also require a review or new use case submission.
Last edited: 24 October 2022 3:31 pm