Skip to main content

NHS App API

Engage with users of the NHS App.

Page content

Overview

Use this API to engage with users of the NHS App - a simple and secure way for patients registered with a GP surgery in England to access a range of services on their smartphone or tablet.

You can:

  • send in-app messages to specific users of the NHS App
  • send native Apple or Android push notifications to mobile devices registered by specific users of the NHS App

Who can use this API

To use this API, you must integrate with the NHS App.

Contact us before you begin any development work with this API, even if your service is already integrated.

API status and roadmap

This API is in private beta, meaning:

  • we might make breaking changes, but only if we cannot avoid it, and we'll give advance notice
  • we cannot guarantee availability or performance

To see our roadmap, or to suggest, comment or vote on features for this API, see our interactive product backlog.

If you have any queries, please contact us.

Technology

This API:

  • is RESTful
  • conforms to the FHIR global standard for health care data exchange
  • aligns with FHIR UK Core (which is built on FHIR Release 4)

Specific rules for FHIR APIs

FHIR APIs are RESTful APIs that follow specific rules. In particular:

  • resource names are capitalised and singular, for example /CommunicationRequest not /communicationRequests

  • array names are singular, for example recipient not recipients for communication recipients

  • data items that are country-specific and thus not included in the FHIR global base resources are usually wrapped in an extension object

There are libraries and SDKs available to help with FHIR integration.

Network access

This API is available on the internet, and, indirectly, on the Health and Social Care Network (HSCN).

For more details see Network access for APIs.

Authorisation

This API is application-restricted, meaning we authenticate the calling application but not the end user. In particular, the three FHIR CommunicationRequest endpoints use signed JWT authentication - you authenticate your application by sending a signed JSON web token (JWT) to our OAuth 2.0 authorisation server. For more details see Application-restricted RESTful APIs - signed JWT authentication.

After following these steps to create an application and register the public key, the App ID should be provided to the NHS App onboarding team to grant your application permissions to the features that are appropriate to your use cases. If this step is not completed, all calls to this API will return responses with status code 403 Forbidden.

Environments and testing

API Environment NHS Login Environment Base URL
Development Sandpit https://dev.api.service.nhs.uk/nhs-app/
Integration Testing Integration (AOS) https://int.api.service.nhs.uk/nhs-app/
Production Production https://api.service.nhs.uk/nhs-app/

Development

Our development environment:

  • includes authorisation
  • is for initial development and integration testing
  • points to the Onboarding Sandpit NHS App environment, which in turn is using the NHS Login Sandpit environment

We have created a Postman collection during internal development and testing of the API, which you may find useful when working with this environment.

Developers working with C# may also be interested in the integration tests that we have developed for the API, which make use of the fire.ly .NET SDK.

Integration testing

Our integration test environment:

  • includes authorisation
  • is for formal release testing and assurance when onboarding with NHS Login
  • points to the Onboarding AOS NHS App environment, which in turn is using the NHS Login Integration (AOS) environment

For more details see integration testing with our RESTful APIs.

Onboarding

You need to get your product or service approved by us before you can use this API. We call this onboarding. The onboarding process can sometimes be quite long, so it’s worth planning well ahead.

Services not yet integrated

If your service is not yet integrated with the NHS App, you will need to follow our step by step process to onboard with us.

Integrated services

If your service is already integrated, and you now want to add notifications and messaging to your integration, you will need to take some extra steps before you can use this API. Explore notifications and messaging in the NHS App for guidelines and restrictions, and the documents you will need to complete.

To onboard for this API, please get in touch with the NHS App onboarding team at app.onboarding@nhs.net.

Endpoints: Communication

Send an in-app message

post 
/communication/in-app/FHIR/R4/CommunicationRequest

Overview

Use this endpoint to send an in-app message to one or more NHS App users.

Recipients are specified by NHS number. A single request to this endpoint can send an identical message to between 1 and 100 distinct NHS numbers. In-app messages will only be sent to users who have had their identity verified to 'high' (P9) level.

We support a subset of Markdown for describing the body text of in-app messages. The length of each in-app message is limited to 5000 characters, including any markdown characters and embedded hyperlinks.

The body of requests made to this endpoint are instances of HL7 FHIR R4 CommunicationRequest resources. This schema documentation describes which fields on that resource we require and support. The API is tolerant of (but will silently ignore) any additionally supplied optional fields. For example, we do not currently honour the doNotPerform or priority fields.

Request

Headers
Name Description
Authorization

String (^Bearer\ [[:ascii:]]+$)

An OAuth 2.0 bearer token.

Example: Bearer g1112R_ccQ1Ebbb4gtHBP1aaaNM

Required
X-Correlation-ID

String

A unique message identifier. We use this to trace the message if you raise an issue with our helpdesk.

If provided, we recommend a GUID for uniqueness and convenience.

This is mirrored back in the response headers.

Example: b5bc6879-103e-4a78-975e-87e815c5da58

Body
Required

Content type: application/json

Example

Sending an in-app message

Schema

Name Description
object

Communication request to send a in-app message
resourceType
string
required

FHIR Resource Type - this must be CommunicationRequest.
identifier
array

An optional array of identifiers used to identify this request for later analysis.

We have defined the following two systems for identifiers that will be stored with the request:

  • Campaign ID - denoted by system https://fhir.nhs.uk/NHSApp/campaign-id . This is an optional campaign identifier, used for later identification of a group of multiple communication requests. For example, this could be used to identify all messages that pertain to invitations for a particular vaccination programme.
  • Request Reference - denoted by system https://fhir.nhs.uk/NHSApp/request-id . This is an optional request identifier, used for later identification of a specific request.

Note that these identifier system names are case-sensitive. The values provided for each of these two identifiers are limited to 50 characters, and must not match the regular expression <(.|\n)*?>. No more than one campaign ID and one request reference can be supplied with each request.

The API will not reject requests that contain other identifier systems, but these values will be ignored and not recorded against the request.

When a CommunicationRequest resource is returned in the response body to a successful request, this array will also include a globally unique identifier assigned by the API, with the system urn:ietf:rfc:3986. This is the same logical ID contained within the Location header of the successful response.
object
system
string uri

The namespace for the identifier value

Example: https://fhir.nhs.uk/NHSApp/campaign-id
value
string

The value of the identifier

Example: Optional campaign ID
status
string
required

Request Status of the message. This must always be active (case-sensitive).

Default: active
payload
array
required

The body text of the message to be displayed in the NHS App
object
contentString
string
required

The body text of the message to be displayed in the NHS App. We support a subset of Markdown for in-app messages.

Currently supported Markdown syntax:

  • Emphasis

    • Bold text **Bold**

  • Headings

    • Heading 2 ## Heading 2

    • Heading 3 ### Heading 3

  • Lists

    • Bullet list:

      * Item1

      * Item2

      * Item3

  • Ordered lists

    1. Item1

    2. Item2

    3. Item3

  • Links with text [Link text](https://en.wikipedia.org/wiki/Markdown)

  • Links with title [Link text](https://en.wikipedia.org/wiki/Markdown, "Title text")

  • Images ![NHS Logo](https://assets.nhs.uk/images/nhs-logo.png)

  • Line break, two or more spaces followed by return

    Forcing a line-break   <--(two spaces)
    Next line

Pattern: must not match <(.|\n)*?>
Max length: 5000
Example: You have a new appointment, please confirm you can attend. Open the Onboarded Third Party appointment here https://www.nhsapp.service.nhs.uk/appointments/hospital-appointments
sender
object
required

The sender of the in-app message.
display
string
required

The name to be displayed in the NHS App as the sender of the message. The NHS App user interface will group together messages sent from the same sender name into a single thread of messages.

Pattern: must not match <(.|\n)*?>
Max length: 50
Example: Onboarded Third Party
recipient
array
required

An array of NHS numbers corresponding to the patient(s) to whom this in-app message should be sent. Each communication may be sent to between 1 and 100 distinct NHS numbers. The communication request will be rejected if any duplicated values exist in this array.

Max items: 100
Min items: 1
object
type
string

FHIR resource type that the reference refers to. This should be Patient.

Example: Patient
identifier
object

Identifier of a recipient. This should be an NHS number.
system
string uri
required

The system that the identifier belongs to. This should be https://fhir.nhs.uk/Id/nhs-number

Default: https://fhir.nhs.uk/Id/nhs-number
value
string
required

The patient's NHS number. The primary identifier of a patient, unique within NHS England and Wales. Always 10 digits and must be a valid NHS number.

Pattern: ^\d{10}$
Example: 9903002157

Response

HTTP status: 201

Request successfully received by the server and queued for sending to recipients.

Headers
Name Description
Location

String

The location of the newly-created resource.
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Example

Schema

Name Description
object

Communication response body for a successful in-app message request.
resourceType
string

FHIR Resource Type - this will be CommunicationRequest.
identifier
array

An array of identifiers used to identify this request.

This array will always include a globally unique identifier assigned by the API, with the system urn:ietf:rfc:3986.

It will include optional identifiers that were provided in the request if the API recognised the identifier system name.
object
system
string uri

The namespace of the identifier value.

Example: urn:ietf:rfc:3986
value
string

The value of the identifier.

Example: 8f7ec136-66eb-4a9e-97ca-5c7a53d2710c
status
string

Request Status of the message - this will be active.
payload
array

The body text of the message to be displayed in the NHS App.
object
contentString
string

The body text of the message to be displayed in the NHS App.

Example: You have a new appointment, please confirm you can attend. Open the Onboarded Third Party appointment [here](https://www.nhsapp.service.nhs.uk/appointments/hospital-appointments)
sender
object

The sender of the in-app message.
display
string

The name to be displayed in the NHS App as the sender of the message.

Example: Onboarded Third Party
recipient
array

An array of NHS numbers corresponding to the patient(s) to whom this in-app message was sent.
object
identifier
object

Identifier of a recipient. This will be an NHS number.
system
string uri

The system that the identifier belongs to. This will be https://fhir.nhs.uk/Id/nhs-number.

Default: https://fhir.nhs.uk/Id/nhs-number
value
string

The patient's NHS number.

Pattern: ^\d{10}$
Example: 9903002157
HTTP status: 400

There is an error in your request.

Headers
Name Description
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Examples

Invalid resource type

Payload body text exceeds maximum length

No recipients have been specified

A recipient has an invalid NHS number

Multiple issues - sender name is missing and campaign ID exceed maximum length

Schema

Name Description
object

Operation outcome
resourceType
string

FHIR Resource Type.

Default: OperationOutcome
issue
array

List of issues that have occurred.

Min items: 1
object
severity
string
required

Severity of the error.

Allowed values: fatal, error, warning, information
code
string
required

FHIR error code.

Allowed values: expired, forbidden, invalid, processing, security, throttled
diagnostics
string

Additional diagnostic information about the issue.

Example: Not specified
expression
array

FHIRPath of element(s) related to the error.
string
Example: sender.display
HTTP status: 401

Authorisation issue, for example a missing or expired bearer token.

Headers
Name Description
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Examples

Invalid Access Token

Expired Access Token

Schema

Name Description
object

Operation outcome
resourceType
string

FHIR Resource Type.

Default: OperationOutcome
issue
array

List of issues that have occurred.

Min items: 1
object
severity
string
required

Severity of the error.

Allowed values: fatal, error, warning, information
code
string
required

FHIR error code.

Allowed values: expired, forbidden, invalid, processing, security, throttled
diagnostics
string

Additional diagnostic information about the issue.

Example: Not specified
expression
array

FHIRPath of element(s) related to the error.
string
Example: sender.display
HTTP status: 403

You are not authorised to perform this operation. For example, some onboarded client applications may be permitted to send Push Notifications but not In-app Messages, or vice versa.

Headers
Name Description
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Example

Schema

Name Description
object

Operation outcome
resourceType
string

FHIR Resource Type.

Default: OperationOutcome
issue
array

List of issues that have occurred.

Min items: 1
object
severity
string
required

Severity of the error.

Allowed values: fatal, error, warning, information
code
string
required

FHIR error code.

Allowed values: expired, forbidden, invalid, processing, security, throttled
diagnostics
string

Additional diagnostic information about the issue.

Example: Not specified
expression
array

FHIRPath of element(s) related to the error.
string
Example: sender.display
HTTP status: 429

You have exceeded your application's rate limit or the API is currently receiving a high volume of requests.

Headers
Name Description
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Examples

Your application has exceeded its quota

Your application has created a spike in traffic

API is receiving a high volume of requests

Schema

Name Description
object

Operation outcome
resourceType
string

FHIR Resource Type.

Default: OperationOutcome
issue
array

List of issues that have occurred.

Min items: 1
object
severity
string
required

Severity of the error.

Allowed values: fatal, error, warning, information
code
string
required

FHIR error code.

Allowed values: expired, forbidden, invalid, processing, security, throttled
diagnostics
string

Additional diagnostic information about the issue.

Example: Not specified
expression
array

FHIRPath of element(s) related to the error.
string
Example: sender.display

Send an in-app message and push notification

post 
/communication/in-app-with-notification/FHIR/R4/CommunicationRequest

Overview

Use this endpoint to send an in-app message followed by an associated native Apple or Android push notification to one or more NHS App users.

Push notifications will not be sent to users between the hours of 10pm and 6am UK time. If a valid request to send an in-app message with an associated push notification is processed between these hours, the in-app message will be delivered immediately, and the push notification will be scheduled for delivery at 6am.

Recipients are specified by NHS number. A single request to this endpoint can send an identical message and push notification to between 1 and 100 distinct NHS numbers. In-app messages and push notifications will only be sent to users who have had their identity verified to 'high' (P9) level.

If a recipient is an active NHS App user but has not registered a device to receive native push notifications, they will still receive the in-app message.

This endpoint allows you to specify the content that will appear in the in-app message. It does not allow you to specify the content that will appear in the associated push notification. By default the content of the associated push notification will read "You have a new message. This may contain important information.". To discuss changing this standard push notification content for your application, contact the NHS App team.

We are considering making an enhancement to allow the sender name of the in-app message content to be dynamically included in the content of the associated push notification. This may be of benefit if your application sends communications on behalf of several NHS organisations. You can track, comment, and vote for this feature on our interactive product backlog.

When a recipient taps the native notification, the NHS App will open on the in-app messaging inbox page.

We support a subset of Markdown for describing the body text of in-app messages. The length of each in-app message is limited to 5000 characters, including any markdown characters and embedded hyperlinks.

The body of requests made to this endpoint are instances of HL7 FHIR R4 CommunicationRequest resources. This schema documentation describes which fields on that resource we require and support. The API is tolerant of (but will silently ignore) any additionally supplied optional fields. For example, we do not currently honour the doNotPerform or priority fields.

Request

Headers
Name Description
Authorization

String (^Bearer\ [[:ascii:]]+$)

An OAuth 2.0 bearer token.

Example: Bearer g1112R_ccQ1Ebbb4gtHBP1aaaNM

Required
X-Correlation-ID

String

A unique message identifier. We use this to trace the message if you raise an issue with our helpdesk.

If provided, we recommend a GUID for uniqueness and convenience.

This is mirrored back in the response headers.

Example: b5bc6879-103e-4a78-975e-87e815c5da58

Body
Required

Content type: application/json

Example

Sending in app messages and push notifications

Schema

Name Description
object

Communication request for Sending an in-app message together with an associated push notification
resourceType
string
required

FHIR Resource Type - this must be CommunicationRequest.
identifier
array

An optional array of identifiers used to identify this request for later analysis.

We have defined the following two systems for identifiers that will be stored with the request:

  • Campaign ID - denoted by system https://fhir.nhs.uk/NHSApp/campaign-id . This is an optional campaign identifier, used for later identification of a group of multiple communication requests. For example, this could be used to identify all messages that pertain to invitations for a particular vaccination programme.
  • Request Reference - denoted by system https://fhir.nhs.uk/NHSApp/request-id . This is an optional request identifier, used for later identification of a specific request.

Note that these identifier system names are case-sensitive. The values provided for each of these two identifiers are limited to 50 characters, and must not match the regular expression <(.|\n)*?>. No more than one campaign ID and one request reference can be supplied with each request.

The API will not reject requests that contain other identifier systems, but these values will be ignored and not recorded against the request.

When a CommunicationRequest resource is returned in the response body to a successful request, this array will also include a globally unique identifier assigned by the API, with the system urn:ietf:rfc:3986. This is the same logical ID contained within the Location header of the successful response.
object
system
string uri

The namespace for the identifier value

Example: https://fhir.nhs.uk/NHSApp/campaign-id
value
string

The value of the identifier

Example: Optional campaign ID
status
string
required

Request Status of the message. This must always be active (case-sensitive).

Default: active
payload
array
required

The body text of the message to be displayed in the NHS App
object
contentString
string
required

The body text of the message to be displayed in the NHS App. We support a subset of Markdown for in-app messages.

Currently supported Markdown syntax:

  • Emphasis

    • Bold text **Bold**

  • Headings

    • Heading 2 ## Heading 2

    • Heading 3 ### Heading 3

  • Lists

    • Bullet list:

      * Item1

      * Item2

      * Item3

  • Ordered lists

    1. Item1

    2. Item2

    3. Item3

  • Links with text [Link text](https://en.wikipedia.org/wiki/Markdown)

  • Links with title [Link text](https://en.wikipedia.org/wiki/Markdown, "Title text")

  • Images ![NHS Logo](https://assets.nhs.uk/images/nhs-logo.png)

  • Line break, two or more spaces followed by return

    Forcing a line-break   <--(two spaces)
    Next line

Pattern: must not match <(.|\n)*?>
Max length: 5000
Example: You have a new appointment, please confirm you can attend. Open the Onboarded Third Party appointment here https://www.nhsapp.service.nhs.uk/appointments/hospital-appointments
sender
object
required

The sender of the in-app message.
display
string
required

The name to be displayed in the NHS App as the sender of the message. The NHS App user interface will group together messages sent from the same sender name into a single thread of messages.

Pattern: must not match <(.|\n)*?>
Max length: 50
Example: Onboarded Third Party
recipient
array
required

An array of NHS numbers corresponding to the patient(s) to whom this in-app message and push notification should be sent. Each communication may be sent to between 1 and 100 distinct NHS numbers. The communication request will be rejected if any duplicated values exist in this array.

Max items: 100
Min items: 1
object
type
string

FHIR resource type that the reference refers to. This should be Patient.

Example: Patient
identifier
object

Identifier of a recipient. This should be an NHS number.
system
string uri
required

The system that the identifier belongs to. This should be https://fhir.nhs.uk/Id/nhs-number

Default: https://fhir.nhs.uk/Id/nhs-number
value
string
required

The patient's NHS number. The primary identifier of a patient, unique within NHS England and Wales. Always 10 digits and must be a valid NHS number.

Pattern: ^\d{10}$
Example: 9903002157

Response

HTTP status: 201

Request successfully received by the server and queued for sending to recipients.

Headers
Name Description
Location

String

The location of the newly-created resource.
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Example

Schema

Name Description
object

Communication response body for a successful in-app message together with an associated push notification.
resourceType
string

FHIR Resource Type - this will be CommunicationRequest.
identifier
array

An array of identifiers used to identify this request.

This array will always include a globally unique identifier assigned by the API, with the system urn:ietf:rfc:3986.

It will include optional identifiers that were provided in the request if the API recognised the identifier system name.
object
system
string uri

The namespace of the identifier value.

Example: urn:ietf:rfc:3986
value
string

The value of the identifier.

Example: 58dccb28-671f-4237-8095-e80cf54861e1
status
string

Request Status of the message - this will be active.
payload
array

The body text of the message to be displayed in the NHS App.
object
contentString
string

The body text of the message to be displayed in the NHS App.

Example: You have a new appointment, please confirm you can attend. Open the Onboarded Third Party appointment [here](https://www.nhsapp.service.nhs.uk/appointments/hospital-appointments)
sender
object

The sender of the in-app message.
display
string

The name to be displayed in the NHS App as the sender of the message.

Example: Onboarded Third Party
recipient
array

An array of NHS numbers corresponding to the patient(s) to whom this in-app message and push notification was sent.
object
identifier
object

Identifier of a recipient. This will be an NHS number.
system
string uri

The system that the identifier belongs to. This will be https://fhir.nhs.uk/Id/nhs-number.

Default: https://fhir.nhs.uk/Id/nhs-number
value
string

The patient's NHS number.

Pattern: ^\d{10}$
Example: 9903002157
HTTP status: 400

There is an error in your request.

Headers
Name Description
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Examples

Invalid resource type

Payload body text exceeds maximum length

No recipients have been specified

A recipient has an invalid NHS number

Multiple issues - sender name is missing and campaign ID exceed maximum length

Schema

Name Description
object

Operation outcome
resourceType
string

FHIR Resource Type.

Default: OperationOutcome
issue
array

List of issues that have occurred.

Min items: 1
object
severity
string
required

Severity of the error.

Allowed values: fatal, error, warning, information
code
string
required

FHIR error code.

Allowed values: expired, forbidden, invalid, processing, security, throttled
diagnostics
string

Additional diagnostic information about the issue.

Example: Not specified
expression
array

FHIRPath of element(s) related to the error.
string
Example: sender.display
HTTP status: 401

Authorisation issue, for example a missing or expired bearer token.

Headers
Name Description
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Examples

Invalid Access Token

Expired Access Token

Schema

Name Description
object

Operation outcome
resourceType
string

FHIR Resource Type.

Default: OperationOutcome
issue
array

List of issues that have occurred.

Min items: 1
object
severity
string
required

Severity of the error.

Allowed values: fatal, error, warning, information
code
string
required

FHIR error code.

Allowed values: expired, forbidden, invalid, processing, security, throttled
diagnostics
string

Additional diagnostic information about the issue.

Example: Not specified
expression
array

FHIRPath of element(s) related to the error.
string
Example: sender.display
HTTP status: 403

You are not authorised to perform this operation. For example, some onboarded client applications may be permitted to send Push Notifications but not In-app Messages, or vice versa.

Headers
Name Description
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Examples

Application is not permitted to send in-app messages

Application is not permitted to send push notifications

Schema

Name Description
object

Operation outcome
resourceType
string

FHIR Resource Type.

Default: OperationOutcome
issue
array

List of issues that have occurred.

Min items: 1
object
severity
string
required

Severity of the error.

Allowed values: fatal, error, warning, information
code
string
required

FHIR error code.

Allowed values: expired, forbidden, invalid, processing, security, throttled
diagnostics
string

Additional diagnostic information about the issue.

Example: Not specified
expression
array

FHIRPath of element(s) related to the error.
string
Example: sender.display
HTTP status: 429

You have exceeded your application's rate limit or the API is currently receiving a high volume of requests.

Headers
Name Description
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Examples

Your application has exceeded its quota

Your application has created a spike in traffic

API is receiving a high volume of requests

Schema

Name Description
object

Operation outcome
resourceType
string

FHIR Resource Type.

Default: OperationOutcome
issue
array

List of issues that have occurred.

Min items: 1
object
severity
string
required

Severity of the error.

Allowed values: fatal, error, warning, information
code
string
required

FHIR error code.

Allowed values: expired, forbidden, invalid, processing, security, throttled
diagnostics
string

Additional diagnostic information about the issue.

Example: Not specified
expression
array

FHIRPath of element(s) related to the error.
string
Example: sender.display

Send a push notification

post 
/communication/notification/FHIR/R4/CommunicationRequest

Overview

Use this endpoint to send a native Apple or Android push notifications to mobile devices registered by specific users of the NHS App.

Push notifications will not be sent to users between the hours of 10pm and 6am UK time. If a valid request to send a push notification is processed between these hours, the push notification will be scheduled for delivery at 6am.

Recipients are specified by NHS number. A single request to this endpoint can send an identical push notification to between 1 and 100 distinct NHS numbers. Push notifications will only be sent to users who have had their identity verified to 'high' (P9) level.

The body text of notifications can be up to 200 characters in length.

They must not contain

  • personally identifiable information (for example:the name of a user's doctor)
  • sensitive information (for example:details about a health condition)
  • links to external websites

You can also optionally specify a URL for a page within the NHS App to be opened when the recipient taps on the push notification. If a URL is not specified, the NHS App will open on the home page.

The body of requests made to this endpoint are instances of HL7 FHIR R4 CommunicationRequest resources. This schema documentation describes which fields on that resource we require and support. The API is tolerant of (but will silently ignore) any additionally supplied optional fields. For example, we do not currently honour the doNotPerform or priority fields.

Request

Headers
Name Description
Authorization

String (^Bearer\ [[:ascii:]]+$)

An OAuth 2.0 bearer token.

Example: Bearer g1112R_ccQ1Ebbb4gtHBP1aaaNM

Required
X-Correlation-ID

String

A unique message identifier. We use this to trace the message if you raise an issue with our helpdesk.

If provided, we recommend a GUID for uniqueness and convenience.

This is mirrored back in the response headers.

Example: b5bc6879-103e-4a78-975e-87e815c5da58

Body
Required

Content type: application/fhir+json

Example

Sending a push notification

Schema

Name Description
object

Communication request for sending a push notification
resourceType
string
required

FHIR Resource Type - this must be CommunicationRequest.
identifier
array

An optional array of identifiers used to identify this request for later analysis.

We have defined the following two systems for identifiers that will be stored with the request:

  • Campaign ID - denoted by system https://fhir.nhs.uk/NHSApp/campaign-id . This is an optional campaign identifier, used for later identification of a group of multiple communication requests. For example, this could be used to identify all messages that pertain to invitations for a particular vaccination programme.
  • Request Reference - denoted by system https://fhir.nhs.uk/NHSApp/request-id . This is an optional request identifier, used for later identification of a specific request.

Note that these identifier system names are case-sensitive. The values provided for each of these two identifiers are limited to 50 characters, and must not match the regular expression <(.|\n)*?>. No more than one campaign ID and one request reference can be supplied with each request.

The API will not reject requests that contain other identifier systems, but these values will be ignored and not recorded against the request.

When a CommunicationRequest resource is returned in the response body to a successful request, this array will also include a globally unique identifier assigned by the API, with the system urn:ietf:rfc:3986. This is the same logical ID contained within the Location header of the successful response.
object
system
string uri

The namespace for the identifier value

Example: https://fhir.nhs.uk/NHSApp/campaign-id
value
string

The value of the identifier

Example: Optional campaign ID
status
string
required

Request Status of the message. This must always be active (case-sensitive).

Default: active
payload
array
required

The body text to be displayed in the push notification.
object
contentReference
object
required

Structure of body text in the push notification.
reference
string url
required

The URL to a page within the NHS App to be opened when the notification is tapped. If this property is not specified, the App will open on the home screen.

Max length: 1000
Example: https://www.nhsapp.service.nhs.uk/patient/messages/app-messaging
display
string
required

The communication content to appear as a native Apple or Android push notification. Notifications must use unicode characters. They must not contain * personally identifiable information (for example:the name of a user's doctor) * sensitive information (for example:details about a health condition) * links to external websites Notifications can only link to pages and features within the NHS App.

Max length: 200
Example: You have a new message. The message may contain something important.
recipient
array
required

An array of NHS numbers corresponding to the patient(s) to whom this push notification should be sent. Each communication may be sent to between 1 and 100 distinct NHS numbers. The communication request will be rejected if any duplicated values exist in this array.

Max items: 100
Min items: 1
object
type
string

FHIR resource type that the reference refers to. This should be Patient.

Example: Patient
identifier
object

Identifier of a recipient. This should be an NHS number.
system
string uri
required

The system that the identifier belongs to. This should be https://fhir.nhs.uk/Id/nhs-number

Default: https://fhir.nhs.uk/Id/nhs-number
value
string
required

The patient's NHS number. The primary identifier of a patient, unique within NHS England and Wales. Always 10 digits and must be a valid NHS number.

Pattern: ^\d{10}$
Example: 9903002157

Response

HTTP status: 201

Request successfully received by the server and queued for sending to recipients.

Headers
Name Description
Location

String

The location of the newly-created resource.
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Example

Schema

Name Description
object

Communication response body from a successful push notification request.
resourceType
string

FHIR Resource Type - this will be CommunicationRequest.
identifier
array

An array of identifiers used to identify this request.

This array will always include a globally unique identifier assigned by the API, with the system urn:ietf:rfc:3986.

It will include optional identifiers that were provided in the request if the API recognised the identifier system name.
object
system
string uri

The namespace of the identifier value.

Example: urn:ietf:rfc:3986
value
string

The value of the identifier.

Example: 54615138-df34-4a79-840d-dd07e9451519
status
string

Request Status of the message - this will be active
payload
array

The body text to be displayed in the push notification.
object
contentReference
object

Structure of body text in the push notification.
reference
string url

The URL to a page within the NHS App to be opened when the notification is tapped.

Example: https://www.nhsapp.service.nhs.uk/patient/messages/app-messaging
display
string

The communication content to appear as a native Apple or Android push notification.

Example: You have a new message. The message may contain something important.
recipient
array

An array of NHS numbers corresponding to the patient(s) to whom this push notification was sent.
object
identifier
object

Identifier of a recipient. This will be an NHS number.
system
string uri

The system that the identifier belongs to. This will be https://fhir.nhs.uk/Id/nhs-number.

Default: https://fhir.nhs.uk/Id/nhs-number
value
string

The patient's NHS number.

Pattern: ^\d{10}$
Example: 9903002157
HTTP status: 400

There is an error in your request.

Headers
Name Description
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Examples

Invalid resource type

Payload body text exceeds maximum length

No recipients have been specified

A recipient has an invalid NHS number

Multiple issues - sender name is missing and campaign ID exceed maximum length

Schema

Name Description
object

Operation outcome
resourceType
string

FHIR Resource Type.

Default: OperationOutcome
issue
array

List of issues that have occurred.

Min items: 1
object
severity
string
required

Severity of the error.

Allowed values: fatal, error, warning, information
code
string
required

FHIR error code.

Allowed values: expired, forbidden, invalid, processing, security, throttled
diagnostics
string

Additional diagnostic information about the issue.

Example: Not specified
expression
array

FHIRPath of element(s) related to the error.
string
Example: sender.display
HTTP status: 401

Authorisation issue, for example a missing or expired bearer token.

Headers
Name Description
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Examples

Invalid Access Token

Expired Access Token

Schema

Name Description
object

Operation outcome
resourceType
string

FHIR Resource Type.

Default: OperationOutcome
issue
array

List of issues that have occurred.

Min items: 1
object
severity
string
required

Severity of the error.

Allowed values: fatal, error, warning, information
code
string
required

FHIR error code.

Allowed values: expired, forbidden, invalid, processing, security, throttled
diagnostics
string

Additional diagnostic information about the issue.

Example: Not specified
expression
array

FHIRPath of element(s) related to the error.
string
Example: sender.display
HTTP status: 403

You are not authorised to perform this operation. For example, some onboarded client applications may be permitted to send Push Notifications but not In-app Messages, or vice versa.

Headers
Name Description
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Example

Schema

Name Description
object

Operation outcome
resourceType
string

FHIR Resource Type.

Default: OperationOutcome
issue
array

List of issues that have occurred.

Min items: 1
object
severity
string
required

Severity of the error.

Allowed values: fatal, error, warning, information
code
string
required

FHIR error code.

Allowed values: expired, forbidden, invalid, processing, security, throttled
diagnostics
string

Additional diagnostic information about the issue.

Example: Not specified
expression
array

FHIRPath of element(s) related to the error.
string
Example: sender.display
HTTP status: 429

You have exceeded your application's rate limit or the API is currently receiving a high volume of requests.

Headers
Name Description
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Examples

Your application has exceeded its quota

Your application has created a spike in traffic

API is receiving a high volume of requests

Schema

Name Description
object

Operation outcome
resourceType
string

FHIR Resource Type.

Default: OperationOutcome
issue
array

List of issues that have occurred.

Min items: 1
object
severity
string
required

Severity of the error.

Allowed values: fatal, error, warning, information
code
string
required

FHIR error code.

Allowed values: expired, forbidden, invalid, processing, security, throttled
diagnostics
string

Additional diagnostic information about the issue.

Example: Not specified
expression
array

FHIRPath of element(s) related to the error.
string
Example: sender.display

Get a daily communication event report

get 
/communication/report/events

Overview

Use this endpoint to get a daily report of events relating to in-app messages and push notifications that you have previously sent to NHS App users.

An event will be included in this report detailing the outcome of attempting to send each communication to each individual recipient, for each channel (push notification or in-app message). Additionally, for in-app messages only, an event will be included in this report if and when the recipient reads the message.

The information provided by this endpoint is generated by a daily batch process. Note that events in the report may pertain to communication requests that were submitted on earlier days.

Pagination

To avoid returning excessively large response bodies, the results may be split across multiple pages. On retrieving the response for the first page of results, the Link header should be inspected to determine whether any additional pages of results exist. If so, these can be retrieved by making additional request(s) with the optional page parameter specified.

Request

Query parameters
Name Description
day

date (date)

The day for which to retrieve an event report.

Example: 2021-08-25

Required
page

Integer (int32)

The ordinal number of the page of results to be retrieved. If omitted, the first page of results will be returned. Use the Link header in the response to determine whether any further pages of results exist.

Example: 2

Headers
Name Description
Authorization

String (^Bearer\ [[:ascii:]]+$)

An OAuth 2.0 bearer token.

Example: Bearer g1112R_ccQ1Ebbb4gtHBP1aaaNM

Required
X-Correlation-ID

String

A unique message identifier. We use this to trace the message if you raise an issue with our helpdesk.

If provided, we recommend a GUID for uniqueness and convenience.

This is mirrored back in the response headers.

Example: b5bc6879-103e-4a78-975e-87e815c5da58

Response

HTTP status: 200

Information successfully returned.

Headers
Name Description
Link

String

Comma-separated links to the last page and (if applicable) next page of paginated results.
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/json

Example

Schema

Name Description
array

An array of events relating to in-app messages and push notifications that you have previously sent to NHS App users.
object

A single event relating to an in-app message or push notification that your have previously sent to an NHS App user.
eventDateTime
string date-time

The UTC datetime at which the event occurred. Note that this may be several days after the datetime at which the communication request was originally made (particularly for in-app message Read events).

Example: 2021-08-21T13:28:58Z
communicationId
string

Globally unique identifier of the original communication request. This corresponds to the identifier returned with system urn:ietf:rfc:3986 when the request was made to send the communication. As each communication request may have been sent to multiple recipients via multiple channels, many events may be returned for each communicationId.

Max length: 36
Example: 5f0b1083-e179-47a7-b274-b30b5052a8f3
campaignId
string
nullable

If the original communication request included an optional Campaign ID denoted by system https://fhir.nhs.uk/NHSApp/campaign-id, it will be returned in this field.

Max length: 50
requestReference
string
nullable

If the original communication request included an optional Request Reference denoted by system https://fhir.nhs.uk/NHSApp/request-id, it will be returned in this field.

Max length: 50
channel
string

Indicates whether this event related to an in-app message or push notification.

Allowed values: AppMessage, PushNotification
nhsNumber
string ^\d{10}$

NHS number of the recipient.

Example: 9903002157
communicationCreatedDateTime
string date-time

The UTC datetime at which the original communication request was received.

Example: 2021-08-05T13:28:52Z
event
string

Indicates the nature of the event being reported, as follows:

  • Cancelled: A request to send a push notification has been abandoned, because an in-app message to which it related Failed.
  • Completed: Processing of the communication has successfully completed for this recipient and channel. For in-app messages this indicates that the message has been delivered to the patient's NHS App messaging inbox. For push notifications it indicates that the messages has been relayed for sending to the Apple or Google Push Notification Service (PNS), or scheduled for sending at 6am if processing occured during the hours of 10pm to 6am (UK time).
  • Failed: Processing of the communication failed abnormally for this recipient and channel. Further information can be found in the eventDetail field.
  • Read: An in-app message has been read for the first time by the recipient.
  • Rejected: A request to send a communication to this recipient has been rejected. This usually occurs when no NHS App user is known with the specified NHS number, or when attempting to send a push notification to an NHS App user who has not enabled push notifications. Further information can be found in the eventDetail field.
Allowed values: Cancelled, Completed, Failed, Read, Rejected
eventDetail
string
nullable

Gives additional information about the event, particularly where the event was Rejected or Failed.

Example: NHS number not found
HTTP status: 400

There is an error in your request.

Headers
Name Description
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Examples

No day parameter has been specified

The supplied day parameter is not in the correct format.

Schema

Name Description
object

Operation outcome
resourceType
string

FHIR Resource Type.

Default: OperationOutcome
issue
array

List of issues that have occurred.

Min items: 1
object
severity
string
required

Severity of the error.

Allowed values: fatal, error, warning, information
code
string
required

FHIR error code.

Allowed values: expired, forbidden, invalid, processing, security, throttled
diagnostics
string

Additional diagnostic information about the issue.

Example: Not specified
expression
array

FHIRPath of element(s) related to the error.
string
Example: sender.display
HTTP status: 401

Authorisation issue, for example a missing or expired bearer token.

Headers
Name Description
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Examples

Invalid Access Token

Expired Access Token

Schema

Name Description
object

Operation outcome
resourceType
string

FHIR Resource Type.

Default: OperationOutcome
issue
array

List of issues that have occurred.

Min items: 1
object
severity
string
required

Severity of the error.

Allowed values: fatal, error, warning, information
code
string
required

FHIR error code.

Allowed values: expired, forbidden, invalid, processing, security, throttled
diagnostics
string

Additional diagnostic information about the issue.

Example: Not specified
expression
array

FHIRPath of element(s) related to the error.
string
Example: sender.display
HTTP status: 403

You are not authorised to perform this operation. Some client applications may not be permitted to access the event report endpoint. To discuss granting your application access to this endpoint, contact the NHS App team.

Headers
Name Description
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Example

Schema

Name Description
object

Operation outcome
resourceType
string

FHIR Resource Type.

Default: OperationOutcome
issue
array

List of issues that have occurred.

Min items: 1
object
severity
string
required

Severity of the error.

Allowed values: fatal, error, warning, information
code
string
required

FHIR error code.

Allowed values: expired, forbidden, invalid, processing, security, throttled
diagnostics
string

Additional diagnostic information about the issue.

Example: Not specified
expression
array

FHIRPath of element(s) related to the error.
string
Example: sender.display
HTTP status: 429

You have exceeded your application's rate limit or the API is currently receiving a high volume of requests.

Headers
Name Description
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Examples

Your application has exceeded its quota

Your application has created a spike in traffic

API is receiving a high volume of requests

Schema

Name Description
object

Operation outcome
resourceType
string

FHIR Resource Type.

Default: OperationOutcome
issue
array

List of issues that have occurred.

Min items: 1
object
severity
string
required

Severity of the error.

Allowed values: fatal, error, warning, information
code
string
required

FHIR error code.

Allowed values: expired, forbidden, invalid, processing, security, throttled
diagnostics
string

Additional diagnostic information about the issue.

Example: Not specified
expression
array

FHIRPath of element(s) related to the error.
string
Example: sender.display

Get details of NHS App users

get 
/communication/report/patients

Overview

Use this endpoint to get details of patients registered with the NHS App for a given GP surgery, and an indication of whether they have enabled push notifications on one or more devices. The response will only include patients who have had their identity verified to 'high' (P9) level.

Client applications must only invoke this endpoint as agreed with the NHS App team, typically to retrieve details of patients at GP practices where their service is available.

This information can be used by client applications to determine whether it is appropriate to attempt to use the NHS App API to send in-app messages and push notifications to patients, or if alternative communication channels should be used instead.

The information provided by this endpoint is generated by a daily batch process. Client applications should cache and refresh local copies of this data accordingly.

Pagination

To avoid returning excessively large response bodies, the results may be split across multiple pages. On retrieving the response for the first page of results, the Link header should be inspected to determine whether any additional pages of results exist. If so, these can be retrieved by making additional request(s) with the optional page parameter specified.

Request

Query parameters
Name Description
ods-organisation-code

String

The Organisation Data Service (ODS) code of the GP practice for which to retrieve a list of NHS App users. Not case sensitive.

Pattern: /^[A-Za-z]\\d{5}$|^[A-Za-z]\\d[A-Za-z]\\d[A-Za-z]$/

Example: Y00001

Required
page

Integer (int32)

The ordinal number of the page of results to be retrieved. If omitted, the first page of results will be returned. Use the Link header in the response to determine whether any further pages of results exist.

Example: 2

Headers
Name Description
Authorization

String (^Bearer\ [[:ascii:]]+$)

An OAuth 2.0 bearer token.

Example: Bearer g1112R_ccQ1Ebbb4gtHBP1aaaNM

Required
X-Correlation-ID

String

A unique message identifier. We use this to trace the message if you raise an issue with our helpdesk.

If provided, we recommend a GUID for uniqueness and convenience.

This is mirrored back in the response headers.

Example: b5bc6879-103e-4a78-975e-87e815c5da58

Response

HTTP status: 200

Information successfully returned.

Headers
Name Description
Link

String

Comma-separated links to the last page and (if applicable) next page of paginated results.
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/json

Example

Schema

Name Description
array

An array of details of patients registered with the NHS App.
object

Details of a single patient registered with the NHS App.
nhsNumber
string ^\d{10}$

The patient's NHS number.

Example: 9903002157
notificationsEnabled
boolean

Indicates whether the patient has enabled native Android or Apple push notifications on at least one device.

Example: true
HTTP status: 400

There is an error in your request.

Headers
Name Description
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Examples

No ods-organisation-code parameter has been specified

The supplied ods-organisation-code parameter is not in the correct format.

Schema

Name Description
object

Operation outcome
resourceType
string

FHIR Resource Type.

Default: OperationOutcome
issue
array

List of issues that have occurred.

Min items: 1
object
severity
string
required

Severity of the error.

Allowed values: fatal, error, warning, information
code
string
required

FHIR error code.

Allowed values: expired, forbidden, invalid, processing, security, throttled
diagnostics
string

Additional diagnostic information about the issue.

Example: Not specified
expression
array

FHIRPath of element(s) related to the error.
string
Example: sender.display
HTTP status: 401

Authorisation issue, for example a missing or expired bearer token.

Headers
Name Description
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Examples

Invalid Access Token

Expired Access Token

Schema

Name Description
object

Operation outcome
resourceType
string

FHIR Resource Type.

Default: OperationOutcome
issue
array

List of issues that have occurred.

Min items: 1
object
severity
string
required

Severity of the error.

Allowed values: fatal, error, warning, information
code
string
required

FHIR error code.

Allowed values: expired, forbidden, invalid, processing, security, throttled
diagnostics
string

Additional diagnostic information about the issue.

Example: Not specified
expression
array

FHIRPath of element(s) related to the error.
string
Example: sender.display
HTTP status: 403

You are not authorised to perform this operation. Some client applications may not be permitted to access the patient report endpoint. To discuss granting your application access to this endpoint, contact the NHS App team.

Headers
Name Description
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Example

Schema

Name Description
object

Operation outcome
resourceType
string

FHIR Resource Type.

Default: OperationOutcome
issue
array

List of issues that have occurred.

Min items: 1
object
severity
string
required

Severity of the error.

Allowed values: fatal, error, warning, information
code
string
required

FHIR error code.

Allowed values: expired, forbidden, invalid, processing, security, throttled
diagnostics
string

Additional diagnostic information about the issue.

Example: Not specified
expression
array

FHIRPath of element(s) related to the error.
string
Example: sender.display
HTTP status: 429

You have exceeded your application's rate limit or the API is currently receiving a high volume of requests.

Headers
Name Description
X-Correlation-ID

String

The X-Correlation-ID from the request header, if supplied, mirrored back.

Example: 11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA

Body

Content type: application/fhir+json

Examples

Your application has exceeded its quota

Your application has created a spike in traffic

API is receiving a high volume of requests

Schema

Name Description
object

Operation outcome
resourceType
string

FHIR Resource Type.

Default: OperationOutcome
issue
array

List of issues that have occurred.

Min items: 1
object
severity
string
required

Severity of the error.

Allowed values: fatal, error, warning, information
code
string
required

FHIR error code.

Allowed values: expired, forbidden, invalid, processing, security, throttled
diagnostics
string

Additional diagnostic information about the issue.

Example: Not specified
expression
array

FHIRPath of element(s) related to the error.
string
Example: sender.display