NHS CIS2 Care Identity Authentication API

Use this API to access NHS Care Identity Service 2 (NHS CIS2) - the national service for verifying the identity of healthcare workers in England, such as NHS staff, when they access national clinical information systems. You can also get basic profile information about these end users.

You can authenticate the healthcare workers using:

• a CIS smartcard - with or without the Credential Management Application
• an iPad 
• a Windows 10 tablet 
• a security key

For further details, see Ways to authenticate using NHS Care Identity Service 2.

This API can only be used where there is a legal basis to do so. Make sure you have a valid use case and Check if NHS CIS2 fits your needs before you go too far with your development.

You must do this before you can go live (see 'Onboarding' below).

The NHS CIS2 Care Identity Authentication API is replacing the following API from our Care Identity Service (CIS):

• Spine Security Broker API - use this API to provide single sign-on for healthcare workers using NHS smartcards

The following API is related to NHS CIS2 Care Identity Authentication API:

• Spine Directory Service - LDAP API - use this API to access details of healthcare workers, including their organisation and roles that are registered in the Spine Directory Service (SDS) using our LDAP API

The following API is similar to NHS CIS2 Care Identity Authentication API:

• NHS login API - use this API to access multiple digital health and social care services with a single login for patients and the public, including authentication for returning users

This API is in production.

This API is a platinum plus service, meaning:

• it is operational and supported 24 x 7 x 365
• it has an availability of 99.99% in supported hours

For more details, see service levels.

This API uses OpenID Connect 1.0 (OIDC) authentication standard which is a simple identity layer on top of the OAuth 2.0 protocol.

For guidance on OIDC 1.0 and how to use it with OAuth 2.0  to verify the identity of users and to obtain their basic profile information, see NHS Care Identity Service 2 guidance for developers. 

This API is available on the internet and, indirectly, on the Health and Social Care Network (HSCN).

To strongly authenticated a healthcare worker using an NHS smartcard, you need an HSCN connection.

For more details see Network access for APIs.

The security model for this API conforms to OpenID Connect 1.0 (OIDC) . 

For security and authentication details, see the guidance on client authentication credentials.

For detailed guidance on NHS CIS2 environments and testing, see the NHS Care Identity Service 2 path to live process.

You need to get your software approved by NHS CIS2 before it can go live with this API. We call this onboarding. The onboarding process can sometimes be quite long, so it’s worth planning well ahead.

For onboarding with NHS CIS2, follow the guidance available at:

• Apply for NHS CIS2
• Prepare and plan
• Test and integrate
• Go live and support 

The Care Identity Authentication uses OIDC's most commonly used Authorization Code Flow which is designed for use with web applications.

It has the following endpoints:

• Token
• UserInfo
• authorize endpoint
• .well-known endpoint
• jwks endpoint

For further details, see Authorization Code Flow or contact us.