NHS CIS Authentication (Spine Security Broker) API

Use this API to verify the identity of healthcare workers in England, such as NHS staff. It provides a single sign-on capability across local and national digital services using physical and virtual smartcards.

This API is also known as the Spine Security Broker (SSB), and is part of the NHS Care Identity Service (CIS).

You can:

• access the Identity Server which serves up SSO Tokens and manages the sessions for users who have been successfully authenticated
• access the Identity Agent on the end user's workstation, which mediates the authentication transaction and serves subsequent user information on demand as part of the application's authorisation process
• access the Client Signing Interface, which provides client-side digital signing functions for the purposes of Content Commitment. This interface primarily uses cryptographic functions that execute on a user’s smart card.

Users can only be authenticated if they are formally registered on the Spine. This includes creating a user profile, stored in the Spine Directory Service (SDS), containing the user’s roles and other information that the Registration Authority or Service deems necessary to make appropriate data access decisions.

This authentication service makes use of smartcards to provide strong authentication for health care workers to control access to national services. It is being replaced by NHS CIS2 Authentication which provides additional authentication methods for scenarios where a smartcard might not be preferred or appropriate.

This API is described fully in the Spine External Interface Specification (EIS). Part 6 has the overview and part 7 the formal API specifications. These are a set of Word documents that provide system developers - architects, designers and builders - with the necessary information to connect to Spine national services.

This API can only be used where there is a legal basis to do so. Make sure you have a valid use case before you go too far with your development. 

You must have made this request before you can go live (see 'Onboarding' below).

The following APIs are related to this one:

• NHS CIS2 Care Identity Authentication API - use this to verify the identity of healthcare workers in England, such as NHS staff, when they access national clinical information systems. This will replace the Spine Security Broker API eventually.
• Spine Directory Service - FHIR API - use this to access accredited system information and messaging endpoint details in the Spine Directory Service (SDS) using our FHIR-conformant API.
• Spine Directory Service - LDAP API - use this to access details of organisations, people and systems registered in the Spine Directory Service (SDS) using our LDAP API.

This API is in production but deprecated and is due to be retired on 30 September 2023.

If you are developing a new integration, we strongly recommend using the NHS CIS2 Care Identity Authentication API instead.

If you have any concerns, contact us.

This API is a platinum service, meaning:

• it is operational and supported 24 hours a day, 365 days a year
• it has an availability of 99.9% in supported hours

For more details, see service levels.

This API is a SOAP API.

For more details, see Basic SOAP.

You need an HSCN connection to use this API. This is because the client-side Identity Agent component requires HSCN to talk to its server-side counterparts.

For a similar API that is available on the internet, consider NHS CIS2 Care Identity Authentication API.

For more details, see Network access for APIs.

The security and authorisation aspects of this API are explained in detail in the Spine External Interface Specification (EIS) Part 6, specifically sections:

• 6.5 Server-side components
• 6.6 SSB authorisation and authentication limitations
• 6.7 SSB authorisation and authentication storyboard and use cases

You can test this API using our Path to Live environments.

You must get your software onboarded before it can go live.

Contact us before onboarding with this API. It uses the Common Assurance Process (CAP) which is tailored for each NHS service.

For a full list of interactions for this API, see the Spine External Interface Specification (EIS), specifically:

• Part 6 - the overview
• Part 7 - the formal specifications of the Java and C APIs