Authentication
These API standards are application-restricted, meaning:
In particular, these API standards use TLS-MA authentication.
For more details on authentication, see application-restricted APIs.
Even though these API standards do not technically require the end user to be authenticated, a condition of onboarding is that the calling application must:
- authenticate the end user locally
- use local role-based access controls to authorise the end user
The calling application must ensure that:
- the patient’s identity is verified against the Personal Demographics Service
- the healthcare worker is authenticated via smartcard or a modern alternative
- the healthcare worker has the appropriate RBAC permissions to access the patient’s SCR
- a legitimate relationship (or the equivalent) exists between the healthcare worker and the patient
For more details, see Information governance for Summary Care Records.
Authorisation
For some activities, the end user must be authorised to perform that activity.
These API standards do not perform any authorisation checks. Rather, the calling system is expected to perform them. The authorisation rules are specified in our national Role Based Access Control (RBAC) database.
For more details see our national Role Based Access Control (RBAC) database on the registration authorities key documents page.
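As an added illustration (not code from the original page or from the API standards themselves), the following shows the kind of fail-closed local gate a calling application could run before requesting an SCR: it combines the four onboarding conditions from the Authentication section with an activity-level RBAC check as described under Authorisation. The role codes, the activity name and the RBAC table are constructed placeholders, not values from the national RBAC database.

```python
from dataclasses import dataclass

# Constructed placeholder RBAC table: role code -> activities the role permits.
# The authoritative rules live in the national RBAC database, not here.
RBAC_ACTIVITIES = {
    "ROLE_PLACEHOLDER_CLINICIAN": {"view_scr"},  # permitted to view SCRs
    "ROLE_PLACEHOLDER_ADMIN": set(),             # no SCR activities at all
}


@dataclass(frozen=True)
class AccessContext:
    """What the calling application has established locally for this request."""
    pds_verified: bool              # patient identity verified against PDS
    smartcard_authenticated: bool   # worker authenticated via smartcard or modern alternative
    role_codes: frozenset           # role codes assigned to the worker
    legitimate_relationship: bool   # legitimate relationship (or equivalent) with the patient


def denied_reasons(ctx: AccessContext, activity: str = "view_scr") -> list:
    """Return every unmet condition; an empty list means the request may proceed."""
    reasons = []
    if not ctx.pds_verified:
        reasons.append("patient identity not verified against PDS")
    if not ctx.smartcard_authenticated:
        reasons.append("healthcare worker not authenticated")
    # RBAC: at least one of the worker's roles must permit the requested activity.
    permitted = set().union(*(RBAC_ACTIVITIES.get(r, set()) for r in ctx.role_codes))
    if activity not in permitted:
        reasons.append(f"no role permits activity '{activity}'")
    if not ctx.legitimate_relationship:
        reasons.append("no legitimate relationship with the patient")
    return reasons


def may_access_scr(ctx: AccessContext, activity: str = "view_scr") -> bool:
    """Fail closed: only an empty reason list authorises the call."""
    return not denied_reasons(ctx, activity)
```

Every denial reason is returned rather than just the first, so the calling system can log the full set of unmet conditions for audit.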