Versioning of Appointment resources
In order to prevent any loss of data, Appointment resources are protected against concurrency problems, as described in the FHIR standard. The use of a version identifier for each resource prevents that resource being a newer version of that resource being unwittingly overwritten as per the FHIR Standard.
Use of the SSP and associated HTTP Headers
All calls to Provider systems are made through the Spine Secure Proxy (SSP). This gives a number of benefits:
- It allows Provider systems to only allow inbound connections from a known address (i.e. the SSP), and also means that Consumer systems only need to make connections to a single network address.
- It simplifies the setup of TLS/MA (Transport Level Security with Mutual Authentication) so each system (Consumer and Provider) only needs to be authenticated to the SSP.
It does however require some minor additional overhead:
- The URL of the SSP MUST be concatenated with the Provider system URL.
- Custom HTTP headers MUST be included in all requests to Provider systems.
Concatenating the URLs
The actual URL of the SSP will depend on the environment in use, therefore an artificial URL will be used here for demonstration purposes.
Example SSP URL:
https://testspineproxy.nhs.uk/
Example Provider URL being called:
https://provider.nhs.uk/STU3/Appointment/
The concatenated URL would be:
https://testspineproxy.nhs.uk/https://provider.nhs.uk/STU3/Appointment/
Consumers MUST take care to ensure that one and only one ’/’ character is included between the SSP URL and the Provider URL.
HTTP Headers
The following http headers are required by the SSP. NB These are in addition to the JWT required in an Authorization header as described elsewhere.
| Key | Value | Description |
|---|---|---|
| Ssp-TraceID | A UUID | A traceable Identifier which can later be used at both Consumer and Provider to trace back to this request. This UUID SHOULD be unique to either the individual http request being made, but at a minimum MUST be unique to the Patient call being handled. |
| Ssp-From | An ASID | The ASID value which has been assigned by NHS Digital to the Consumer system. |
| Ssp-To | An ASID | The ASID value of the Provider system being called. |
| Ssp-InteractionID | One of the Interaction IDs shown below. | The Interaction ID retrieved from SDS and described below. |
Interaction IDs
| Value | Description and usage |
|---|---|
urn:nhs:names:services:careconnect:fhir:rest:read:metadata |
Used when sending a request through the SSP to a Provider system to retrieve the CapabilityStatement resource, which describes the server’s capabilities. |
urn:nhs:names:services:careconnect:fhir:rest:search:slot |
Used when requesting available Slots from a Provider system. |
urn:nhs:names:services:careconnect:fhir:rest:create:appointment |
Used when POSTing a new Appointment resource to a Provider in order to book an appointment. |
urn:nhs:names:services:careconnect:fhir:rest:search:appointment |
Used when searching the Registry for Appointments for a specific Patient. |
urn:nhs:names:services:careconnect:fhir:rest:read:appointment |
Used when reading an existing Appointment. |
urn:nhs:names:services:careconnect:fhir:rest:update:appointment |
Used when updating an existing appointment, for example when setting it to Cancelled. |
Provider Demonstrator
To support development, a synthetic Provider system has been created. This allows development to proceed without being tightly coupled to the timescales of another system supplier.
Validating resources
Guidance for validating FHIR resources used in this specification can be found at this site.
JWT utilities
Once a JWT has been created, there are a couple of useful public resources for decoding them, jwt.io is useful, however Jwt.ms is slightly more user friendly.
