{"openapi":"3.0.0","info":{"title":"Digital Signature Service API","version":"{VERSION}","contact":{"name":"Digital Signature Service API","url":"https://digital.nhs.uk/developer/help-and-support","email":"api.management@nhs.net"},"description":"## Overview\nUse this API to allow a healthcare worker to digitally sign documents such as prescriptions. This API is part of [Care Identity Service](https://digital.nhs.uk/services/care-identity-service).\n\nThe end user must be strongly authenticated using a [CIS2 authenticator](https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication/authenticators) - either a smartcard or a modern alternative.\nThe authenticator must have a 'very high confidence' assurance level ([AAL3](https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication/authenticators#assurance-levels)).\n\nAlso, at the point of signing, the end user must complete a 'presence check', which might require them to re-authenticate. \n\nYou can sign up to 250 documents at a time.\n\nCurrently, the only approved use case for this API is signing prescriptions. Other use cases might be added in the future.\n\n## Who can use this API\nYou can only use this API for prescribing medications via the Electronic Prescription Service. Other use cases might be introduced in the future.\n\nMake sure you have a [valid use case](https://digital.nhs.uk/services/electronic-prescription-service/guidance-for-suppliers) before you complete your development. You must do this before you can go live.\n\nYou must get approval before you can go live. For more information, see [Onboarding](#overview--onboarding).\n\n## How it works\n\nTo sign prescriptions, use this API alongside one of the following APIs:\n- [EPS FHIR Prescribing API](https://digital.nhs.uk/developer/api-catalogue/eps-fhir-prescribing-api)\n- [Electronic Prescription Service HL7 V3 API](https://digital.nhs.uk/developer/api-catalogue/electronic-prescription-service-hl7-v3)\n\n### Signing prescriptions with the EPS FHIR Prescribing API\n\n1. Ensure the user is authenticated with [CIS2 Authentication](https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication),\n   using a [CIS2 authenticator](https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication/authenticators) with a 'very high confidence' assurance level\n   ([AAL3](https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication/authenticators#assurance-levels)).\n2. Prepare the prescription(s) for signing, using the [Encode prescription data so it's ready to sign](https://digital.nhs.uk/developer/api-catalogue/eps-fhir-prescribing-api#post-/FHIR/R4/$prepare)\n   operation on the EPS FHIR Prescribing API.\n3. Request signatures for the prescription(s), using the [Request signatures](#post-/signaturerequest) operation on this API.\n4. Redirect the user's browser to the URL we provided in the response.\n5. The user performs a 'presence check' - which might require them to re-authenticate using their CIS2 authenticator.\n6. We redirect the user's browser back to your application using your DSS callback URL (see [Environments and testing](overview--environments-and-testing)).\n7. Get the signed prescription(s) and certificate using the [Get signatures](#get-/signatureresponse/-token-) operation on this API.\n8. Create the prescription(s) in EPS, using the [Create a new prescription](https://digital.nhs.uk/developer/api-catalogue/eps-fhir-prescribing-api#post-/FHIR/R4/$process-message-prescription-order)\n   operation on the EPS FHIR Prescribing API.\n\n### Signing prescriptions with the EPS HL7 V3 API\n\n1. Ensure the user is authenticated with [CIS2 Authentication](https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication),\n   using a [CIS2 authenticator](https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication/authenticators) with a 'very high confidence' assurance level\n   ([AAL3](https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication/authenticators#assurance-levels)).\n2. Prepare the prescription(s) for signing, by generating an HL7 XML prescription with a SHA256 digest.\n   A typical SHA256 digest looks like this:\n\n    `<SignedInfo xmlns=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"></CanonicalizationMethod><SignatureMethod Algorithm=\\\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\\\"></SignatureMethod><Reference><Transforms><Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"></Transform></Transforms><DigestMethod Algorithm=\\\"http://www.w3.org/2001/04/xmlenc#sha256\\\"></DigestMethod><DigestValue>2IIbxwk4Kwfnb+FdMEIBzDcOySJ7D6z1hpJtes33bMY=</DigestValue></Reference></SignedInfo>`\n    \n3. Request for the prescription(s) to be signed, using the [Request signatures](#post-/signaturerequest) operation on this API.\n4. Redirect the user's browser to the URL we provided in the response.\n5. The user performs a 'presence check' - which might require them to re-authenticate using their CIS2 authenticator.\n6. We redirect the user's browser back to your application using your DSS callback URL (see [Environments and testing](overview--environments-and-testing)).\n7. Get the signed prescription(s) using the [Get signatures](#get-/signatureresponse/-token-) operation on this API.\n8. Create the prescription(s) in EPS:\n    * Insert the signature into the `<SignatureValue>` element of the prescription XML.\n    * Insert the certificate into the `<X509Certificate>` element of the prescription XML.\n    * Send the signed prescription XML to EPS using the [EPS HL7 V3 API](https://digital.nhs.uk/developer/api-catalogue/electronic-prescription-service-hl7-v3).\n\n### Batch signing\nYou can sign up to 250 prescriptions at a time by including multiple payloads in the JWT when you use the [Request signatures](#post-/signaturerequest) operation.\n\nEach payload must have a unique `id` field, which is used to match up the signatures with the prescriptions when you use the [Get signatures](#get-/signatureresponse/-token-) operation.\n\n### Client-side software\nIf the user is authenticating with a smartcard, they need to have driver software installed on their client device. For more details, see [Technology](#overview--technology).\n\n### Local versus remote signing\nIf the user authenticates with a smartcard, documents are signed 'locally' on the client device using the driver software.\nIf the user authenticates via any other method, documents are signed 'remotely' on our server.\nIn the future, we might change the service so that documents are signed remotely for all authenticators, including smartcards.\n\nThe signing method affects how we redirect the user's browser back to your application after the presence check:\n* For local signing, we update the browser's location to redirect back to your application.\n* For remote signing, we send an HTTP 302 response to redirect back to your application.\n\nAll of this is transparent to your application.\n\n### Native applications\nThis API uses CIS2 Authentication for the presence check, which is primarily designed to be used with browser-based applications.\nHowever, it can also be used with native desktop or mobile applications.\nFor more details, see [Native applications](https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication/integrate/design-and-build/native-applications).\n\n### Dispensing systems and certificates\nPrescriptions signed with this API use two different security certificates:\n* locally signed prescriptions use 'NHS Signing G2'\n* remotely signed prescriptions use 'NHS Signing G2 Level 2'\n\nDispensing systems that use the [EPS HL7 V3 API](https://digital.nhs.uk/developer/api-catalogue/electronic-prescription-service-hl7-v3)\nneed to install both of these certificates in their trust stores, in order to verify signatures on both locally and remotely signed prescriptions.\n\nDispensing systems that use the [EPS FHIR Dispensing API](https://digital.nhs.uk/developer/api-catalogue/eps-fhir-dispensing-api)\ndo not need to install these certificates, as the EPS FHIR API verifies signatures itself.\n\n## Related APIs\nThe following APIs are related to this API:\n* [CIS2 Authentication](https://digital.nhs.uk/developer/api-catalogue/cis2-authentication) - use this integration to authenticate the end user\n* [EPS FHIR Prescribing API](https://digital.nhs.uk/developer/api-catalogue/eps-fhir-prescribing-api) - use this API to send prescriptions electronically once signed by the Digital Signature Service API\n* [EPS FHIR Dispensing API](https://digital.nhs.uk/developer/api-catalogue/eps-fhir-dispensing-api) - use this API to dispense prescriptions\n\n## API status and roadmap\nThis API is in [beta](https://digital.nhs.uk/developer/guides-and-documentation/reference-guide#statuses), meaning it's available in production but might still be subject to breaking changes.\n\nFor details of future changes, see [Care Identity Service roadmap](https://digital.nhs.uk/services/care-identity-service/roadmap).\n\n## Technology\nThis API is [RESTful](https://digital.nhs.uk/developer/guides-and-documentation/api-technologies-at-nhs-digital#basic-rest).\n\nIf the user is authenticating with a smartcard, they need to have driver software installed on their client device.\nThis software is required both by CIS2 Authentication and by this API. There are two options:\n* Smartcard Connect - works over the internet (recommended)\n* Credential Management / Identity Agent - limited to [HSCN](#overview--network-access)\n\nFor more details, see [Set up and troubleshoot Credential Management and Smartcard Connect](https://digital.nhs.uk/services/care-identity-service/setting-up-and-troubleshooting/set-up-and-troubleshoot-credential-management-and-smartcard-connect).\n\n## Network access\nThis API is available on the internet and, indirectly, on the [Health and Social Care Network (HSCN)](https://digital.nhs.uk/services/health-and-social-care-network).\n\nFor more details see [Network access for APIs](https://digital.nhs.uk/developer/guides-and-documentation/network-access-for-apis).\n\n## Security and authorisation\nThis API is [user-restricted](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation#user-restricted-apis),\nmeaning an end user must be present and authenticated to use it.\n\nThe end user must be:\n* a healthcare professional\n* strongly authenticated using [CIS2 Authentication](https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication),\n  to [authenticator assurance level AAL3](https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication/authenticators#assurance-levels).\n\nIn particular, you must use the following security pattern:\n* [User-restricted RESTful APIs - CIS2 separate authentication and authorisation](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/user-restricted-restful-apis-cis2-separate-authentication-and-authorisation)\n\n## Errors\nWe use standard HTTP status codes to show whether an API request succeeded or not. They are usually in the range:\n\n* 200 to 299 if it succeeded, including code 202 if it was accepted by an API that needs to wait for further action\n* 400 to 499 if it failed because of a client error by your application\n* 500 to 599 if it failed because of an error on our server\n\nErrors specific to each operation are shown in the Operations section, under Response. See our [reference guide](https://digital.nhs.uk/developer/guides-and-documentation/reference-guide#http-status-codes) for more on errors.\n\n## Environments and testing\n\n| Environment                                 | URL                                                                  |\n|---------------------------------------------|----------------------------------------------------------------------|\n| Sandbox                                     | `https://sandbox.api.service.nhs.uk/signing-service`                 |\n| Integration test                            | `https://int.api.service.nhs.uk/signing-service`                     |\n| Production                                  | `https://api.service.nhs.uk/signing-service`                         |\n\n### Sandbox testing\nOur [sandbox environment](https://digital.nhs.uk/developer/guides-and-documentation/testing#sandbox-testing):\n* is for early developer testing\n* only covers a limited set of scenarios\n* is stateless, so it does not store data\n* is open access, so does not allow you to test API authorisation\n* does not exactly replicate live (for example it supports mock signing which isn't supported in live) \n\nFor more details on sandbox testing, or to try out the sandbox using our \"Try this API\" feature, see the documentation for each endpoint.\n\n### Integration testing\nOur [integration test environment](https://digital.nhs.uk/developer/guides-and-documentation/testing#integration-testing):\n* is for formal integration testing\n* is stateful, so it does persist data\n* includes API authorisation, with any of the [CIS2 authenticators](https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication/authenticators) (AAL3 only)\n\nThis API cannot currently be used with our [mock authorisation service](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/testing-apis-with-our-mock-authorisation-service).\nWhen we have this working, you'll also be able to simulate the presence check and signing process by authenticating as mock user 656005750107 and appending `&mock=true` to the redirect URI we provide in the response to the [Request signatures](#post-/signaturerequest) operation.\n\nFor more details see [integration testing with our RESTful APIs](https://digital.nhs.uk/developer/guides-and-documentation/testing#integration-testing-with-our-restful-apis).\n\n### Registering your DSS callback URL\nTo use our API in the integration test or production environments, you'll need to register your DSS callback URL with us.\nThis is the URL that we call once the user has completed the presence check (as explained in [How it works](#overview--how-it-works)).\n\nYou need to do this separately for each environment, and you can currently only have one DSS callback URL per environment.\n\nTo register your DSS callback URL for the integration test environment:\n  1. Sign in to your [developer account](https://onboarding.prod.api.platform.nhs.uk/Index).\n  2. Select 'Environment access'.\n  3. Select your application (or add an application if you haven't already got one). This much be an application in the integration test environment.\n  4. Select 'Add custom attribute'.\n  5. Set the custom attribute name to 'signingServiceCallbackUrl' and the value to your DSS callback URL in your integration test environment.\n  6. Select 'Add'.\n\nTo register your DSS callback URL for production, see [Request access to the Digital Signature Service](https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication/request-access-to-the-digital-signature-service).\n\nIn the future, we're planning to allow multiple DSS callback URLs in the integration test environment.\n\n## Onboarding\nYou need to get your software approved by us before it can go live with this API. We call this onboarding. The onboarding process can sometimes be quite long, so it's worth planning well ahead.\n\nTo onboard to this API, you'll need to:\n1. Onboard to [CIS2 Authentication](https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication) first.\n2. Onboard to the service or API that requires you to use the Digital Signature Service API.\n\nCurrently, you can use this API with the following APIs:\n- [EPS FHIR Prescribing API](https://digital.nhs.uk/developer/api-catalogue/eps-fhir-prescribing-api)\n- [Electronic Prescription Service HL7 V3 API](https://digital.nhs.uk/developer/api-catalogue/electronic-prescription-service-hl7-v3)\n"},"servers":[{"url":"https://sandbox.api.service.nhs.uk/signing-service","description":"Sandbox"},{"url":"https://int.api.service.nhs.uk/signing-service","description":"Integration test"},{"url":"https://api.service.nhs.uk/signing-service","description":"Production"}],"paths":{"/signaturerequest":{"post":{"operationId":"request-signatures","summary":"Request signatures","description":"## Overview\nUse this operation to request signatures for documents, from a minimum of 1 up to a maximum of 250.\n\nThe operation returns:\n- a redirect URI, to which you must redirect your user's browser - this allows us to preform a 'presence check'\n- a token, which you can use to get the signatures after the presence check, using the [Get signatures](#get-/signatureresponse/-token-) operation\n\nFor more details, see [How it works](#overview--how-it-works).\n\n### Presence check errors\n\nAfter the user has completed the presence check in the browser, a JSON error message may be displayed. This happens after a valid CIS2 re-authentication, suggesting an invalid or inconsistent payload.\nThis means the Digital Signature Service couldn't verify that the current user has permission to sign the payload.  The exact issue is not returned over the API but the following are potential reasons:\n  * Key ID in JWT not registered in JWKS\n  * The JWKS isn't valid JSON\n  * The JWT has already expired (i.e. exp field represents a time in the past)\n  * JWT not correctly signed\n  * JWT included payloads field, but was an empty list, so there are no payloads to sign\n  * The `sub` field in the provided JWT does not match the user that just authenticated\n\n### Sandbox behaviour\nThe sandbox environment requires a valid JWT in the request body.\nIt always returns the same redirect URI and token, regardless of the JWT you provide.\nThe redirect URI does work but you do not actually get a presence check, and you can immediately call the [Get signatures](#get-/signatureresponse/-token-) operation with the token to get a signature response.\nYou cannot configure the DSS callback URL in the sandbox - we always redirect to a predefined URL.\n","parameters":[{"in":"header","name":"Authorization","description":"An [OAuth 2.0 bearer token](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation#user-restricted-apis).\n\nRequired in all environments except sandbox.\n","required":true,"schema":{"type":"string","format":"^Bearer\\ [[:ascii:]]+$","example":"Bearer g1112R_ccQ1Ebbb4gtHBP1aaaNM"}},{"in":"header","name":"X-Request-ID","required":false,"description":"A optional globally unique identifier (GUID) for the request. Used \nto trace the request if you contact our helpdesk. Must be a universally unique identifier (UUID) \n(ideally version 4). Mirrored back in a response header. If you re-send a failed request, use the same value\nin this header.\n","schema":{"type":"string","example":"6d3d3674-7ce5-11ec-90d6-0242ac121234"}},{"in":"header","name":"X-Correlation-ID","required":false,"description":"An optional ID which you can use to track transactions across multiple systems. It can have any value, but avoid `.` characters.\n\nMirrored back in a response header.\n","schema":{"type":"string","example":"11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA"}}],"requestBody":{"description":"A signed JWT containing details of the document(s) to be signed. See the schema for details on how to construct the JWT.","required":true,"content":{"text/plain":{"schema":{"type":"string","description":"A signed [JWT](https://tools.ietf.org/html/rfc7519) containing the document(s) to be signed.\n\nThe JWT header must include the following fields:\n* `typ` - the type of the token. This must be `JWT`.\n* `alg` - the algorithm used to sign the token. This must be `RS512`.\n* `kid` - the ID of the key which the service uses to verify the JWT signature.\n\nThe JWT payload must include the following fields:\n* `iss` - the issuer of the token. This must be the [API key](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/user-restricted-restful-apis-cis2-separate-authentication-and-authorisation#step-2-register-your-application-on-the-api-platform) of your application.\n* `sub` - the subject of the token. This must be the SDS user ID of the person requesting the signature and must match the user who authenticated.\n* `aud` - the intended audience of the token. This must be the URL of the Signing Service, for example `https://int.api.service.nhs.uk/signing-service`.\n* `exp` - the expiry time of the token. This must be at most 10 minutes in the future.\n* `iat` - the time the token was issued.\n* `algorithm` - the algorithm which is used to sign the prescription itself (not the JWT).\n  Values are defined in [JSON Web Signature and Encryption Algorithms](https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms).\n  `RS256` and `RS512` are supported by this API, but for signing prescriptions you must use `RS256`.\n* `payloads` - a list of objects, each containing the following fields:\n  * `id` - an identifier for the payload. This can be used to match up the signature with the payload which was signed.\n  * `payload` - the [base64](https://tools.ietf.org/html/rfc4648#section-4) encoded payload to be signed.\n\nThe JWT signature must be present, and must use the `RS512` algorithm.\nIt must be signed with a private key that matches one of your [registered public keys](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/user-restricted-restful-apis-cis2-separate-authentication-and-authorisation#step-4-register-your-public-key).\n","pattern":"^[a-zA-Z0-9\\-_]+?\\.[a-zA-Z0-9\\-_]+?\\.[a-zA-Z0-9\\-_]+?$"},"example":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzUxMiIsImtpZCI6ImtleS0xIn0.eyJwYXlsb2FkcyI6W3siaWQiOiIwIiwicGF5bG9hZCI6IlBGTnBaMjVsWkVsdVptOCtQRU5oYm05dWFXTmhiR2w2WVhScGIyNU5aWFJvYjJRZ1FXeG5iM0pwZEdodFBTSm9kSFJ3T2k4dmQzZDNMbmN6TG05eVp5OHlNREF4THpFd0wzaHRiQzFsZUdNdFl6RTBiaU1pUGp3dlEyRnViMjVwWTJGc2FYcGhkR2x2YmsxbGRHaHZaRDQ4VTJsbmJtRjBkWEpsVFdWMGFHOWtJRUZzWjI5eWFYUm9iVDBpYUhSMGNEb3ZMM2QzZHk1M015NXZjbWN2TWpBd01DOHdPUzk0Yld4a2MybG5JM0p6WVMxemFHRXhJajQ4TDFOcFoyNWhkSFZ5WlUxbGRHaHZaRDQ4VW1WbVpYSmxibU5sUGp4VWNtRnVjMlp2Y20xelBqeFVjbUZ1YzJadmNtMGdRV3huYjNKcGRHaHRQU0pvZEhSd09pOHZkM2QzTG5jekxtOXlaeTh5TURBeEx6RXdMM2h0YkMxbGVHTXRZekUwYmlNaVBqd3ZWSEpoYm5ObWIzSnRQand2VkhKaGJuTm1iM0p0Y3o0OFJHbG5aWE4wVFdWMGFHOWtJRUZzWjI5eWFYUm9iVDBpYUhSMGNEb3ZMM2QzZHk1M015NXZjbWN2TWpBd01DOHdPUzk0Yld4a2MybG5JM05vWVRFaVBqd3ZSR2xuWlhOMFRXVjBhRzlrUGp4RWFXZGxjM1JXWVd4MVpUNDVVVWg2VVdGR2FUSnRMMnBuTmpGWWEzUkVRemRNYTNWb1JGVTlQQzlFYVdkbGMzUldZV3gxWlQ0OEwxSmxabVZ5Wlc1alpUNDhMMU5wWjI1bFpFbHVabTgrIn1dLCJhbGdvcml0aG0iOiJSUzI1NiIsImlhdCI6MTc3Mzg1NTcxNywiZXhwIjoxNzczODU2MDE3LCJhdWQiOiJodHRwczovL2ludGVybmFsLWRldi5hcGkuc2VydmljZS5uaHMudWsvc2lnbmluZy1zZXJ2aWNlIiwiaXNzIjoicXZQOU5vUWNPVnFLclhFZHRMdjhCMGo3cDVWbWpQRGQiLCJzdWIiOiJ2YWxpZF91c2VyIn0.S2-OcsEcqzBLN6bIN0o4c5WaGNsCn9dOFtIS9Hig49HNnRYDJj5Ktbf6qNa-w0s8sWaZG2qkz35GjaTcrAWSNJaLWAsj-YJUvFJTIGtgRQOBSPYOk8qbIHFTnOhgIUAs8IWuqUbI5HJ-SqPM0hixKvE5VJ7ezSzezMVCu6910z8hIdUMihw90HYniDG_AkUUSmmeS7fU5GMqOCWEksC40MBRX2m0_y-UihPPiXunJ8ZgzUJ9nImRT72W-juSlKk0z9Pf6YN8swNE96_EGVbiBax-HUBDob98hgWnkfEXO7SyQMn6hi7TNxmUiiLYj4cdRnCo7Wdt4mUcNl0C9FSgonl59wSJh5BCovcB0pYadAhDducdcXgr7DNz_DHglKW7RsAUat3tKUhpAZWohPwpAAsNkky1yDmULwoHrw_ssr0ndxTwWeGvWKiyZOfLVX8C_OnBEX7FZZW1Y3yRnFh2R25T5olh0_F4tjq1v-Synr-K6I9qJgvcX8dDSELCV7_lnQLTMzlOCdtBfDmBAACna5fVXynoqUdcYigGreAUn0ALeP9LIylsJwItD87268t7ldEzvLxeo9gcD5nM-XANvJTjFRTqTV1ZKeLVgQtD4Wr195Ty40yle0ZoDkpIG94CEh9vxpoMK6OPffpQUqLqIlW660TlhWZp7KeGE48Hm_I"}}},"responses":{"200":{"description":"Successful upload.","headers":{"X-Request-Id":{"description":"The X-Request-Id from the request header, if supplied, mirrored back.\n","schema":{"type":"string","format":"uuid","example":"6d3d3674-7ce5-11ec-90d6-0242ac121234"}},"X-Correlation-Id":{"description":"The X-Correlation-Id from the request header, if supplied, mirrored back.\n","schema":{"type":"string","example":"11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA"}}},"content":{"application/json":{"schema":{"type":"object","description":"The response returned by the service when a redirect is required to continue the signing process.","required":["token","redirectUri"],"properties":{"token":{"type":"string","format":"base64 encoded UUID V4","description":"A token representing the signature creation request. This is used to retrieve the signature once it has been created. \nSee https://www.rfc-editor.org/rfc/rfc9562.html#name-uuid-version-4 for the UUID V4 specification.\nThe token is valid for 600 seconds.\n","example":"ZjUyM2E3NzItMjRmMi00NWQ2LWE4ZGEtNTliNDhkZTAyMzFh"},"redirectUri":{"type":"string","format":"uri","description":"The URL which you should redirect to in order to continue the signing process.\nIf using local smartcard authentication, when redirecting to the Signing Service Client, you may append `&mock=true` to the query string to request\na mock implementation of the Credential Management integration.  To use mock signing in the integration test environment, you must authenticate using the \n[second generation mock authorisation service](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/testing-apis-with-our-mock-authorisation-service) \nand auth as mock user 656005750107.\n","example":"https://example.com/sign?token=f523a772-24f2-45d6-a8da-59b48de0231a"}}},"example":{"token":"ZDk1YjE0NmEtZWQwMi00N2QzLWE3ZjctNWEwMGY2YzI4NTBj","redirectUri":"https://int.api.service.nhs.uk/signing-service/client?token=ZDk1YjE0NmEtZWQwMi00N2QzLWE3ZjctNWEwMGY2YzI4NTBj"}}}},"4XX":{"description":"An error occurred as follows:\n\n| HTTP status | Error code or message           | Description                                                                                                                                |\n| ----------- | ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ |\n| 400         | Invalid request payload: \\\"value\\\" must be a string                   | Request payload missing (should be a JWT).                                                                              |\n| 400         | Invalid request payload: \"value\" with value [...] fails to match the required pattern [...] | Request payload not a valid JWT. |\n| 400         | JWT payload is not valid. \"[...]\" is required | Request payload JWT missing at least one required field. |\n| 401         | ACCESS_DENIED                   | Access token missing, invalid or expired, or calling application not configured for this operation.                                        |\n| 429         | TOO_MANY_REQUESTS               | You have exceeded your application's [rate limit](https://digital.nhs.uk/developer/guides-and-documentation/reference-guide#rate-limits).  |\n\nFor more details, see [HTTP status codes](https://digital.nhs.uk/developer/guides-and-documentation/reference-guide#http-status-codes).\n","headers":{"X-Request-Id":{"description":"The X-Request-Id from the request header, if supplied, mirrored back.\n","schema":{"type":"string","format":"uuid","example":"6d3d3674-7ce5-11ec-90d6-0242ac121234"}},"X-Correlation-Id":{"description":"The X-Correlation-Id from the request header, if supplied, mirrored back.\n","schema":{"type":"string","example":"11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA"}}},"content":{"application/json":{"examples":{"validationError":{"description":"Validation error","value":{"statusCode":404,"error":"Not Found","message":"No signature request for specified token"}},"authError":{"description":"Authorisation error","value":{"resourceType":"OperationOutcome","issue":[{"severity":"error","code":"forbidden","details":{"coding":[{"system":"https://fhir.nhs.uk/R4/CodeSystem/Spine-ErrorOrWarningCode","version":"1","code":"ACCESS_DENIED","display":"Invalid Access Token"}]}}]}}}}}},"5XX":{"description":"If the error message is `app.signingServiceCallbackUrl value required. Please contact support` then we haven't configured you DSS callback URL.\nSee [Environments and testing](#overview--environments-and-testing) for more details.\n\nOtherwise, it's an internal error on our side.\n"}}}},"/signatureresponse/{token}":{"get":{"operationId":"get-signature","summary":"Get signatures","description":"## Overview\nUse this operation to get the signatures for the documents you previously requested to be signed.\n\nYou need to supply the token you received from the [Request signatures](#post-/signaturerequest) operation.\n\nFor more details, see [How it works](#overview--how-it-works).\n\n### Sandbox behaviour\nYou must pass the token you received from the [Request signatures](#post-/signaturerequest) operation.\nThe sandbox always returns the same hard-coded signatures and certificate.\n","parameters":[{"in":"header","name":"Authorization","description":"An [OAuth 2.0 bearer token](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation#user-restricted-apis).\n\nRequired in all environments except sandbox.\n","required":true,"schema":{"type":"string","format":"^Bearer\\ [[:ascii:]]+$","example":"Bearer g1112R_ccQ1Ebbb4gtHBP1aaaNM"}},{"in":"path","name":"token","description":"The payload token returned in response to the signature creation request","schema":{"type":"string","format":"base64 encoded UUID V4"},"required":true,"example":"ZjUyM2E3NzItMjRmMi00NWQ2LWE4ZGEtNTliNDhkZTAyMzFh"},{"in":"header","name":"X-Request-ID","required":false,"description":"A optional globally unique identifier (GUID) for the request. Used \nto trace the request if you contact our helpdesk. Must be a universally unique identifier (UUID) \n(ideally version 4). Mirrored back in a response header. If you re-send a failed request, use the same value\nin this header.\n","schema":{"type":"string","example":"6d3d3674-7ce5-11ec-90d6-0242ac121234"}},{"in":"header","name":"X-Correlation-ID","required":false,"description":"An optional ID which you can use to track transactions across multiple systems. It can have any value, but avoid `.` characters.\n\nMirrored back in a response header.\n","schema":{"type":"string","example":"11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA"}}],"responses":{"200":{"description":"Successful retrieval.","headers":{"X-Request-Id":{"description":"The X-Request-Id from the request header, if supplied, mirrored back.\n","schema":{"type":"string","format":"uuid","example":"6d3d3674-7ce5-11ec-90d6-0242ac121234"}},"X-Correlation-Id":{"description":"The X-Correlation-Id from the request header, if supplied, mirrored back.\n","schema":{"type":"string","example":"11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA"}}},"content":{"application/json":{"schema":{"type":"object","description":"The response to a signature retrieval request.","required":["signatures","certificate"],"properties":{"signatures":{"type":"array","description":"The signatures which were generated and the ids which link them to their payloads.","items":{"type":"object","description":"A signature and the id which links it to its payload.","properties":{"id":{"type":"string","description":"The id of the payload which was signed to produce this signature.","example":"e77bf3e8-bcf5-4431-91a2-22672b27662a"},"signature":{"type":"string","format":"base64","description":"A signature, encoded in [base64](https://tools.ietf.org/html/rfc4648#section-4).","example":"XpjsKXPfUW708rGPuOAphlr4/UA23f3bhdBOocEJ17BXV0Jruz1E1KLFQwq37EJfnVo/WCLTSjgkkp0BWj5bG3JjEfj78ZjI1yVSRbfbVXXQX0GLZmiSGJrhWnFZt8cFrxO1MFAtSLmKfyXKzbuHsLTmsHQKpXCRdZnFmKBojLmp7NBr0lLE8Phttu8F2Eaeu2wPQ84p1iNW91fo1H+SFVxC+BRoPI1polXg42ceTjoJ7+FqYPDHfC7nNFIgTYJZlQdboMNbndv6BPDuFq0wusQjDQ4zMZ+8ClpRdt3iKmylXNmKkJA15W0pFbGq0Xnf3S1MXWElkaCIUCdGK2WsPA=="}}}},"certificate":{"type":"string","format":"base64","description":"The certificate associated with the private key used to generate the signature, represented in X.509 version 3 format and encoded in [base64](https://tools.ietf.org/html/rfc4648#section-4).\nThis will be required by the service receiving the signatures in order to verify them.\n","example":"MIIEJDCCAwygAwIBAgIUK3xkEUlRhXPJKNVwryqLZRoNTQQwDQYJKoZIhvcNAQELBQAwRDEOMAwGA1UEChMFSFNDSUMxETAPBgNVBAsTCE9wZW50ZXN0MR8wHQYDVQQDExZFUFMgTm9uLXJlcHVkaWF0aW9uIENBMB4XDTIwMDIyNzEzMDcyMloXDTIyMDIyNjEzMDcyMlowOzEOMAwGA1UEChMFSFNDSUMxGzAZBgNVBAsTElNvbHV0aW9uIEFzc3VyYW5jZTEMMAoGA1UEAxMDRU1VMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp0G4Gac7S0mqlHY/sW+EFZZL8AU+FMRrSFIefISocA6DsHePgHpg0tJcdmj3N45VR6FHDrKx5Dg/005R/t8gbuIHF+iI1puTcV9jWPmakkurlVPARmiAy767WPk9mpUolfoHdILKqfIWMzQzW7C4L8vFK55BIeV4/lIDvEpxZ+LHWbkmk/h1dWexupjOTfqTn/Uix+Lat2TpqzYSrM0bep8p8ucndN5sqcm6UkPothsxNEi2Hjkd8aoH1H4KIVwgcBwWe+XrLXK5WarMW0Y9qgQKxMsnvW8oyHa83mkHY+e8OeN/SnqYjkag0I4pvbBTclrGfIScIfTZorVn2WvCIQIDAQABo4IBFTCCAREwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDYGCWCGSAGG+EIBDQQpFidPcGVudGVzdDogT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFAH4ptckOhsUzBfVjt/m05GiO8XRMHsGA1UdIwR0MHKAFNIRvX9omrl7ZXSqEINy6w2rPQduoU+kTTBLMRQwEgYDVQQKEwtOSFMgRGlnaXRhbDERMA8GA1UECxMIT3BlbnRlc3QxIDAeBgNVBAMTF09wZW50ZXN0IFJvb3QgQXV0aG9yaXR5ggkA6u0cXbLqKoQwDQYJKoZIhvcNAQELBQADggEBAEDcrPcdrIC5ufVHra62oGBP/lz5oJq3Ql93Phgw9BDbumPU74P+XgQoO9vw8xO2Yb4+PL7M2BuJo3fDqcDsW+4B4t9mdhWW7lRjN3WcujoLslPz23cfyxCgZnYMMDbOhBrJxVCzYeC6nx6OhkL1V3Yoe+OIyrReUzpzeBwsUX5q802dNaV1yrb6ai2icgxqpY+fOZYFLRefPIqutBK73hnDuxDjI+7ehyFpapfOXVBmLTacLxLF1Dy/7+GIXbdIwbedet4p2IcEaRX0eWT0U//ZJSeBqnOOpXo64DfZtS9Vl2exHbHHqYc0RVNpKImaWVrMydC1qOexjUZSVBVd+Zo="}}},"example":{"signatures":[{"id":"e77bf3e8-bcf5-4431-91a2-22672b27662a","signature":"XpjsKXPfUW708rGPuOAphlr4/UA23f3bhdBOocEJ17BXV0Jruz1E1KLFQwq37EJfnVo/WCLTSjgkkp0BWj5bG3JjEfj78ZjI1yVSRbfbVXXQX0GLZmiSGJrhWnFZt8cFrxO1MFAtSLmKfyXKzbuHsLTmsHQKpXCRdZnFmKBojLmp7NBr0lE8Phttu8F2Eaeu2wPQ84p1iNW91fo1H+SFVxC+BRoPI1polXg42ceTjoJ7+FqYPDHfC7nNFIgTYJZlQdboMNbndv6BPDuFq0wusQjDQ4zMZ+8ClpRdt3iKmylXNmKkJA15W0pFbGq0Xnf3S1MXWElkaCIUCdGK2WsPA=="}],"certificate":"MIIEJDCCAwygAwIBAgIUK3xkEUlRhXPJKNVwryqLZRoNTQQwDQYJKoZIhvcNAQELBQAwRDEOMAwGA1UEChMFSFNDSUMxETAPBgNVBAsTCE9wZW50ZXN0MR8wHQYDVQQDExZFUFMgTm9uLXJlcHVkaWF0aW9uIENBMB4XDTIwMDIyNzEzMDcyMloXDTIyMDIyNjEzMDcyMlowOzEOMAwGA1UEChMFSFNDSUMxGzAZBgNVBAsTElNvbHV0aW9uIEFzc3VyYW5jZTEMMAoGA1UEAxMDRU1VMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp0G4Gac7S0mqlHY/sW+EFZZL8AU+FMRrSFIefISocA6DsHePgHpg0tJcdmj3N45VR6FHDrKx5Dg/005R/t8gbuIHF+iI1puTcV9jWPmakkurlVPARmiAy767WPk9mpUolfoHdILKqfIWMzQzW7C4L8vFK55BIeV4/lIDvEpxZ+LHWbkmk/h1dWexupjOTfqTn/Uix+Lat2TpqzYSrM0bep8p8ucndN5sqcm6UkPothsxNEi2Hjkd8aoH1H4KIVwgcBwWe+XrLXK5WarMW0Y9qgQKxMsnvW8oyHa83mkHY+e8OeN/SnqYjkag0I4pvbBTclrGfIScIfTZorVn2WvCIQIDAQABo4IBFTCCAREwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDYGCWCGSAGG+EIBDQQpFidPcGVudGVzdDogT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFAH4ptckOhsUzBfVjt/m05GiO8XRMHsGA1UdIwR0MHKAFNIRvX9omrl7ZXSqEINy6w2rPQduoU+kTTBLMRQwEgYDVQQKEwtOSFMgRGlnaXRhbDERMA8GA1UECxMIT3BlbnRlc3QxIDAeBgNVBAMTF09wZW50ZXN0IFJvb3QgQXV0aG9yaXR5ggkA6u0cXbLqKoQwDQYJKoZIhvcNAQELBQADggEBAEDcrPcdrIC5ufVHra62oGBP/lz5oJq3Ql93Phgw9BDbumPU74P+XgQoO9vw8xO2Yb4+PL7M2BuJo3fDqcDsW+4B4t9mdhWW7lRjN3WcujoLslPz23cfyxCgZnYMMDbOhBrJxVCzYeC6nx6OhkL1V3Yoe+OIyrReUzpzeBwsUX5q802dNaV1yrb6ai2icgxqpY+fOZYFLRefPIqutBK73hnDuxDjI+7ehyFpapfOXVBmLTacLxLF1Dy/7+GIXbdIwbedet4p2IcEaRX0eWT0U//ZJSeBqnOOpXo64DfZtS9Vl2exHbHHqYc0RVNpKImaWVrMydC1qOexjUZSVBVd+Zo="}}}},"4XX":{"description":"An error occurred as follows:\n\n| HTTP status | Error code or message           | Description                                                                                                                                |\n| ----------- | ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ |\n| 401         | ACCESS_DENIED                   | Access token missing, invalid or expired, or calling application not configured for this operation.                                        |\n| 404         | No signature request for specified token | The token provided wasn't recognised, or the presence check user journey hasn't been completed. |\n| 429         | TOO_MANY_REQUESTS               | You have exceeded your application's [rate limit](https://digital.nhs.uk/developer/guides-and-documentation/reference-guide#rate-limits).  |\n\nFor more details, see [HTTP status codes](https://digital.nhs.uk/developer/guides-and-documentation/reference-guide#http-status-codes).\n","headers":{"X-Request-Id":{"description":"The X-Request-Id from the request header, if supplied, mirrored back.\n","schema":{"type":"string","format":"uuid","example":"6d3d3674-7ce5-11ec-90d6-0242ac121234"}},"X-Correlation-Id":{"description":"The X-Correlation-Id from the request header, if supplied, mirrored back.\n","schema":{"type":"string","example":"11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA"}}},"content":{"application/json":{"examples":{"validationError":{"description":"Validation error","value":{"statusCode":404,"error":"Not Found","message":"No signature request for specified token"}},"authError":{"description":"Authorisation error","value":{"resourceType":"OperationOutcome","issue":[{"severity":"error","code":"forbidden","details":{"coding":[{"system":"https://fhir.nhs.uk/R4/CodeSystem/Spine-ErrorOrWarningCode","version":"1","code":"ACCESS_DENIED","display":"Invalid Access Token"}]}}]}}}}}}}}}},"components":{"parameters":{"token":{"in":"path","name":"token","description":"The payload token returned in response to the signature creation request","schema":{"type":"string","format":"base64 encoded UUID V4"},"required":true,"example":"ZjUyM2E3NzItMjRmMi00NWQ2LWE4ZGEtNTliNDhkZTAyMzFh"},"BearerAuthorization":{"in":"header","name":"Authorization","description":"An [OAuth 2.0 bearer token](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation#user-restricted-apis).\n\nRequired in all environments except sandbox.\n","required":true,"schema":{"type":"string","format":"^Bearer\\ [[:ascii:]]+$","example":"Bearer g1112R_ccQ1Ebbb4gtHBP1aaaNM"}},"RequestID":{"in":"header","name":"X-Request-ID","required":false,"description":"A optional globally unique identifier (GUID) for the request. Used \nto trace the request if you contact our helpdesk. Must be a universally unique identifier (UUID) \n(ideally version 4). Mirrored back in a response header. If you re-send a failed request, use the same value\nin this header.\n","schema":{"type":"string","example":"6d3d3674-7ce5-11ec-90d6-0242ac121234"}},"CorrelationID":{"in":"header","name":"X-Correlation-ID","required":false,"description":"An optional ID which you can use to track transactions across multiple systems. It can have any value, but avoid `.` characters.\n\nMirrored back in a response header.\n","schema":{"type":"string","example":"11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA"}}},"headers":{"XRequestId":{"description":"The X-Request-Id from the request header, if supplied, mirrored back.\n","schema":{"type":"string","format":"uuid","example":"6d3d3674-7ce5-11ec-90d6-0242ac121234"}},"XCorrelationId":{"description":"The X-Correlation-Id from the request header, if supplied, mirrored back.\n","schema":{"type":"string","example":"11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA"}}},"schemas":{"token-body":{"type":"object","description":"The response returned by the service when a redirect is required to continue the signing process.","required":["token","redirectUri"],"properties":{"token":{"type":"string","format":"base64 encoded UUID V4","description":"A token representing the signature creation request. This is used to retrieve the signature once it has been created. \nSee https://www.rfc-editor.org/rfc/rfc9562.html#name-uuid-version-4 for the UUID V4 specification.\nThe token is valid for 600 seconds.\n","example":"ZjUyM2E3NzItMjRmMi00NWQ2LWE4ZGEtNTliNDhkZTAyMzFh"},"redirectUri":{"type":"string","format":"uri","description":"The URL which you should redirect to in order to continue the signing process.\nIf using local smartcard authentication, when redirecting to the Signing Service Client, you may append `&mock=true` to the query string to request\na mock implementation of the Credential Management integration.  To use mock signing in the integration test environment, you must authenticate using the \n[second generation mock authorisation service](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/testing-apis-with-our-mock-authorisation-service) \nand auth as mock user 656005750107.\n","example":"https://example.com/sign?token=f523a772-24f2-45d6-a8da-59b48de0231a"}}},"signature-request-body":{"type":"string","description":"A signed [JWT](https://tools.ietf.org/html/rfc7519) containing the document(s) to be signed.\n\nThe JWT header must include the following fields:\n* `typ` - the type of the token. This must be `JWT`.\n* `alg` - the algorithm used to sign the token. This must be `RS512`.\n* `kid` - the ID of the key which the service uses to verify the JWT signature.\n\nThe JWT payload must include the following fields:\n* `iss` - the issuer of the token. This must be the [API key](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/user-restricted-restful-apis-cis2-separate-authentication-and-authorisation#step-2-register-your-application-on-the-api-platform) of your application.\n* `sub` - the subject of the token. This must be the SDS user ID of the person requesting the signature and must match the user who authenticated.\n* `aud` - the intended audience of the token. This must be the URL of the Signing Service, for example `https://int.api.service.nhs.uk/signing-service`.\n* `exp` - the expiry time of the token. This must be at most 10 minutes in the future.\n* `iat` - the time the token was issued.\n* `algorithm` - the algorithm which is used to sign the prescription itself (not the JWT).\n  Values are defined in [JSON Web Signature and Encryption Algorithms](https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms).\n  `RS256` and `RS512` are supported by this API, but for signing prescriptions you must use `RS256`.\n* `payloads` - a list of objects, each containing the following fields:\n  * `id` - an identifier for the payload. This can be used to match up the signature with the payload which was signed.\n  * `payload` - the [base64](https://tools.ietf.org/html/rfc4648#section-4) encoded payload to be signed.\n\nThe JWT signature must be present, and must use the `RS512` algorithm.\nIt must be signed with a private key that matches one of your [registered public keys](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/user-restricted-restful-apis-cis2-separate-authentication-and-authorisation#step-4-register-your-public-key).\n","pattern":"^[a-zA-Z0-9\\-_]+?\\.[a-zA-Z0-9\\-_]+?\\.[a-zA-Z0-9\\-_]+?$"},"signature-response-body":{"type":"object","description":"The response to a signature retrieval request.","required":["signatures","certificate"],"properties":{"signatures":{"type":"array","description":"The signatures which were generated and the ids which link them to their payloads.","items":{"type":"object","description":"A signature and the id which links it to its payload.","properties":{"id":{"type":"string","description":"The id of the payload which was signed to produce this signature.","example":"e77bf3e8-bcf5-4431-91a2-22672b27662a"},"signature":{"type":"string","format":"base64","description":"A signature, encoded in [base64](https://tools.ietf.org/html/rfc4648#section-4).","example":"XpjsKXPfUW708rGPuOAphlr4/UA23f3bhdBOocEJ17BXV0Jruz1E1KLFQwq37EJfnVo/WCLTSjgkkp0BWj5bG3JjEfj78ZjI1yVSRbfbVXXQX0GLZmiSGJrhWnFZt8cFrxO1MFAtSLmKfyXKzbuHsLTmsHQKpXCRdZnFmKBojLmp7NBr0lLE8Phttu8F2Eaeu2wPQ84p1iNW91fo1H+SFVxC+BRoPI1polXg42ceTjoJ7+FqYPDHfC7nNFIgTYJZlQdboMNbndv6BPDuFq0wusQjDQ4zMZ+8ClpRdt3iKmylXNmKkJA15W0pFbGq0Xnf3S1MXWElkaCIUCdGK2WsPA=="}}}},"certificate":{"type":"string","format":"base64","description":"The certificate associated with the private key used to generate the signature, represented in X.509 version 3 format and encoded in [base64](https://tools.ietf.org/html/rfc4648#section-4).\nThis will be required by the service receiving the signatures in order to verify them.\n","example":"MIIEJDCCAwygAwIBAgIUK3xkEUlRhXPJKNVwryqLZRoNTQQwDQYJKoZIhvcNAQELBQAwRDEOMAwGA1UEChMFSFNDSUMxETAPBgNVBAsTCE9wZW50ZXN0MR8wHQYDVQQDExZFUFMgTm9uLXJlcHVkaWF0aW9uIENBMB4XDTIwMDIyNzEzMDcyMloXDTIyMDIyNjEzMDcyMlowOzEOMAwGA1UEChMFSFNDSUMxGzAZBgNVBAsTElNvbHV0aW9uIEFzc3VyYW5jZTEMMAoGA1UEAxMDRU1VMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp0G4Gac7S0mqlHY/sW+EFZZL8AU+FMRrSFIefISocA6DsHePgHpg0tJcdmj3N45VR6FHDrKx5Dg/005R/t8gbuIHF+iI1puTcV9jWPmakkurlVPARmiAy767WPk9mpUolfoHdILKqfIWMzQzW7C4L8vFK55BIeV4/lIDvEpxZ+LHWbkmk/h1dWexupjOTfqTn/Uix+Lat2TpqzYSrM0bep8p8ucndN5sqcm6UkPothsxNEi2Hjkd8aoH1H4KIVwgcBwWe+XrLXK5WarMW0Y9qgQKxMsnvW8oyHa83mkHY+e8OeN/SnqYjkag0I4pvbBTclrGfIScIfTZorVn2WvCIQIDAQABo4IBFTCCAREwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDYGCWCGSAGG+EIBDQQpFidPcGVudGVzdDogT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFAH4ptckOhsUzBfVjt/m05GiO8XRMHsGA1UdIwR0MHKAFNIRvX9omrl7ZXSqEINy6w2rPQduoU+kTTBLMRQwEgYDVQQKEwtOSFMgRGlnaXRhbDERMA8GA1UECxMIT3BlbnRlc3QxIDAeBgNVBAMTF09wZW50ZXN0IFJvb3QgQXV0aG9yaXR5ggkA6u0cXbLqKoQwDQYJKoZIhvcNAQELBQADggEBAEDcrPcdrIC5ufVHra62oGBP/lz5oJq3Ql93Phgw9BDbumPU74P+XgQoO9vw8xO2Yb4+PL7M2BuJo3fDqcDsW+4B4t9mdhWW7lRjN3WcujoLslPz23cfyxCgZnYMMDbOhBrJxVCzYeC6nx6OhkL1V3Yoe+OIyrReUzpzeBwsUX5q802dNaV1yrb6ai2icgxqpY+fOZYFLRefPIqutBK73hnDuxDjI+7ehyFpapfOXVBmLTacLxLF1Dy/7+GIXbdIwbedet4p2IcEaRX0eWT0U//ZJSeBqnOOpXo64DfZtS9Vl2exHbHHqYc0RVNpKImaWVrMydC1qOexjUZSVBVd+Zo="}}}},"examples":{"validationError":{"description":"Validation error","value":{"statusCode":404,"error":"Not Found","message":"No signature request for specified token"}},"authError":{"description":"Authorisation error","value":{"resourceType":"OperationOutcome","issue":[{"severity":"error","code":"forbidden","details":{"coding":[{"system":"https://fhir.nhs.uk/R4/CodeSystem/Spine-ErrorOrWarningCode","version":"1","code":"ACCESS_DENIED","display":"Invalid Access Token"}]}}]}}}},"x-nhs-api-spec-guid":"a062e39c-b843-4833-8d24-8fc1434900a0"}