Part of Integration process overview

Stage 2 - Build

Find out how to gain access to our test environment in order to start development with the NHS e-Referral Service API.

As part of this stage you will need to provide contact details of the NHS organisation or Independent Health Provider you are working with so we can verify your plans.

What you need to do
  • Create and register your application
  • Get access to our test environment
  • Obtain test data
  • Configure e-RS
  • Request the Supplier Conformance Assessment List (SCAL) 
  • Build your software

2.1 Create and register your application

You will need to create an application and register it in the integration test (INT) environment by following the steps below. You will need the information this produces to complete the form at 2.21 Integration testing.

2.11 Sign in or create a developer account

You may already have a developer account, either from registering for an API with NHS England previously, or from onboarding with other NHS Services as per the 1.5 Find other NHS services section.

Create a developer account if you do not already have one.

Your developer account provides you access to everything you need to integrate with us. This includes the developer community where you can get support or provide help with our APIs.

2.12 Create your application

On the developer account home page (My developer hub), select 'Environment access', located in the top left-hand corner of the page. Then select 'Add new application' to start the new application journey.

2.13 Select your environment

Select ‘Integration test’ then complete the ‘Select application owner’ section.

2.14 Name your application

When naming your application, please follow the preferred guidance:

[Supplier name] - [App name] - [Environment] - e-Referral Service - [Access Mode]

For example:

Care Vista - Care Vista Link - INT - e-Referral Service - User-restricted

Acme - Acme Medical System - INT - e-Referral Service - Application-restricted

Click ‘Create Application’ when done.

2.15 Add the e-Referral Service API

Click ‘View your new application’.

This step enables access to the API you want to use. Select one API per application.

You will require a separate application for each access mode you intend to use. The same application cannot be used for both user-restricted and application-restricted modes.

When using both access modes, repeat the full process described in section 2.1 Create and register your application.

User-restricted

For user-restricted access, enable the API below:

e-Referral Service - Healthcare Worker (Integration Testing)

User restricted

Application-restricted

For application-restricted, unattended access, enable the API below:

e-Referral Service - Application Restricted (Integration Testing)

Application Restricted

Please note that if your software includes application-restricted, unattended access you will need to review the end user organisation responsibilities.


2.2 Get access to our test environment

You may already have had experience of our sandbox environment.

This step will provide you with access to the INT environment. It provides a more realistic setting for testing than is possible in a sandbox, including authorisation, release and assurance testing.

2.21 Integration testing

The integration environment should be used to test and assure your software in an integrated manner.

This environment is:

  • where the majority of your integration efforts will take place
  • where we conduct witness testing for your application
  • stateful, so data will be persisted
  • representative of the production estate

To get access, please complete the integration test environment form. 

You will need:

  • the use case information that you reviewed at 1.2 Validate your use case
  • the application information produced at 2.1 Create and register your application
  • to let us know if you plan to use your own Patient Administration System (PAS) or the NHSE test PAS

We will review your form and let you know if your request has been approved.  We may also ask for additional information.

If approved, we will set you up in the integration environment and notify you by email. You’ll also receive a test data pack, which you’ll need for step 2.3 Provision test data. This process may take up to 10 working days.

2.22 Performance testing

We do not provide an environment for performance testing, in line with other NHS APIs. The INT environment has low rate limits to protect it against overuse.

If you need to performance test your integration, we recommend you build stubs to simulate our API.

The data in our test environment is neither representative of production nor at the same scale. Do not undertake performance testing against this environment.


2.3 Provision test data

Use the test data we have provided you with at 2.21 Integration testing to test your software in our integration environment.

The test data includes:

  • patients
  • GP surgery
  • NHS trust organisation
  • NHS trust site 

The test data provided here is required to set up test referrals as outlined in section 2.4 Configure e-RS.


2.4 Configure e-RS

In this step, you will be required to familiarise yourself with the e-RS application.

Whether you are integrating as a referrer or a provider, you will have to play both roles to configure and set up test referral data in e-RS.

Additional guidance and implementation resources can be found in our document library.

2.41 Set up test services

To start creating referrals you will first require test services in the e-RS web-based application.

You can access the e-RS application using this URL: https://int-ers.nhs.uk. You will need to log in with an INT smartcard, security key or another supported authenticator option.

Follow this detailed guide for creating services in the INT environment.

2.42 Test PAS

If you are intending to use directly bookable services, you will require a PAS to supply appointment slots to e-RS. The ITOC team can create these for you with a test PAS, if you do not have your own. You will have indicated your requirement for a test PAS on the form you completed at 2.21 Integration testing.

Once you have set up your test services, please email the ITOC team ([email protected]) and provide them with your test service IDs so they can create slots against them for you.

Please note that beyond creating appointment slots, we do not offer any support for PAS issues or config changes. Use of the test PAS is at your own risk. NHS England will not accept responsibility for missed test schedules.

2.43 Set up referrals

You will need to create test referrals in order to carry out your tests.

We recommend starting section 2.6 Request the Supplier Conformance Assessment List (SCAL) while completing this stage.


2.5 Review our cyber requirements

You must ensure your software meets NHS security standards and allow enough time for review, follow-up, and issue resolution before go-live.

The guidance for undertaking a penetration test and the follow-up review with NHS England is below.

2.51 Conduct a penetration test through a CHECK accredited vendor

Your test must include, but is not limited to:

  • API Endpoints – All public and internal endpoints
  • Authentication – OAuth 2.0, API keys, JWTs
  • Input Validation – SQL injection, XSS, SSRF
  • Rate Limiting & Throttling – Protection against abuse and DoS attacks
  • Data Exposure – No sensitive information in responses, logs, or errors
  • Authorisation – Role-based access control (RBAC) checks
  • Error Handling – No system or stack trace leakage
  • Session Management – Secure token handling, expiry, logout
  • Logging & Monitoring – Security-relevant events should be logged
  • Third-party Integrations – Any connected services must be included in scope
  • Compliance – DSP Toolkit, UK GDPR, and NHS data standards
  • Documentation Review – Hidden or undocumented features

2.52 Submit a security test report or summary of your testing

Your report must describe which areas required testing and include the following for each finding:

  • Finding Title: for example, “SQL Injection on /login”
  • Severity: Critical/High/Medium/Low
  • Description: What the issue is and its potential impact
  • Recommended Remediation: Clear, actionable fix
  • Affected Assets / URLs: Systems, endpoints, or IPs
  • CVSS Score: If applicable 
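
A pre-submission check for the per-finding fields listed above, as an added example that is not NHS England's code or a required format: the dictionary keys, the `cvss` field name and the sample findings are assumptions constructed for illustration. It also flags a severity label that disagrees with the CVSS v3.x qualitative band for the score given, which goes beyond what this page asks for.

```python
# Added example: lint pen-test findings against the per-finding fields in 2.52.
# Key names and structure are assumptions, not an NHS England submission format.
REQUIRED = ("title", "severity", "description", "remediation", "affected_assets")
SEVERITIES = ("Critical", "High", "Medium", "Low")
# CVSS v3.x qualitative bands (lower bound inclusive), highest first.
CVSS_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"))


def cvss_band(score):
    """Return the CVSS v3.x qualitative rating for a score, or None for 0.0."""
    return next((name for floor, name in CVSS_BANDS if score >= floor), None)


def lint_finding(finding):
    """Return the problems found in one finding; an empty list means complete."""
    problems = []
    for key in REQUIRED:
        value = finding.get(key)
        if not value or (isinstance(value, str) and not value.strip()):
            problems.append(f"missing {key}")
    severity = finding.get("severity")
    if severity and severity not in SEVERITIES:
        problems.append(f"severity {severity!r} not one of {'/'.join(SEVERITIES)}")
    score = finding.get("cvss")  # optional: the page says "if applicable"
    if score is not None:
        valid = isinstance(score, (int, float)) and not isinstance(score, bool)
        if not (valid and 0.0 <= score <= 10.0):
            problems.append(f"cvss {score!r} is not a number between 0.0 and 10.0")
        elif severity in SEVERITIES and cvss_band(score) != severity:
            problems.append(f"severity {severity} does not match CVSS band {cvss_band(score)}")
    return problems


def lint_report(findings):
    """Map each incomplete finding's title (or index) to its list of problems."""
    linted = ((f.get("title") or f"finding #{i}", lint_finding(f)) for i, f in enumerate(findings))
    return {title: problems for title, problems in linted if problems}


# Constructed sample findings, for illustration only.
SAMPLE = [
    {"title": "SQL Injection on /login", "severity": "Critical", "cvss": 9.8,
     "description": "Login parameter reaches a query unsanitised; database read.",
     "remediation": "Use parameterised queries.", "affected_assets": ["/login"]},
    {"title": "Stack trace in error response", "severity": "High", "cvss": 5.3,
     "description": "HTTP 500 responses include framework stack traces.",
     "remediation": "", "affected_assets": ["/api"]},
]
```

A severity that differs from the CVSS band can be legitimate when it reflects context; the check only prompts you to explain the difference in the description.
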

2.53 Allow time for NHS review

The Cyber team will aim to review your submission within 5 working days following the initial assurance team review. This may take longer.

A follow-up call or clarification may be required.

Please factor this into your go-live plan. Allow time for any required fixes and assurance discussions.

2.54 Vulnerability remediation timelines

The SCAL outlines information on vulnerabilities and expected remediation. Please refer to this document for further guidance.

2.55 Additional guidance for existing partners

If you are an existing integration partner and plan to:

  • Add new API endpoints
  • Introduce new functionality, or
  • Make changes that significantly alter the security posture or attack surface of your solution

You must consider the potential impact of those changes and follow this process. We will assess the scope and agree appropriate next steps with you, which may include:

  • Additional security testing
  • Submission of a revised test report
  • Review of new endpoints or logic

This is especially important if the changes increase exposure to external systems, handle new types of sensitive data, or modify authentication and authorisation logic.

2.56 Go live planning

Do not schedule your go live immediately after submitting your report.

Allow time for:

  • an NHS review
  • issue resolution
  • clarification or escalation calls

Ensure your internal teams are available to act on feedback promptly.


2.6 Request the Supplier Conformance Assessment List (SCAL)

2.61 What is the SCAL?

The SCAL is a document that asks for information about your product. It helps ensure your software is safe, secure and meets information governance and clinical standards.

It is an Excel spreadsheet with three tabs. The first tab, 'Supplier product information', is common across all NHS onboarding services; the remaining requirements are specific to the e-RS FHIR API.

Each SCAL is unique to:

  • your product
  • the NHS service you are integrating with

Many sections of the SCAL can be completed in parallel to your own internal testing.

We recommend that you familiarise yourself with the SCAL as early in the process as possible. You can access the latest SCAL as part of the design stage.

During assurance, we may ask you to complete the uplifted version of the SCAL, if we introduce updates or new requirements. You can access the SCAL change log for further detail.

2.62 Request and review the SCAL

The SCAL document is tailored to your integrated software if:

  • your product uses several NHS England APIs or services - you’ll have a single SCAL that covers them all
  • you have more than one product - you need a separate SCAL for each product

To get an appropriate SCAL template for your product, request the SCAL from the e-RS Solution Assurance team at [email protected]

The e-RS Solution Assurance team will either create a new SCAL template for you, or find your existing SCAL, and add the latest version of the e-RS requirements tabs on to your existing SCAL.

Review and complete the SCAL and send an email to [email protected] indicating when you expect to be ready for witness testing.


2.7 Build your software

You now have everything you need to start building your software, complete module, system, and integration testing, then progress into the assurance stage.


Contact us

Get support on integrating with our API by checking out our developer community.

You can:

  • search and find answers to your query
  • post your own questions
  • join a community of professionals with similar objectives

Last edited: 4 March 2026 1:37 pm