
Assurance process for APIs and services

Find out how to get assured for an API or service before your software goes live.

Overview

To use NHS APIs and services, your organisation must complete our assurance process and have your software approved by us before it can go live. This assurance process covers key areas such as regulations, security, clinical safety, technical standards, and information governance.

Although the assurance process will differ depending on your requirements, the information on this page will help you plan ahead for the main steps.


Our assurance process

We offer online and offline routes for assurance. The requirements are the same for all APIs and services. We intend to move to the online process for everyone, but for now you will be assured using one of the following.

To find out about assurance for a particular API, read its API specification in our API and integration catalogue.


Before you start your application

There are 10 key steps you should know about before starting your assurance application:

1. Confirm your use case

Some APIs and services require you to confirm your product’s purpose. You’ll need to give us details of your product and what it does.

Check the documentation in the API and integration catalogue to see if this applies to you. 

2. Get or confirm your ODS code

The Organisation Data Service (ODS) holds details of all healthcare organisations, including developers. Each one has a unique ODS code, also known as an Application Service Provider (ASP) code.

During the assurance process, your ODS code identifies you either as a developer of a commercial product or as an end user organisation (EUO) developing a product in house.

If you don’t know your ODS code, you can:

3. Check if you need an HSCN connection

Some NHS APIs can be accessed only via the Health and Social Care Network (HSCN), not the internet. Others are internet-accessible but still require HSCN for NHS smartcard access.

In these cases, you’ll need an HSCN connection for:

  • integration testing
  • production use (if you're also an end user organisation)

Check the API specification in our API and integration catalogue to see if HSCN is required.

4. Complete the Data and Security Protection Toolkit

To ensure data is handled securely, you must complete the Data and Security Protection Toolkit.

When completing the Toolkit, select your organisation type:

  • NHS business partner: if your system regularly processes patient data (for example a GP system)
  • Company: if your software only has technical access (for example middleware)

5. Manage clinical risk

As a developer of healthcare software, you must have a clinical risk management process that conforms to the DCB0129 standard.

As an end user organisation, you must have a clinical risk management process that conforms to the DCB0160 standard.

Some APIs provide a hazard log for you to review and integrate into your own risk log.

For details on how to do this for a particular API, read its API specification in our API and integration catalogue.

6. Check medical device status

Find out if your product is classed as a medical device. If it is, you must meet legal requirements.

For more details see Medical devices: software applications (apps).

7. Pass technical and security tests

  • Product assurance
    To ensure conformance, you may be required to demonstrate functional and non-functional testing to verify that your product aligns with the API specifications.
    In certain instances, a risk-based approach will be applied, requiring the submission of identified risks along with their mitigations and supporting test evidence.
  • Penetration testing
    Prior to deployment, most of our APIs mandate that the connecting system undergoes appropriate penetration testing.
    Instructions for conducting this testing are outlined in the published specifications for each API, available in our API and integration catalogue.

8. Register for support

Sign up with the NHS service desk to get updates and raise live incidents. You’ll need to do this for each API you use.

To register for incident management:

  1. Make sure you have an ODS code (see step 2).
  2. Register with the National Service Desk Customer Portal.

9. Submit your application and sign the connection agreement

Once all the steps are complete, we’ll email your legal signatory with a link to the National Service Desk Customer Portal to review and accept the agreement.

The connection agreement terms are available for review at any stage during the onboarding process. It is strongly recommended that these terms are reviewed early, including the standard terms applicable to all NHS England services, Appendix 1A outlining the 'end user organisation acceptable use policy', and Appendix 2A specifying 'data processing special terms' where applicable.

10. Issue the 'acceptable use policy' and request production access

  • Acceptable use policy
    Appendix 1A of the connection agreement is the ‘end user organisation acceptable use policy’. You must issue it to each end user organisation that will use your product. It sets out their obligations in using your product.
    If you are an end user organisation developing software for your own use, this policy applies to your own organisation.
  • Production access
    You need to request production access for each end user organisation that uses your product. For details on how to do this for a particular API, read its API specification in our API and integration catalogue.

Start assurance

To start your assurance, choose one of the following:

Join our Developer Community

Get support with your integration journey from our Developer Community platform – giving you access to conversations with product teams, services and like-minded API producers and consumers.

To join the Community, first register to get a developer account.

Last edited: 23 February 2026 9:59 am