CIS2 Authentication

Use this integration to access Care Identity Service (CIS) - the national service for verifying the identity of healthcare workers in England, such as NHS staff, when they access national clinical information systems. You can also get basic profile information about these end users.

You can authenticate the healthcare workers using a range of authenticators, including:

• smartcards
• Windows Hello
• passkeys
• security keys, including YubiKeys
• iPads
• Microsoft Authenticator
• NHS.net Connect

For more details, see CIS2 Authentication.

This integration can only be used where there is a legal basis to do so. Make sure you have a valid use case before you go too far with your development.

You must do this before you can go live (see 'Onboarding' below).

CIS2 Authentication replaces the following API:

• CIS1 Authentication (Spine Security Broker) API - use this API to provide sign-on for healthcare workers using NHS smartcards

The following API is related to CIS2 Authentication:

• Spine Directory Service - LDAP API - use this API to access details of healthcare workers, including their organisation and roles that are registered in the Spine Directory Service (SDS) using our LDAP API

The following integration is similar to CIS2 Authentication:

• NHS login - use this integration to access multiple digital health and social care services with a single login for patients and the public, including authentication for returning users

This integration is in production.

This integration is a platinum service, meaning:

• it is operational and supported 24 hours a day, 365 days a year
• it has an availability of 99.9% in supported hours

For more details, see service levels.

This integration uses OpenID Connect 1.0 (OIDC) authentication standard which is a simple identity layer on top of the OAuth 2.0 protocol.

OIDC uses a combination of an API and user interface integration.

For more details, see NHS Care Identity Service 2 guidance for developers. 

This integration is available on the internet and, indirectly, on the Health and Social Care Network (HSCN).

For more details see Network access for APIs.

The security model for this integration conforms to OpenID Connect 1.0 (OIDC).

For security and authentication details, see the guidance on client authentication credentials.

For detailed guidance on NHS CIS2 environments and testing, see Onboard to CIS2 Authentication.

You need to get your software approved before it can go live with this integration. We call this onboarding. The onboarding process can sometimes be quite long, so it’s worth planning well ahead.

For details, see Onboard to CIS2 Authentication.

For details of CIS2 Authentication interactions, see CIS2 Authentication guidance for developers.