This guidance is for:
NHS Wales organisations requesting access for their teams
NHS Wales organisations sponsoring third-party suppliers that require access
The API Portal provides access to our published APIs, including production and other environments (Dev, SIT and UAT). While anyone can view sandbox APIs, sign-in is required to access other environments or register applications.
🔗 Learn more about the API Portal
NHS Wales organisations can request access for their staff directly.
Third-party supplier access must be sponsored by an NHS Wales organisation. The sponsoring NHS Wales organisation must follow the appropriate request process as outlined below on their behalf.
Third-party suppliers cannot request access directly.
If you're a member of an NHS Wales organisation and need access to the API Portal, please email apimanagement@wales.nhs.uk with the work email addresses (e.g., NHS email accounts) of the users requiring access, along with details of your use case, the requested API name, and the respective DHCW IMTP milestone reference number.
Before submitting a request, the NHS Wales sponsoring organisation must check which category the supplier falls into. The process depends on this.
Category 1: Supplier name is listed in the DHCW O365 Allow List
If the third-party supplier’s name exists, the sponsoring NHS Wales organisation can email the supplier email addresses to apimanagement@wales.nhs.uk, requesting API Portal access.
Category 2: Supplier name not listed in the DHCW O365 Allow List, but is listed in the Code of Connection List
If the third-party supplier is not listed in the DHCW O365 Allow List but is listed in the Code of Connection List and the Code of Connection has not expired, an additional step is required before access can be granted.
The NHS Wales organisation must first email DHCW.Securitysubmissions@wales.nhs.uk with the domain name they require added to the DHCW O365 Allow List, and include the third party's name, stating that they have an in-date Code of Connection and wish to be added to the O365 Allow List.
Once the DHCW Operational Security Team approves this, the sponsoring NHS Wales organisation can then request API Portal access by sending the supplier email addresses, with a copy of the DHCW Operational Security Team approval email attached, to apimanagement@wales.nhs.uk.
*Note: Do not send the supplier’s email addresses requesting access before the DHCW Operational Security Team has confirmed approval. Requests submitted without this approval attached will not be processed.
Category 3: Supplier name not listed in DHCW O365 Allow List or Code of Connection List
If the supplier is not on either list, the sponsoring NHS Wales organisation must complete the full O365 Allow Listing Domain request process outlined below.
The O365 Allow Listing Domain process must be initiated and submitted by the sponsoring NHS Wales organisation. Requests from third-party suppliers will not be accepted.
Download the Information Security Toolkit - O365 Allow Listing Domain v6.6 and complete it as instructed.
Ensure you read the ‘ReadMe – Allowlisting’ tab within the template before completing the form.
The completed form should be sent to DHCW.Securitysubmissions@wales.nhs.uk. This will notify the DHCW Operational Security Team of the request.
The DHCW Operational Security Team will review the submission and inform you of the result.
If the DHCW O365 Allow Listing Domain request is approved, the sponsoring NHS Wales organisation can then request API Portal access by sending the supplier email addresses, with a copy of the DHCW Operational Security Team approval email attached, to apimanagement@wales.nhs.uk.
*Note: Do not send the supplier’s email addresses requesting access before the DHCW Operational Security Team has confirmed approval. Requests submitted without this approval attached will not be processed.
Access will be provisioned after DHCW API Management has validated that the supplier’s internet domain name is listed in the DHCW O365 Allow List, or that confirmation is attached that DHCW Operational Security have approved the request. You will receive an email acknowledgement confirming whether access to the API Portal has been granted.
Access to the API Portal allows you to sign in, register a new Team and consuming applications, and view the available APIs in Development or SIT environments, but it does not provide access to APIs in UAT or Production environments.
To gain access to UAT or Production API environments, you must complete the full onboarding process as outlined on the Onboarding page.