[ERSSUP-89265]-[]-[Adding OAS file changes for app-restricted Accept Referral access]-[JW]

nhsd-jack-wainwright · nhsd-jack-wainwright · commit 148e3923f98c · 2025-07-24T17:25:15.000+01:00
diff --git a/specification/components/stu3/schemas/endpoints/a013-accept-referral.yaml b/specification/components/stu3/schemas/endpoints/a013-accept-referral.yaml
@@ -6,11 +6,18 @@ description: |
 
   ## Supported security patterns
   - Healthcare worker, user-restricted access
+  - Application-restricted, unattended access
 
   ## Pre-requisites
+  ### Healthcare worker, user-restricted access
   In order to use this endpoint you must be an authenticated e-RS user and use one of the following e-RS roles:
     - `SERVICE_PROVIDER_CLINICIAN`
     - `SERVICE_PROVIDER_CLINICIAN_ADMIN`
+
+  ### Application-restricted, unattended access
+  In order to use this endpoint you must be an authenticated e-RS calling application, working in the context of a Service Provider Organisation.
+
+  To access this endpoint in application-restricted, unattended mode, you will be required to submit your use case for review.
   
   ## Important notes
   
diff --git a/specification/e-referrals-service-api.yaml b/specification/e-referrals-service-api.yaml
@@ -67,7 +67,11 @@ info:
     This access mode has been introduced to allow a Partner application which has been [registered with us](https://portal.developer.nhs.uk/create-a-developer-account) and [authenticated via signed JWT](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/application-restricted-restful-apis-signed-jwt-authentication) to interact with a subset of e-RS FHIR API endpoints in an unattended and read-only fashion.
     Application-restricted, unattended access should only be used when authenticating a human user (for example via smartcard) is not possible.
 
-    Write operations are currently only supported by [[HYPERLINK_A028]] for non-clinical use cases. You will be required to submit your use case for review when using this endpoint via application-restricted, unattended access.
+    Write operations are currently only supported for specific use cases via:
+    - [[HYPERLINK_A028]]
+    - [[HYPERLINK_A013]]
+
+    You will be required to submit your use case for review when using this endpoint via application-restricted, unattended access.
 
     ##### Healthcare worker, user-restricted access
 
@@ -122,6 +126,7 @@ info:
       - [[HYPERLINK_A006]]
       - [[HYPERLINK_A007]]
       - [[HYPERLINK_A008]]
+      - [[HYPERLINK_A013]]
       - [[HYPERLINK_A024]]
       - [[HYPERLINK_A025]]
       - [[HYPERLINK_A028]]
