NPA-5880: Pre-prod/int environment Postman collection (#273)

# Pull Request

## 🧾 Ticket Link

<!-- Add the Jira ticket link here -->

https://nhsd-jira.digital.nhs.uk/browse/NPA-5880

---

## 📄 Description/Summary of Changes

<!-- Describe the changes made in this PR. Include the
purpose/scope/impact of the changes -->

- Added Postman collection for INT
- Updated OAS to include INT postman collection button
- Added environment variables file for INT

---

## 🧪 Developer Testing Carried Out

<!-- Describe what tests (automated/unit/manual etc.) have been done for
the ticket. Include: -->
<!-- - Any tests added/updated -->
<!-- - Evidence that each acceptance criterion from the Jira ticket is
met -->

- Ran all Postman collection requests and examples

---

## 🧪 Reviewer Testing Required

<!-- Describe how to test the changes that have been made in the ticket.
Include: -->
<!-- - Testing environment details (e.g. sandbox/local setup) -->
<!-- - Steps to verify the changes -->

- [ ] Check Postman requests
- [ ] Review documentation around Postman collection

---

## ✅ Developer Checklist

<!-- Complete before submitting the PR -->

- [x] PR title follows the format: `NPA-XXXX: <short-description>`
- [x] Branch name follows the convention:
`<type>/NPA-XXXX/<short-description>`
- [x] Commit messages follow the template: `NPA-XXXX:
<short-description>`
- [x] All acceptance criteria from the Jira ticket are addressed
- [x] Automated tests (unit/integration/API/infrastructure etc. tests)
are added or updated
- [x] Assignees and appropriate labels (e.g. `terraform`,
`documentation`) are added

---

## 👀 Reviewer Checklist

<!-- To be completed by the reviewer -->

- [ ] Changes meet the acceptance criteria of the Jira ticket
- [ ] Code is able to be merged (no conflicts and adheres to coding
standards)
- [ ] Sufficient test evidence is provided (manual and/or automated)
- [ ] Infrastructure/operational/build changes are validated (if
applicable)

---

## 🚀 Post-merge

<!-- Actions to complete after merging -->

After merging and deploying changes to the sandbox, Postman collection
or spec examples please run the Run Postman
collection workflow.

This will run the tests within the collection to check that the sandbox
is working as expected once deployed.

Author: ClarksonAdam

postman/INT.postman_environment.json

@@ -0,0 +1,70 @@
+{
+	"id": "22fac400-f932-4ea9-8ef4-86b135cfcea0",
+	"name": "INT",
+	"values": [
+		{
+			"key": "cis2_token",
+			"value": "",
+			"type": "secret",
+			"enabled": true
+		},
+		{
+			"key": "login_token",
+			"value": "",
+			"type": "secret",
+			"enabled": true
+		},
+		{
+			"key": "api_base_url",
+			"value": "https://int.api.service.nhs.uk/validated-relationships/FHIR/R4",
+			"type": "default",
+			"enabled": true
+		},
+		{
+			"key": "vrs_api_private_key",
+			"value": "",
+			"type": "secret",
+			"enabled": true
+		},
+		{
+			"key": "nhs_developer_account_api_key",
+			"value": "",
+			"type": "secret",
+			"enabled": true
+		},
+		{
+			"key": "consent_app_auth_header_value",
+			"value": "",
+			"type": "secret",
+			"enabled": true
+		},
+		{
+			"key": "tpp_9674998535_access_token",
+			"value": "",
+			"type": "secret",
+			"enabled": true
+		},
+		{
+			"key": "tpp_9674998454_access_token",
+			"value": "",
+			"type": "secret",
+			"enabled": true
+		},
+		{
+			"key": "emis_9692113698_access_token",
+			"value": "",
+			"type": "secret",
+			"enabled": true
+		},
+		{
+			"key": "emis_9692113612_access_token",
+			"value": "",
+			"type": "secret",
+			"enabled": true
+		}
+	],
+	"color": null,
+	"_postman_variable_scope": "environment",
+	"_postman_exported_at": "2025-12-05T12:22:03.035Z",
+	"_postman_exported_using": "Postman/11.74.2"
+}

postman/README.md

@@ -1,8 +1,18 @@
-# Postman Collection
+# Postman Collections
 
-This folder contains the Postman collection for the API.
+This folder contains the Sandbox and Integration Postman collections for the VRS API.
 
 > [!WARNING]
 > Documentation and links in this file are specific to the maintainers of this repository and are only available to NHS England staff.
 
-To update the Postman collection follow the steps on the [How to update Postman Collection Confluence page](https://nhsd-confluence.digital.nhs.uk/pages/viewpage.action?pageId=874694621)
+## Updating the collections
+
+To update the Postman collections follow the steps on the [How to update Postman Collection Confluence page](https://nhsd-confluence.digital.nhs.uk/pages/viewpage.action?pageId=874694621)
+
+## Integration collection
+
+The 'integration' postman collection includes requests and examples to be used by the VRS team, consumers, and external
+parties to test against our INT environment.
+
+For details on the environment variables and authorization methods required for this environment, please see the Getting
+Started section within the Postman collection itself.

postman/validated_relationship_service.integration.postman_collection.json

@@ -0,0 +1,158 @@
+# How to run Scripts
+
+## First Steps
+
+### Install packages
+
+The tooling we use to manage our packages in poetry so this needs to be installed on your local machine in order to run
+the scripts.
+
+Then run the following command in the scripts directory
+
+```
+poetry install
+```
+
+## Script Specific
+
+### Get CIS2 Access Token for Int Environment
+
+#### Set Environment Variables
+
+You will require the following environment variables in order to run the script:
+
+```
+export APIGEE_ENVIRONMENT=int
+export APPLICATION_CLIENT_ID={application_client_id}
+export APPLICATION_CLIENT_SECRET={application_client_secret}
+```
+
+The values for `APPLICATION_CLIENT_ID` and `APPLICATION_CLIENT_SECRET` can be found on the NHS Developer Account
+portal 'NHS - Proxy Core Services...' environment resource in the Active API keys section.
+
+#### Select an identifier
+
+There are a different levels of authenticator assurance levels eg. AAL3.
+For VRS CIS2 users are only accessible to access selected APIs.
+Please find a list of test users detailed in this page:
+https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/testing-apis-with-our-mock-authorisation-service#test-users-for-cis2-authentication
+This can be used to select your identifier for the next step.
+i.e. 656005750108 to test with a CIS2 user with AAL3 authenticator assurance level.
+
+#### Run the script
+
+Then run the following command in the scripts directory
+
+```
+poetry run python3 get_cis2_access_token_int.py
+```
+
+You will be prompted to "Enter an identifier: "
+
+Enter the identifier selected in previous step eg. 656005750108
+
+In your terminal you should see a response that includes an access token
+
+e.g.
+
+```
+{'access_token': 'EFFs3EeT0SZbF2J14LvM93vVDTaA', 'expires_in': '599', 'refresh_token': 'BDEcXjJI36DJA8Dlw8wS0jCuYJJqC8tK', 'refresh_token_expires_in': '43199', 'refresh_count': '0', 'token_type': 'Bearer'}
+```
+
+### Get NHS Login Access Token for Int Environment
+
+#### Set Environment Variables
+
+You will require the following environment variables in order to run the script:
+
+```
+export APIGEE_ENVIRONMENT=int
+export APPLICATION_CLIENT_ID={application_client_id}
+export APPLICATION_CLIENT_SECRET={application_client_secret}
+```
+
+The values for `APPLICATION_CLIENT_ID` and `APPLICATION_CLIENT_SECRET` can be found on the NHS Developer Account
+portal 'NHS - Proxy Core Services...' environment resource in the Active API keys section.
+
+#### Select an identifier
+
+There are a different identity proofing levels eg. p9.
+For VRS p9 users are only accessible to access selected APIs.
+Please find a list of test users detailed in this page:
+https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/testing-apis-with-our-mock-authorisation-service#test-users-for-nhs-login
+This can be used to select your identifier for the next step.
+i.e. 9912003071 to test with a p9 user.
+
+#### Run the script
+
+Then run the following command in the scripts directory
+
+```
+poetry run python3 get_nhs_login_access_token_int.py
+```
+
+You will be prompted to "Enter an identifier: "
+
+Enter the identifier selected in previous step eg. 9912003071
+
+In your terminal you should see a response that includes an access token
+
+e.g.
+
+```
+{'access_token': 'EFFs3EeT0SZbF2J14LvM93vVDTaA', 'expires_in': '599', 'refresh_token': 'BDEcXjJI36DJA8Dlw8wS0jCuYJJqC8tK', 'refresh_token_expires_in': '43199', 'refresh_count': '0', 'token_type': 'Bearer'}
+```
+
+### Get App Restricted Access Token for Int Environment
+
+Application restricted authentication is when a system is trying to access an API rather than a person. For example the
+Validated Relationship Service (VRS) will need an app restricted access token in order to call the Personal Demographic
+Service (PDS) API.
+https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation#application-restricted-apis
+
+#### Set Environment Variables
+
+You will require the following environment variables in order to run the script:
+
+```
+export APIGEE_ENVIRONMENT=int
+export APPLICATION_CLIENT_ID={vrs_application_client_id}
+export APPLICATION_CLIENT_KID={vrs_application_client_secret}
+export APPLICATION_CLIENT_PRIVATE_KEY={vrs_application_client_private_key}
+```
+
+Note with VRS_CLIENT_PRIVATE_KEY it needs to be wrapped in double quotation marks otherwise there can be formatting
+errors
+
+The values for `APPLICATION_CLIENT_ID` and `APPLICATION_CLIENT_KID` can be found on the NHS Developer Account portal '
+NHS - Proxy Core Services...' environment resource in the Active API keys section.
+
+The `APPLICATION_CLIENT_PRIVATE_KEY` is stored in AWS Secrets Manager. Please contact the VRS team if you don't have AWS
+access to obtain this.
+
+#### Run the script
+
+Then run the following command in the scripts directory
+
+```
+poetry run python3 get_app_access_token_int.py
+```
+
+In your terminal you should see a response that includes an access token
+
+e.g.
+
+```
+{'access_token': 'EFFs3EeT0SZbF2J14LvM93vVDTaA', 'expires_in': '599', 'refresh_token': 'BDEcXjJI36DJA8Dlw8wS0jCuYJJqC8tK', 'refresh_token_expires_in': '43199', 'refresh_count': '0', 'token_type': 'Bearer'}
+```
+
+### Trouble Shooting
+
+If you have issues with the script, a good place to start is to ensure the environment variables are accessible to
+poetry. This can be achieved by installing the poetry dotenv plugin
+
+Run this command
+
+```
+poetry plugin add poetry-dotenv-plugin
+```

… Service Sandbox.postman_collection.json …_service.sandbox.postman_collection.jsonpostman/Validated Relationship Service Sandbox.postman_collection.json renamed to postman/validated_relationship_service.sandbox.postman_collection.json postman/Validated Relationship Service Sandbox.postman_collection.json renamed to postman/validated_relationship_service.sandbox.postman_collection.json

@@ -0,0 +1,19 @@
+from os import getenv
+from pytest_nhsd_apim.identity_service import (
+    ClientCredentialsConfig,
+    ClientCredentialsAuthenticator,
+)
+
+client_id = getenv("APPLICATION_CLIENT_ID")
+kid = getenv("APPLICATION_CLIENT_KID")
+private_key = getenv("APPLICATION_CLIENT_PRIVATE_KEY").replace("\\n", "\n")
+config = ClientCredentialsConfig(
+    environment=getenv("APIGEE_ENVIRONMENT"),
+    identity_service_base_url=f"https://{getenv('APIGEE_ENVIRONMENT')}.api.service.nhs.uk/oauth2-mock",
+    client_id=client_id,
+    jwt_private_key=private_key,
+    jwt_kid=kid,
+)
+
+authenticator = ClientCredentialsAuthenticator(config=config)
+print(authenticator.get_token())

scripts/README.md

@@ -0,0 +1,20 @@
+from os import getenv
+from pytest_nhsd_apim.identity_service import (
+    AuthorizationCodeConfig,
+    AuthorizationCodeAuthenticator,
+)
+
+identifier = str(input("Enter an identifier: "))
+scope = "nhs-cis2"
+config = AuthorizationCodeConfig(
+    environment=getenv("APIGEE_ENVIRONMENT"),
+    identity_service_base_url=f"https://{getenv('APIGEE_ENVIRONMENT')}.api.service.nhs.uk/oauth2-mock",
+    callback_url="https://oauth.pstmn.io/v1/browser-callback",
+    client_id=getenv("APPLICATION_CLIENT_ID"),
+    client_secret=getenv("APPLICATION_CLIENT_SECRET"),
+    scope=scope,
+    login_form={"username": identifier},
+)
+
+authenticator = AuthorizationCodeAuthenticator(config=config)
+print(authenticator.get_token())

scripts/get_app_access_token_int.py

@@ -0,0 +1,20 @@
+from os import getenv
+from pytest_nhsd_apim.identity_service import (
+    AuthorizationCodeConfig,
+    AuthorizationCodeAuthenticator,
+)
+
+identifier = str(input("Enter an identifier: "))
+scope = "nhs-login"
+config = AuthorizationCodeConfig(
+    environment=getenv("APIGEE_ENVIRONMENT"),
+    identity_service_base_url=f"https://{getenv('APIGEE_ENVIRONMENT')}.api.service.nhs.uk/oauth2-mock",
+    callback_url="https://oauth.pstmn.io/v1/browser-callback",
+    client_id=getenv("APPLICATION_CLIENT_ID"),
+    client_secret=getenv("APPLICATION_CLIENT_SECRET"),
+    scope=scope,
+    login_form={"username": identifier},
+)
+
+authenticator = AuthorizationCodeAuthenticator(config=config)
+print(authenticator.get_token())