Scopes and claims
Scope | Claims included | Low level (P0) | Medium level (P5) | High level (P9) |
---|---|---|---|---|
OpenID Connect requests: `openid` [1] | • Issuer identifier for the issuer of the response: `iss` • Partner service identifier: `aud` • Subject identifier for the user at the issuer: `sub` | Yes | Yes | Yes |
User's default profile: `profile` | • NHS number: `nhs_number` • Surname: `family_name` • Date of birth: `birthdate` • Identity proofing level: `identity_proofing_level` | No | Yes [2] | Yes |
User's basic demographics: `basic_demographics` [3] | • Surname: `family_name` • Date of birth: `birthdate` • Identity proofing level: `identity_proofing_level` | No | Yes | Yes |
User's additional demographic information: `profile_extended` | • First name from PDS: `given_name` | No | Yes | Yes |
Email address: `email` | • Email address: `email` • Verified email address: `email_verified` | Yes | Yes | Yes |
Phone number: `phone` | • Phone number: `phone_number` • Verified phone number: `phone_number_verified` • Phone number matched to PDS: `phone_number_pds_matched` [4] | Yes | Yes | Yes |
Landline number: `landline` | • Landline number: `landline_number` • Verified landline number: `landline_number_verified` | Yes | Yes | Yes |
GP registration details: `gp_registration_details` [5] | • ODS code: `gp_ods_code` | No | Yes | Yes |
GP surgery information: `gp_integration_credentials` | • Linkage key: `gp_linkage_key` • ODS code: `gp_ods_code` • Account ID: `gp_user_id` | No | No | Yes [6] |
Client specific metadata for the user account: `client_metadata` [7] | • Client user metadata: `client_user_metadata` | Yes | Yes | Yes |
Notes:
1. The OpenID scope is a mandatory requirement for all partners.
2. NHS number is part of a user’s claimed identity. The user must not be given or presented with the NHS number which has been traced by NHS login. NHS login must have a clear understanding of the use case of the NHS number, and will confirm that the use of this is within the tolerance level of the NHS login service.
3. User basic demographics and default profile scopes are mutually exclusive. Both cannot be requested together.
4. This claim will be `true` if the phone used for 2FA matches a contact number on PDS.
5. This scope is not required if the `gp_integration_credentials` scope is requested.
6. Available only to NHS England IM1 enabled partners and partners connected to IM1 via an approved third party supplier. This does not include GP suppliers’ own Patient Facing Services (PFS) API. The scope is protected by a high level of authentication.
7. This is a bespoke scope which should only be selected once agreed by NHS login.
These are not available as claims for NHS login:
- User's gender or sex
- User's post code
- User's address
Scopes and claims perform differently for partners supporting multiple levels of user identity verification and step-up journeys between the different levels of verification. Contact the NHS login onboarding team for more information.
Please refer to the external interface specification Section 3.4.1.1 and Section 3.6.2.1 for further technical details.
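The table and notes above can be turned into a pre-flight check on the `scope` parameter before an authorisation request is sent. The following is an added example, not code from NHS login or its specification. The function name `check_scopes`, its `approved` parameter and the message texts are hypothetical, and it assumes a partner working at a single verification level.

```python
# Added example: rules transcribed from the table and notes on this page.
LEVELS = ("P0", "P5", "P9")  # low, medium, high

# Scope -> lowest verification level at which the table marks it "Yes".
MIN_LEVEL = {
    "openid": "P0", "email": "P0", "phone": "P0", "landline": "P0",
    "client_metadata": "P0",
    "profile": "P5", "basic_demographics": "P5", "profile_extended": "P5",
    "gp_registration_details": "P5",
    "gp_integration_credentials": "P9",
}

# Scopes the notes limit to IM1 enabled partners or to a prior agreement.
RESTRICTED = {"gp_integration_credentials", "client_metadata"}


def check_scopes(scope_param, level, approved=frozenset()):
    """Return the problems found in a space-delimited scope string.

    level    -- "P0", "P5" or "P9", the user's verification level
    approved -- restricted scopes this partner has been granted (assumption:
                the partner records this itself after onboarding)
    """
    rank = LEVELS.index(level)  # ValueError on an unknown level
    scopes = set(scope_param.split())
    problems = []
    if "openid" not in scopes:
        problems.append("openid is mandatory")
    if {"profile", "basic_demographics"} <= scopes:
        problems.append("profile and basic_demographics are mutually exclusive")
    if {"gp_registration_details", "gp_integration_credentials"} <= scopes:
        problems.append(
            "gp_registration_details is not required with gp_integration_credentials")
    for scope in sorted(scopes):
        if scope not in MIN_LEVEL:
            problems.append(f"{scope} is not a scope listed on this page")
        elif rank < LEVELS.index(MIN_LEVEL[scope]):
            problems.append(
                f"{scope} is not available at {level} (needs {MIN_LEVEL[scope]})")
        elif scope in RESTRICTED and scope not in approved:
            problems.append(f"{scope} needs prior agreement or IM1 access")
    return problems


if __name__ == "__main__":
    # Constructed request: asks for both demographic scopes at medium level.
    for problem in check_scopes("openid profile basic_demographics email", "P5"):
        print(problem)
```

Running the check in a build or configuration test keeps a client from requesting more identity data than its verification level and onboarding agreement allow.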