Skip to content

API Guide

Martin Ballhatchet edited this page Jun 29, 2020 · 43 revisions

API Guide

Status: Work In Progress
  1. Introduction
    1. What is the Book a Secure Move API?
    2. What is this guide?
    3. Who is it for?
    4. How should this guide be used?
    5. Other resources
  2. Definitions
    1. Words used in this guide and the API
    2. Entity relationship diagram
    3. Entity explanation
  3. Architecture of the API
    1. Diagram
    2. Security
    3. JSON API
    4. HTTP Return Codes
    5. Resilience
  4. Uses cases with guidance
    1. Receive a Requested Booking and act upon it
    2. Search for a Person
    3. Create a booking
    4. Redirect in-progress move
    5. (Log a journey)
    6. ...

Introduction

This is a guide to using the Book A Secure Move API.

What is the Book a Secure Move API?

This API is part of the solution built in order to create and manage booking requests to transfer people between locations involved in the justice system. In particular, this API allows suppliers to interact with the booking system, and supports the front-end application (see https://github.com/ministryofjustice/hmpps-book-secure-move-frontend).

What is this guide?

This guide is an explanation of how to use the API to accomplish supplier activities

Who is it for?

This guide is aimed at move suppliers, and in particular the teams responsible for integrating with the Book a Secure Move API

How should this guide be used?

The first few sections of this guide should be read and understood up to the use cases. The use cases will be added to over time, and so readers may choose to only read the detail of each use case at the point of implementation.

Other resources

Swagger spec

Swagger allows you to describe the structure of your APIs so that machines can read them.

The Swagger spec for the current version of the Book a Secure Move API can be found at:- https://api.bookasecuremove.service.justice.gov.uk/api-docs/index.html.

This spec covers the fine-grained detail of each of the methods and data structures available in the API. Consumers are not necessarily expected to implement all of these. The Swagger spec is instead best used as a reference for those methods and data structures that are required to fulfil a need.

Webhook documentation

There are several webhooks that can be configured as part of Book a Secure Move. They are documented here - Webhooks

Source code

The source code for the Book a Secure Move API is publicly available on GitHub at this URL: https://github.com/ministryofjustice/hmpps-book-secure-move-api.

Please see the Readme in that repository for more information.

Definitions

Words used in this guide and the API

Person (and People)

The whole service is designed around moving people safely. The people in this context may be prisoners, detainees, children or a young person. In this guide, we will refer to Person (plural either People or Persons) to refer to whichever of these is being moved.

Move

The unit of reference when booking a location transfer for a Person will be a Move. This could be one of a number of different types of Move (for example Prison to Court, Court to Prison, Prison to Prison, and others), and encapsulates the intended start and end location, regardless of intermediate stops.

Journey

A Journey is a unit of travel from one location to another that forms a part of a Move. There will always be at least one Journey as part of a completed Move, but in some cases more. For example, a Move that takes place over two days will often have a Journey from the pickup location to a holding location, followed by another Journey from the holding location to the destination location.

Location

Each of the Moves and Journeys within the service have a start point and an end point. These are Locations. In this service, every Location is pre-defined (with the exception of some unplanned emergencies), where the reference data comes from NOMIS. Locations are normally Police Stations (Custody Suites), Prisons, Courts, Secure Children's Homes (SCH), Secure Training Centres (STCs) and Young Offender Institutions (YOIs)

Profile

If a Person has multiple Moves over time, the information about that Person may change. In particular, new or changed risks or assessments may become apparent. In order to represent the specific information relevant to a particular Move, we have the concept of a Profile. A Profile is a subset of information about a Person that is related to a particular Move. A Move will always be linked to a single Profile, but it is possible for a Profile to be linked to several Moves (for example, if a person has two Moves on the same day and nothing changes between them).

Events

As part of a Move or a Journey, there may be a need to record that something has happened, or that something has changed. These are captured in this service as Events.

Handover

** not yet handled

Allocation

** to be completed

Property

** to be completed

Tesla

Entity relationship diagram

Entity explanation

** not sure if needed - check after diagram present

Architecture of the API

Diagram

(to include: documents)

Security

There are two elements of the API that have security requirements - the Book a Secure Move API itself, and (optionally) the Webhooks

The API is secured using an API key. These are generated by MoJ, and distributed to suppliers as required. The API key itself is then hashed by MoJ and the hash is stored. It is then not possible to recover the API key from the hash.

For production environments, API keys must be transferred securely. The recommendation is that the suppliers generate a GPG public-private key pair, then send the public key to MoJ, who will generate a securely random string, encrypt with the public key, and send the encrypted key back to the supplier. In addition, MoJ will create a secure hash from the API key and store this. The supplier will decrypt the key using their private key, and it will be sent in an authorisation header. MoJ will take the hash of the sent key and compare it to the one on file.

For production webhook credentials, it would be appropriate to use a similar mechanism.

JSON API

HTTP Return Codes

Versions

Resilience

In order to supply a stable, secure, safe, and reliable service, Suppliers systems will need to be resilient to system outages, and in extreme cases to failover to paper based processes.

Uses cases with guidance

Receive a Requested Booking and act upon it

The flow for this is as follows:-

Search for a Person

Redirect in-progress move

Create a booking

(Log a journey)

Clone this wiki locally