2 changes: 1 addition & 1 deletion docs/adr/assets/ADR-003/examples/python/requirements.txt
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
PyJWT==2.8.0
PyJWT==2.12.0
requests==2.32.4
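Review bot: The PyJWT bump keeps an exact pin, which is the right shape for an example requirements file, and the untouched `requests==2.32.4` line means nothing else needs re-pinning here. If these examples are ever installed in CI, consider adding `--hash` values so the pins are integrity-checked as well as version-checked.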
9 changes: 6 additions & 3 deletions docs/package-lock.json


5 changes: 2 additions & 3 deletions infrastructure/terraform/components/dl/README.md
Expand Up @@ -18,14 +18,15 @@ No requirements.
| <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
| <a name="input_aws_account_type"></a> [aws\_account\_type](#input\_aws\_account\_type) | The AWS Account Type | `string` | n/a | yes |
| <a name="input_component"></a> [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"dl"` | no |
| <a name="input_core_notify_include_auth_header"></a> [core\_notify\_include\_auth\_header](#input\_core\_notify\_include\_auth\_header) | Whether to send auth tokens with core notify API calls. | `bool` | `true` | no |
| <a name="input_core_notify_url"></a> [core\_notify\_url](#input\_core\_notify\_url) | The URL used to send requests to Notify | `string` | `"https://sandbox.api.service.nhs.uk"` | no |
| <a name="input_default_cloudwatch_event_bus_name"></a> [default\_cloudwatch\_event\_bus\_name](#input\_default\_cloudwatch\_event\_bus\_name) | The name of the default cloudwatch event bus. This is needed as GuardDuty Scan Result events are sent to the default bus | `string` | `"default"` | no |
| <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
| <a name="input_enable_dynamodb_delete_protection"></a> [enable\_dynamodb\_delete\_protection](#input\_enable\_dynamodb\_delete\_protection) | Enable DynamoDB Delete Protection on all Tables | `bool` | `true` | no |
| <a name="input_enable_event_anomaly_detection"></a> [enable\_event\_anomaly\_detection](#input\_enable\_event\_anomaly\_detection) | Enable CloudWatch anomaly detection alarm for core notifier queue message reception | `bool` | `true` | no |
| <a name="input_enable_event_cache"></a> [enable\_event\_cache](#input\_enable\_event\_cache) | Enable caching of events to an S3 bucket | `bool` | `true` | no |
| <a name="input_enable_mock_mesh"></a> [enable\_mock\_mesh](#input\_enable\_mock\_mesh) | Enable mock mesh access (dev only). Grants lambda permission to read mock-mesh prefix in non-pii bucket. | `bool` | `false` | no |
| <a name="input_enable_pdm_mock"></a> [enable\_pdm\_mock](#input\_enable\_pdm\_mock) | Flag indicating whether to deploy PDM mock API (should be false in production environments) | `bool` | `true` | no |
| <a name="input_enable_pdm_mock"></a> [enable\_pdm\_mock](#input\_enable\_pdm\_mock) | Flag indicating whether to deploy PDM mock API (should be false in production environments) | `bool` | `false` | no |
| <a name="input_enable_sns_delivery_logging"></a> [enable\_sns\_delivery\_logging](#input\_enable\_sns\_delivery\_logging) | Enable SNS Delivery Failure Notifications | `bool` | `true` | no |
| <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
| <a name="input_event_anomaly_band_width"></a> [event\_anomaly\_band\_width](#input\_event\_anomaly\_band\_width) | The width of the anomaly detection band. Higher values (e.g. 4-6) reduce sensitivity and noise, lower values (e.g. 2-3) increase sensitivity. Recommended: 2-4. | `number` | `3` | no |
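Review bot: The new `core_notify_include_auth_header` row describes the flag but not the constraint on it: the variable's `validation` block in variables.tf requires it to be `true` when `environment` is `prod`. This row's text matches the variable `description` verbatim, so if the table is generated from it, the fix belongs in variables.tf, e.g. "Whether to send auth tokens with core notify API calls. Must be true when environment is 'prod'."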
Expand All @@ -42,8 +43,6 @@ No requirements.
| <a name="input_mesh_poll_schedule"></a> [mesh\_poll\_schedule](#input\_mesh\_poll\_schedule) | Schedule to poll MESH for messages | `string` | `"rate(5 minutes)"` | no |
| <a name="input_metadata_refresh_schedule"></a> [metadata\_refresh\_schedule](#input\_metadata\_refresh\_schedule) | Schedule for refreshing reporting metadata. | `string` | `"cron(10 6-22 * * ? *)"` | no |
| <a name="input_parent_acct_environment"></a> [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used, affects things like DNS zone. Useful for named dev environments | `string` | `"main"` | no |
| <a name="input_pdm_mock_access_token"></a> [pdm\_mock\_access\_token](#input\_pdm\_mock\_access\_token) | Mock access token for PDM API authentication (used in local/dev environments) | `string` | `"mock-pdm-token"` | no |
| <a name="input_pdm_use_non_mock_token"></a> [pdm\_use\_non\_mock\_token](#input\_pdm\_use\_non\_mock\_token) | Whether to use the shared APIM access token from SSM (/component/environment/apim/access\_token) instead of the mock token | `bool` | `false` | no |
| <a name="input_pii_data_retention_non_current_days"></a> [pii\_data\_retention\_non\_current\_days](#input\_pii\_data\_retention\_non\_current\_days) | The number of non current days for data retention policy for PII | `number` | `14` | no |
| <a name="input_pii_data_retention_policy_days"></a> [pii\_data\_retention\_policy\_days](#input\_pii\_data\_retention\_policy\_days) | The number of days for data retention policy for PII | `number` | `534` | no |
| <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
@@ -1,5 +1,5 @@
resource "aws_api_gateway_deployment" "pdm_mock" {
count = local.deploy_pdm_mock ? 1 : 0
count = var.enable_pdm_mock ? 1 : 0

depends_on = [
aws_api_gateway_integration.create_document_reference,
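Review bot: Mechanical swap from the removed `local.deploy_pdm_mock` to `var.enable_pdm_mock`; the same one-line change recurs across every pdm_mock resource below. Because locals.tf in this PR deletes `deploy_pdm_mock`, any reference to it left anywhere in the component would fail at plan time, so a repo-wide grep for `deploy_pdm_mock` before merge is worthwhile.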
@@ -1,5 +1,5 @@
resource "aws_api_gateway_integration" "create_document_reference" {
count = local.deploy_pdm_mock ? 1 : 0
count = var.enable_pdm_mock ? 1 : 0

rest_api_id = aws_api_gateway_rest_api.pdm_mock[0].id
resource_id = aws_api_gateway_resource.document_reference[0].id
@@ -1,5 +1,5 @@
resource "aws_api_gateway_integration" "get_document_reference" {
count = local.deploy_pdm_mock ? 1 : 0
count = var.enable_pdm_mock ? 1 : 0

rest_api_id = aws_api_gateway_rest_api.pdm_mock[0].id
resource_id = aws_api_gateway_resource.document_reference_id[0].id
@@ -1,5 +1,5 @@
resource "aws_api_gateway_method" "create_document_reference" {
count = local.deploy_pdm_mock ? 1 : 0
count = var.enable_pdm_mock ? 1 : 0

rest_api_id = aws_api_gateway_rest_api.pdm_mock[0].id
resource_id = aws_api_gateway_resource.document_reference[0].id
@@ -1,5 +1,5 @@
resource "aws_api_gateway_method" "get_document_reference" {
count = local.deploy_pdm_mock ? 1 : 0
count = var.enable_pdm_mock ? 1 : 0

rest_api_id = aws_api_gateway_rest_api.pdm_mock[0].id
resource_id = aws_api_gateway_resource.document_reference_id[0].id
@@ -1,5 +1,5 @@
resource "aws_api_gateway_resource" "document_reference" {
count = local.deploy_pdm_mock ? 1 : 0
count = var.enable_pdm_mock ? 1 : 0

rest_api_id = aws_api_gateway_rest_api.pdm_mock[0].id
parent_id = aws_api_gateway_resource.r4[0].id
@@ -1,5 +1,5 @@
resource "aws_api_gateway_resource" "document_reference_id" {
count = local.deploy_pdm_mock ? 1 : 0
count = var.enable_pdm_mock ? 1 : 0

rest_api_id = aws_api_gateway_rest_api.pdm_mock[0].id
parent_id = aws_api_gateway_resource.document_reference[0].id
@@ -1,5 +1,5 @@
resource "aws_api_gateway_resource" "fhir" {
count = local.deploy_pdm_mock ? 1 : 0
count = var.enable_pdm_mock ? 1 : 0

rest_api_id = aws_api_gateway_rest_api.pdm_mock[0].id
parent_id = aws_api_gateway_resource.patient_data_manager[0].id
@@ -1,5 +1,5 @@
resource "aws_api_gateway_resource" "patient_data_manager" {
count = local.deploy_pdm_mock ? 1 : 0
count = var.enable_pdm_mock ? 1 : 0

rest_api_id = aws_api_gateway_rest_api.pdm_mock[0].id
parent_id = aws_api_gateway_rest_api.pdm_mock[0].root_resource_id
@@ -1,5 +1,5 @@
resource "aws_api_gateway_resource" "r4" {
count = local.deploy_pdm_mock ? 1 : 0
count = var.enable_pdm_mock ? 1 : 0

rest_api_id = aws_api_gateway_rest_api.pdm_mock[0].id
parent_id = aws_api_gateway_resource.fhir[0].id
@@ -1,5 +1,5 @@
resource "aws_api_gateway_rest_api" "pdm_mock" {
count = local.deploy_pdm_mock ? 1 : 0
count = var.enable_pdm_mock ? 1 : 0

name = "${var.project}-${var.environment}-pdm-mock"
description = "PDM Mock API for testing integration with Patient Data Manager"
@@ -1,5 +1,5 @@
resource "aws_api_gateway_stage" "pdm_mock" {
count = local.deploy_pdm_mock ? 1 : 0
count = var.enable_pdm_mock ? 1 : 0

deployment_id = aws_api_gateway_deployment.pdm_mock[0].id
rest_api_id = aws_api_gateway_rest_api.pdm_mock[0].id
@@ -1,5 +1,5 @@
resource "aws_cloudwatch_log_group" "pdm_mock_gateway" {
count = local.deploy_pdm_mock ? 1 : 0
count = var.enable_pdm_mock ? 1 : 0

name = "/aws/apigateway/${var.project}-${var.environment}-pdm-mock"
retention_in_days = var.log_retention_in_days
@@ -1,5 +1,5 @@
resource "aws_lambda_permission" "pdm_mock_gateway" {
count = local.deploy_pdm_mock ? 1 : 0
count = var.enable_pdm_mock ? 1 : 0

statement_id = "AllowAPIGatewayInvoke"
action = "lambda:InvokeFunction"
3 changes: 2 additions & 1 deletion infrastructure/terraform/components/dl/locals.tf
Expand Up @@ -4,7 +4,8 @@ locals {
apim_keystore_s3_bucket = "nhs-${var.aws_account_id}-${var.region}-${var.environment}-${var.component}-static-assets"
apim_private_key_ssm_parameter_name = "/${var.component}/${var.environment}/apim/private_key"
aws_lambda_functions_dir_path = "../../../../lambdas"
deploy_pdm_mock = var.enable_pdm_mock
pdm_access_token_ssm_parameter_name = var.enable_pdm_mock ? "" : local.apim_access_token_ssm_parameter_name
pdm_url = var.enable_pdm_mock ? aws_api_gateway_stage.pdm_mock[0].invoke_url : var.apim_base_url
firehose_output_path_prefix = "kinesis-firehose-output"
log_destination_arn = "arn:aws:logs:${var.region}:${var.shared_infra_account_id}:destination:nhs-main-obs-firehose-logs"
mock_mesh_endpoint = "s3://${module.s3bucket_non_pii_data.bucket}/mock-mesh"
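Review bot: `pdm_access_token_ssm_parameter_name` uses the empty string as a "send no token" sentinel that pdm_poll and pdm_uploader must interpret; that makes `enable_pdm_mock = true` silently disable authentication for both lambdas, and nothing in this PR stops that value reaching prod (the prod guard added to `core_notify_include_auth_header` in variables.tf has no counterpart for `enable_pdm_mock`). Suggest a matching validation on `enable_pdm_mock`, and a comment here naming the sentinel. Minor: the two new `pdm_*` keys break the alphabetical ordering of the surrounding locals (`aws_lambda_functions_dir_path`, `firehose_output_path_prefix`, ...); they belong after `mock_mesh_endpoint`.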
Expand Up @@ -36,7 +36,7 @@ module "core_notifier" {

lambda_env_vars = {
"APIM_BASE_URL" = var.core_notify_url
"APIM_ACCESS_TOKEN_SSM_PARAMETER_NAME" = local.apim_access_token_ssm_parameter_name
"APIM_ACCESS_TOKEN_SSM_PARAMETER_NAME" = var.core_notify_include_auth_header ? local.apim_access_token_ssm_parameter_name : ""
"EVENT_PUBLISHER_EVENT_BUS_ARN" = aws_cloudwatch_event_bus.main.arn
"EVENT_PUBLISHER_DLQ_URL" = module.sqs_event_publisher_errors.sqs_queue_url
"ENVIRONMENT" = var.environment
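Review bot: This inlines the same empty-string "no token" convention that locals.tf introduces for PDM, but here it lives in the module call rather than in a named local, so the two auth switches are expressed in two different places. Consider a `core_notify_access_token_ssm_parameter_name` local next to `pdm_access_token_ssm_parameter_name`, and document in the core notifier lambda's README that an empty `APIM_ACCESS_TOKEN_SSM_PARAMETER_NAME` means the Authorization header is omitted.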
Expand Up @@ -37,7 +37,7 @@ module "file_scanner" {
lambda_env_vars = {
"DOCUMENT_REFERENCE_BUCKET" = module.s3bucket_pii_data.bucket
"UNSCANNED_FILES_BUCKET" = local.unscanned_files_bucket
"UNSCANNED_FILES_PATH_PREFIX" = var.environment
"UNSCANNED_FILES_PATH_PREFIX" = local.csi
"EVENT_PUBLISHER_EVENT_BUS_ARN" = aws_cloudwatch_event_bus.main.arn
"EVENT_PUBLISHER_DLQ_URL" = module.sqs_event_publisher_errors.sqs_queue_url
}
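Review bot: Changing `UNSCANNED_FILES_PATH_PREFIX` from `var.environment` to `local.csi` is a behaviour change unrelated to the auth work in the rest of this PR: objects already written under the `<environment>/` prefix in the unscanned bucket will no longer be found by the scanner unless the producer side was changed in step. Confirm the writer uses `local.csi` as well, and call the prefix change out in the PR description.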
@@ -1,5 +1,5 @@
module "pdm_mock" {
count = local.deploy_pdm_mock ? 1 : 0
count = var.enable_pdm_mock ? 1 : 0
source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-lambda.zip"

function_name = "pdm-mock"
Expand Down Expand Up @@ -37,7 +37,7 @@ module "pdm_mock" {
}

data "aws_iam_policy_document" "pdm_mock" {
count = local.deploy_pdm_mock ? 1 : 0
count = var.enable_pdm_mock ? 1 : 0

statement {
sid = "KMSPermissions"
Expand Up @@ -35,8 +35,8 @@ module "pdm_poll" {
log_subscription_role_arn = local.acct.log_subscription_role_arn

lambda_env_vars = {
"APIM_BASE_URL" = local.deploy_pdm_mock ? aws_api_gateway_stage.pdm_mock[0].invoke_url : var.apim_base_url
"APIM_ACCESS_TOKEN_SSM_PARAMETER_NAME" = local.apim_access_token_ssm_parameter_name
"APIM_BASE_URL" = local.pdm_url
"APIM_ACCESS_TOKEN_SSM_PARAMETER_NAME" = local.pdm_access_token_ssm_parameter_name
"EVENT_PUBLISHER_EVENT_BUS_ARN" = aws_cloudwatch_event_bus.main.arn
"EVENT_PUBLISHER_DLQ_URL" = module.sqs_event_publisher_errors.sqs_queue_url
"POLL_MAX_RETRIES" = 10
Expand Up @@ -35,8 +35,8 @@ module "pdm_uploader" {
log_subscription_role_arn = local.acct.log_subscription_role_arn

lambda_env_vars = {
"APIM_BASE_URL" = var.apim_base_url
"APIM_ACCESS_TOKEN_SSM_PARAMETER_NAME" = local.apim_access_token_ssm_parameter_name
"APIM_BASE_URL" = local.pdm_url
"APIM_ACCESS_TOKEN_SSM_PARAMETER_NAME" = local.pdm_access_token_ssm_parameter_name
"EVENT_PUBLISHER_EVENT_BUS_ARN" = aws_cloudwatch_event_bus.main.arn
"EVENT_PUBLISHER_DLQ_URL" = module.sqs_event_publisher_errors.sqs_queue_url
}
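Review bot: This is a behaviour change for the uploader, not just a refactor: before, `APIM_BASE_URL` was always `var.apim_base_url`, so with the mock deployed the poller hit the mock while the uploader still hit real APIM; now both resolve through `local.pdm_url` and go to the mock together. That is almost certainly the intent, but dev environments that relied on uploads reaching real PDM will change behaviour, so it deserves a line in the PR description.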
Expand Up @@ -2,9 +2,8 @@ resource "aws_ssm_parameter" "access_token" {
name = local.apim_access_token_ssm_parameter_name
description = "Access token for APIM"
type = "SecureString"
value = jsonencode({
tokens = []
})
value = jsonencode({})

tags = merge(local.default_tags, { Backup = "true" })

lifecycle {
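Review bot: The placeholder changes shape from `{"tokens": []}` to `{}`, so on a freshly created environment a consumer that reads a `tokens` key from this parameter now sees a missing key rather than an empty list. Confirm the token reader handles both shapes, and that the `lifecycle` block (cut off here) still ignores `value`, otherwise an apply would reset a rotated token to `{}`.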
25 changes: 12 additions & 13 deletions infrastructure/terraform/components/dl/variables.tf
Expand Up @@ -122,18 +122,6 @@ variable "ttl_poll_schedule" {
default = "rate(10 minutes)" # Every 10 minutes
}

variable "pdm_mock_access_token" {
type = string
description = "Mock access token for PDM API authentication (used in local/dev environments)"
default = "mock-pdm-token"
}

variable "pdm_use_non_mock_token" {
type = bool
description = "Whether to use the shared APIM access token from SSM (/component/environment/apim/access_token) instead of the mock token"
default = false
}

variable "apim_base_url" {
type = string
description = "The URL used to send requests to PDM"
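Review bot: Removing `pdm_mock_access_token` and `pdm_use_non_mock_token` means Terraform will warn (for values in `.tfvars` files) or error (for `-var` / `TF_VAR_` inputs) wherever they are still set; check the per-environment tfvars and any pipeline variable definitions for leftovers before merge. The old default `mock-pdm-token` also appeared in the component README table removed in this PR, so a grep for the string across docs is worthwhile.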
Expand All @@ -146,6 +134,17 @@ variable "core_notify_url" {
default = "https://sandbox.api.service.nhs.uk"
}

variable "core_notify_include_auth_header" {
type = bool
description = "Whether to send auth tokens with core notify API calls."
default = true

validation {
condition = var.environment == "prod" ? var.core_notify_include_auth_header == true : true
error_message = "core_notify_include_auth_header must be set to true when environment is 'prod'."
}
}

variable "apim_auth_token_url" {
type = string
description = "URL to generate an APIM auth token"
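Review bot: The `validation` block refers to `var.environment`, a cross-variable reference; Terraform only allows a variable validation to reference other objects in the module from 1.9 onwards, and older CLIs reject this with "The condition for variable ... can only refer to the variable itself". Confirm this component's `required_version` pins >= 1.9. The condition also reads more directly as `condition = var.environment != "prod" || var.core_notify_include_auth_header`.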
Expand Down Expand Up @@ -178,7 +177,7 @@ variable "force_destroy" {
variable "enable_pdm_mock" {
type = bool
description = "Flag indicating whether to deploy PDM mock API (should be false in production environments)"
default = true
default = false
}

variable "aws_account_type" {
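Review bot: `enable_pdm_mock` now defaults to `false` and its description says it "should be false in production environments", but unlike `core_notify_include_auth_header` in the same file it has no `validation` enforcing that. Since enabling the mock also blanks the PDM token parameter name in locals.tf (turning off auth for pdm_poll and pdm_uploader), a matching `condition = var.environment != "prod" || !var.enable_pdm_mock` would close the gap the other validation was added for.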
4 changes: 0 additions & 4 deletions lambdas/pdm-mock-lambda/README.md
Expand Up @@ -19,15 +19,13 @@ Creates a new PDM DocumentReference.

```bash
curl -X POST https://<api-gateway-url>/patient-data-manager/FHIR/R4/DocumentReference \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/fhir+json" \
-H "X-Request-ID: 4a0e5f18-1747-4438-ac52-5ba2c21575f5" \
-d '{}'
```

**Headers:**

- `Authorization: Bearer <token>` - Authentication token is not validated and can be any string value.
- `Content-Type: application/fhir+json` - Required content type.
- `X-Request-ID: <UUID>` - This uuid will be used as the DocumentReference `id` in the response.

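Review bot: Dropping the `Authorization` header from the examples matches the removed authenticator, but the README now says nothing about authentication at all. A one-line note that the mock accepts unauthenticated requests and is only deployed when `enable_pdm_mock` is set (default `false`) would stop a reader assuming the endpoint is safe to expose outside dev.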
Expand Down Expand Up @@ -69,14 +67,12 @@ Retrieves a specific PDM DocumentReference by ID.

```bash
curl https://<api-gateway-url>/patient-data-manager/FHIR/R4/DocumentReference/test-id \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/fhir+json" \
-H "X-Request-ID: 848b67ea-eeaa-3620-a388-e4e8594ff2e3"
```

**Headers:**

- `Authorization: Bearer <token>` - Authentication token is not validated and can be any string value.
- `Content-Type: application/fhir+json` - Required content type.
- `X-Request-ID: <uuid>` - Used for request tracking and correlation. This isn't part of the ID or response that gets returned.

74 changes: 0 additions & 74 deletions lambdas/pdm-mock-lambda/src/__tests__/authenticator.test.ts

This file was deleted.
