
Authorizing incoming requests

Version 2025-07-04
Status draft

Introduction

This technical agreement describes how incoming requests must be authorized in the context of data exchanges.

Agreements

Decision 1

Authorization rules are technically defined using access policies written in Rego.

Rationale

  1. Rego makes access policies readable for both humans and machines.

Decision 2

Parties are free to choose their own way to implement a Policy Decision Point (PDP).

Rationale

  1. Open source software for implementing a PDP is available (PDP), but parties are free to implement access policies in another way.