# Authorizing incoming requests

|||
|-----|-----|
|Version|2025-07-04|
|Status|draft|

## Introduction
This technical agreement descibes how incoming requests must be authorized in the context of data exchanges.

## Agreements

### Decision 1
Authorization rules are technically defined using access policies written in Rego.

### Rationale
1. Rego makes access policies readable for both humans and machines.

### Decision 2
Parties are free to choose their own way to implement a Policy Decision Point (PDP).

### Rationale
1. Open source software for implementing a PDP is available (PDP) but parties are free to implement access policies in another way.