Authorizing incoming requests

Version 
 2025-07-04 
 
 
 Status 
 draft 
 
 
 
 Introduction 
 This technical agreement descibes how incoming requests must be authorized in the context of data exchanges. 
 Agreements 
 Decision 1 
 Authorization rules are technically defined using access policies written in Rego. 
 Rationale 
 
 Rego makes access policies readable for both humans and machines. 
 
 Decision 2 
 Parties are free to choose their own way to implement a Policy Decision Point (PDP). 
 Rationale 
 
 Open source software for implementing a PDP is available (PDP) but parties are free to implement access policies in another way.