Authorizing incoming requests

Version	2025-07-04
Status	draft

Introduction

This technical agreement descibes how incoming requests must be authorized in the context of data exchanges.

Agreements

Decision 1

Authorization rules are technically defined using access policies written in Rego.

Rationale

1. Rego makes access policies readable for both humans and machines.

Decision 2

Parties are free to choose their own way to implement a Policy Decision Point (PDP).

Rationale

1. Open source software for implementing a PDP is available (PDP) but parties are free to implement access policies in another way.