POST /access-records
curl --request POST \
  --url https://api.central.consent/v1/access-records \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "record-metadata": {
    "schema-version": "1.0",
    "controller": {
      "name": "Bright Energy Ltd",
      "contact-url": "https://bright-energy.com/contact",
      "address": {
        "addressLine1": "10 Canary Wharf",
        "townCity": "London",
        "postcode": "E14 5AB"
      }
    },
    "pii-principal": {
      "mpxn": "1234567890123",
      "move-in-date": "2022-06-30",
      "address": {
        "addressLine1": "221B Baker Street",
        "townCity": "London",
        "postcode": "NW1 6XE"
      }
    }
  },
  "notice": {
    "terms-url": "https://bright-energy.com/privacy-v3.html",
    "notice-version": "v3.2",
    "notice-language": "en"
  },
  "processing": {
    "legal-basis": "uk-consent",
    "purpose": "Energy efficiency analysis and tariff recommendations",
    "data-types": [
      "HH-CONSUMPTION",
      "HH-EXPORT"
    ],
    "privacy-rights-url": "https://bright-energy.com/your-rights"
  },
  "access-event": {
    "state": "ACTIVE",
    "registered-at": "2023-11-07T05:31:56Z",
    "expiry": "2027-11-10T17:07:01.580Z",
    "controller-reference": "REF-00123",
    "consent": {
      "consent-type": "expressed-consent",
      "method": "Explicit web checkbox",
      "expressed-by": "data-subject",
      "principal-verification": {
        "method": "credit-card",
        "verified-at": "2023-11-07T05:30:45Z",
        "outcome": "verified",
        "reference": "ch_3ABC123xyz",
        "submitted": "XXXX-XXXX-XXXX-4242",
        "verified-against": "Stripe customer record cus_ABC123",
        "detail": {
          "last4": "4242",
          "brand": "visa",
          "stripe_customer": "cus_ABC123"
        }
      }
    }
  }
}
'
{
  "response": {
    "resource": "/v1/access-records/ak_691df0c788ca043403b7fa90",
    "timestamp": "2026-03-11T12:00:00Z",
    "transaction-id": "tid_691df0c788ca043403b7fa90"
  },
  "access-token": {
    "key": "ak_691df0c788ca043403b7fa90",
    "expiry": "2027-11-10T17:07:01.580Z"
  }
}

Authorizations

Authorization (string, header, required)

JWT from GET /auth/token. Pass as Authorization: Bearer <token>. Expires after 7200s.

Query Parameters

ak (string)

Supply to update an existing access record. The record identified by this key will be replaced with the submitted payload.

Unique opaque identifier for an access record, issued by the register on creation. Treat as a secret — possession enables access verification.

Pattern: ^ak_[0-9a-f]{24}$
Example: "ak_691df0c788ca043403b7fa90"

Body

application/json

An AccessRecord. All legal bases use this same schema.

A data access record covering all lawful bases. The same schema is used regardless of processing.legal-basis. The notice field and access-event.consent sub-object are null for non-consent records and populated for consent records.

record-metadata (object, required)

ISO 27560 Section 1 — Record Metadata

record-identifier and created-at are assigned by the register on creation and returned in responses; they must not be supplied in request bodies.

notice (object, required)

Populated for consent-based records; null for all other legal bases.

processing (object, required)

ISO 27560 Section 3 — Processing Fields

Defines the scope and legal basis of data access. legal-basis and privacy-rights-url are required for all record types.

For legitimate interests records, lia-reference should be supplied — its absence is valid but indicates an incomplete audit trail.

For public task or legal obligation records, statutory-reference should be supplied identifying the specific legislation or regulatory condition authorising access.

access-event (object, required)

ISO 27560 Section 4 — Access Event Fields

Records when access was registered, its lifecycle state and duration, and (for consent records) the specific details of how consent was expressed.

registered-at serves as the canonical event timestamp for all record types — for consent records it is the date the customer gave consent; for non-consent records it is the date the Controller registered their access.

revoked-at is set by the register on revocation and must not be supplied in request bodies.
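
A client-side pre-flight check for the body and ak rules above, as an added example (not the register's own code or SDK). It assumes record-identifier and created-at sit under record-metadata and revoked-at under access-event, that uk-consent is the only consent legal-basis value, and uses a placeholder for the non-consent basis; validate_access_record and the sample payload are hypothetical.

```python
import re

# Pattern from the page. fullmatch() is used below because "$" with match()
# would also accept a key followed by a trailing newline.
AK_PATTERN = re.compile(r"ak_[0-9a-f]{24}")
CONSENT_BASIS = "uk-consent"  # assumption: the only consent legal-basis value
# Assumed placement of the register-assigned fields named on the page.
REGISTER_ASSIGNED = [("record-metadata", "record-identifier"),
                     ("record-metadata", "created-at"),
                     ("access-event", "revoked-at")]


def validate_access_record(body, ak=None):
    """Return a list of problems; an empty list means the payload passes."""
    errors = []
    if ak is not None and not AK_PATTERN.fullmatch(ak):
        errors.append("ak does not match ^ak_[0-9a-f]{24}$")
    for section in ("record-metadata", "notice", "processing", "access-event"):
        if section not in body:
            errors.append(f"missing required section: {section}")
    for section, field in REGISTER_ASSIGNED:
        if field in (body.get(section) or {}):
            errors.append(f"{section}.{field} is register-assigned; remove it")
    processing = body.get("processing") or {}
    for field in ("legal-basis", "privacy-rights-url"):
        if not processing.get(field):
            errors.append(f"processing.{field} is required")
    is_consent = processing.get("legal-basis") == CONSENT_BASIS
    notice = body.get("notice")
    consent = (body.get("access-event") or {}).get("consent")
    if is_consent and (not notice or not consent):
        errors.append("consent record needs notice and access-event.consent")
    if not is_consent and (notice is not None or consent is not None):
        errors.append("non-consent record must have null notice and consent")
    return errors


# Constructed sample: a non-consent record that wrongly carries a notice and a
# register-assigned field. The legal-basis value is a placeholder.
SAMPLE = {
    "record-metadata": {"schema-version": "1.0", "created-at": "2026-03-11T12:00:00Z"},
    "notice": {"notice-version": "v3.2"},
    "processing": {"legal-basis": "<non-consent-basis>",
                   "privacy-rights-url": "https://bright-energy.com/your-rights"},
    "access-event": {"state": "ACTIVE", "consent": None},
}

if __name__ == "__main__":
    for problem in validate_access_record(SAMPLE, ak="ak_691df0c788ca043403b7fa90"):
        print(problem)
```

Because the ak is a secret, run a check like this before the request is built and keep the key itself out of any error message or log line.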

Response

Existing access record updated successfully (when ak supplied).

response (object, required)

access-token (object, required)

The access token issued on successful registration. Pass to Data Providers to enable access verification.

Last modified on March 11, 2026