PUT /access-records/{ak}
Replace an Access Record
curl --request PUT \
  --url https://api.central.consent/v1/access-records/{ak} \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "record-metadata": {
    "schema-version": "1.0",
    "controller-arrangement": {
      "arrangement-type": "sole",
      "controllers": [
        {
          "name": "Bright Energy Ltd",
          "role": "sole",
          "contact-url": "https://bright-energy.com/contact",
          "privacy-rights-url": "https://bright-energy.com/your-rights",
          "lia-reference": "LIA-2024-003",
          "statutory-reference": "Energy Act 2023, s.147"
        }
      ],
      "art26-reference": "JCA-2024-BrightGrid-001"
    },
    "identity-record-ref": "ir_a3c5e7f9b1d3a3c5e7f9b1d3"
  },
  "notice": {
    "notices": [
      {
        "controller-name": "Grid Analytics Ltd",
        "terms-url": "https://gridanalytics.com/privacy-v2.html",
        "notice-version": "v2.0",
        "notice-language": "en"
      }
    ]
  },
  "processing": {
    "legal-basis": "uk-consent",
    "purpose": "Energy efficiency analysis and tariff recommendations",
    "data-types": [
      "HH-CONSUMPTION"
    ],
    "data-source": "National Grid ESO / MPAS",
    "recipients": [
      {
        "name": "Analytics Co Ltd",
        "role": "Sub-processor",
        "privacy-url": "https://analyticsco.com/privacy"
      }
    ]
  },
  "access-event": {
    "state": "ACTIVE",
    "registered-at": "2023-11-07T05:31:56Z",
    "expiry": "2027-11-10T17:07:01.580Z",
    "controller-reference": "REF-00123"
  },
  "reidentification-token": "<string>"
}
'

{
  "response": {
    "resource": "/v1/access-records/ak_691df0c788ca043403b7fa90",
    "timestamp": "2026-03-11T12:00:00Z",
    "transaction-id": "tid_691df0c788ca043403b7fa90"
  },
  "access-token": {
    "key": "ak_691df0c788ca043403b7fa90",
    "expiry": "2023-11-07T05:31:56Z"
  }
}

Authorizations

Authorization
string
header
required

JWT from GET /auth/token. Pass as Authorization: Bearer <token>. Expires after 7200s.

Path Parameters

ak
string
required

The access key of the record to replace. Unique opaque identifier for an access record, issued by the register on creation. Treat as a secret — possession enables access verification.

Pattern: ^ak_[0-9a-f]{24}$
Example: "ak_691df0c788ca043403b7fa90"

Body

application/json

Full AccessRecord replacement payload.

A data access record covering all lawful bases. The same schema is used regardless of processing.legal-basis. The notice field and access-event.consent sub-object are null for non-consent records and populated for consent records.

record-metadata
object
required

ISO 27560 Section 1 — Record Metadata

record-identifier and created-at are assigned by the register on creation and returned in responses; they must not be supplied in request bodies.

identity-record-ref links this access record to the Identity Record that holds the person-property relationship (PII principal, move-in date, address, and identity verification evidence). Supply the ir key returned when the Identity Record was created. The linked Identity Record must have been registered by the same authenticated Data User.

identity-record-ref is required when registering a new Access Record in the standard flow. It may be omitted when a reidentification-token is supplied in the POST /access-records request body — the register resolves the ir internally from the validated token.

notice
object
required

Populated for consent-based records; null for all other legal bases.

processing
object
required

ISO 27560 Section 3 — Processing Fields

Defines the shared scope and legal basis of data access. These fields apply to the access registration as a whole regardless of how many controllers are involved.

Per-controller compliance fields — privacy-rights-url, lia-reference, statutory-reference, and storage-conditions — are held on each Controller entry within record-metadata.controller-arrangement, where each controller bears individual accountability.

legal-basis applies to all controllers in the arrangement. For joint arrangements, all controllers must share the same legal basis — if purposes or bases differ, separate Access Records are required.

access-event
object
required

ISO 27560 Section 4 — Access Event Fields

Records when access was registered, its lifecycle state and duration, and (for consent records) the specific details of how consent was expressed.

registered-at serves as the canonical event timestamp for all record types — for consent records it is the date the customer gave consent; for non-consent records it is the date the Controller registered their access.

revoked-at is set by the register on revocation and must not be supplied in request bodies.

consent is required when legal-basis is uk-consent or uk-explicit-consent. It must be omitted or null for all other legal bases (uk-public-task, uk-legitimate-interests, uk-legal-obligation, uk-contract).

reidentification-token
string | null

Cross-DUID only. A confirmed token-ref obtained via POST /identity-records/reidentify. When supplied, identity-record-ref in record-metadata must be omitted — the register resolves the ir internally. The token is single-use, scoped to the initiating Data User, and expires one hour after issuance.
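
A client-side pre-flight check for the body rules documented above, as an added example (not part of the register's API or its operator's code). `check_replacement` and its messages are hypothetical names, and the sample payload is constructed, modelled on the request example at the top of this page.

```python
import re

AK_RE = re.compile(r"ak_[0-9a-f]{24}")  # used with fullmatch; "$" would allow a trailing "\n"
CONSENT_BASES = {"uk-consent", "uk-explicit-consent"}
# Fields the register assigns itself; they must not appear in request bodies.
REGISTER_ASSIGNED = {"record-metadata": ("record-identifier", "created-at"),
                     "access-event": ("revoked-at",)}


def check_replacement(ak, body):
    """Hypothetical helper: list rule violations; an empty list means send."""
    errors = []
    if not isinstance(ak, str) or not AK_RE.fullmatch(ak):
        errors.append("ak does not match the documented pattern")
    for section, fields in REGISTER_ASSIGNED.items():
        for field in fields:
            if field in (body.get(section) or {}):
                errors.append(f"{section}.{field} is assigned by the register")
    basis = (body.get("processing") or {}).get("legal-basis")
    consent = (body.get("access-event") or {}).get("consent")
    notice = body.get("notice")
    if basis is None:
        errors.append("processing.legal-basis is missing")
    elif basis in CONSENT_BASES:
        if consent is None:
            errors.append(f"access-event.consent is required for {basis}")
        if notice is None:
            errors.append(f"notice must be populated for {basis}")
    else:
        if consent is not None:
            errors.append(f"access-event.consent must be null for {basis}")
        if notice is not None:
            errors.append(f"notice must be null for {basis}")
    meta = body.get("record-metadata") or {}
    if body.get("reidentification-token") is not None and "identity-record-ref" in meta:
        errors.append("identity-record-ref conflicts with reidentification-token")
    return errors


# Constructed sample, modelled on the fields of the request example on this page.
SAMPLE = {
    "record-metadata": {"identity-record-ref": "ir_a3c5e7f9b1d3a3c5e7f9b1d3"},
    "notice": {"notices": [{"notice-version": "v2.0", "notice-language": "en"}]},
    "processing": {"legal-basis": "uk-consent"},
    "access-event": {"state": "ACTIVE", "registered-at": "2023-11-07T05:31:56Z"},
    "reidentification-token": "<string>",
}

print(*check_replacement("ak_691df0c788ca043403b7fa90", SAMPLE), sep="\n")
```

On the constructed sample it reports the missing access-event.consent and the identity-record-ref / reidentification-token conflict.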

Response

Access record replaced successfully.

response
object
required
access-token
object
required

The access token issued on successful registration. Pass to Data Providers to enable access verification.

Last modified on March 25, 2026