Archived 2022.11.20. Content moved to error scenarios and responses.
Question
If an API is invoked by an Accredited Data Recipient (ADR), but the consent has been withdrawn or canceled, then which error code should be returned by the Data Holder (DH)? 401 Unauthorised or 403 Forbidden?
Answer
This is covered by the upstream OAuth standards. If the consent has been withdrawn then the refresh token has been revoked and no access token is issued by the Data Holder. This is an authorisation error with a corresponding OAuth error response. A 401 Unauthorised error with a corresponding OAuth error response should be returned.
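The chain the answer describes, shown as an added example that is not the Consumer Data Standards' or any Data Holder's code: the token endpoint refuses a refresh token whose consent has been withdrawn with the OAuth `invalid_grant` error (RFC 6749 §5.2), and the resource API rejects any access token tied to that consent with a 401 and a Bearer `WWW-Authenticate` challenge carrying `error="invalid_token"` (RFC 6750 §3.1). For contrast it also shows the one case RFC 6750 reserves for 403, a valid token that lacks the required scope, which goes beyond the question but is the distinction being asked about. The arrangement identifiers, token strings, scope names and token store are all constructed for the example.

```python
"""Added example of a Data Holder's responses once a consent is withdrawn.
Token endpoint errors follow RFC 6749 section 5.2; resource API errors follow
RFC 6750 section 3.1. All identifiers and sample data here are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TokenRecord:
    subject: str
    arrangement_id: str   # hypothetical: the consent this token was issued under
    scopes: frozenset
    expires_at: int       # epoch seconds


# Constructed sample state: one live consent, one the consumer has withdrawn.
ACCESS_TOKENS = {
    "at-arr-live": TokenRecord("cust-1", "arr-live",
                               frozenset({"bank:accounts.basic:read"}), 2_000_000_000),
    "at-arr-gone": TokenRecord("cust-2", "arr-gone",
                               frozenset({"bank:accounts.basic:read"}), 2_000_000_000),
}
REFRESH_TOKENS = {"rt-live": "arr-live", "rt-gone": "arr-gone"}
# Withdrawing a consent revokes every refresh and access token issued under it.
REVOKED_ARRANGEMENTS = {"arr-gone"}


def token_endpoint(form: dict) -> tuple:
    """Refresh-token grant (RFC 6749 section 6). A refresh token whose consent
    has been withdrawn is revoked, so the grant fails with invalid_grant and
    HTTP 400 (section 5.2) and no new access token is issued."""
    if form.get("grant_type") != "refresh_token":
        return 400, {"error": "unsupported_grant_type"}
    arrangement = REFRESH_TOKENS.get(form.get("refresh_token", ""))
    if arrangement is None or arrangement in REVOKED_ARRANGEMENTS:
        return 400, {"error": "invalid_grant",
                     "error_description": "refresh token revoked or unknown"}
    return 200, {"access_token": f"at-{arrangement}",
                 "token_type": "Bearer", "expires_in": 300}


def _challenge(error: Optional[str] = None, description: Optional[str] = None,
               scope: Optional[str] = None) -> str:
    """Build the WWW-Authenticate value for a Bearer challenge (RFC 6750 section 3)."""
    parts = ['realm="cdr"']
    if error:
        parts.append(f'error="{error}"')
    if description:
        parts.append(f'error_description="{description}"')
    if scope:
        parts.append(f'scope="{scope}"')
    return "Bearer " + ", ".join(parts)


def resource_api(headers: dict, required_scope: str, now: int) -> tuple:
    """Resource API access check. Returns (status, response headers, body).
    Missing credential: 401 with a bare challenge (no error code).
    Revoked, expired or unknown token: 401 invalid_token.
    Valid token without the needed scope: 403 insufficient_scope."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"WWW-Authenticate": _challenge()}, None
    rec = ACCESS_TOKENS.get(auth[len("Bearer "):].strip())
    if (rec is None or now >= rec.expires_at
            or rec.arrangement_id in REVOKED_ARRANGEMENTS):
        err = "invalid_token"
        hdr = _challenge(err, "access token revoked, expired or unknown")
        return 401, {"WWW-Authenticate": hdr}, {"error": err}
    if required_scope not in rec.scopes:
        err = "insufficient_scope"
        hdr = _challenge(err, "token lacks required scope", required_scope)
        return 403, {"WWW-Authenticate": hdr}, {"error": err}
    return 200, {}, {"subject": rec.subject}


if __name__ == "__main__":
    print(token_endpoint({"grant_type": "refresh_token", "refresh_token": "rt-gone"}))
    print(resource_api({"Authorization": "Bearer at-arr-gone"},
                       "bank:accounts.basic:read", 1_700_000_000))
```

The check for a revoked arrangement is deliberately the same test the token endpoint applies, so an access token that was still within its lifetime when the consent was withdrawn is rejected immediately rather than surviving until expiry; the 401 carries the machine-readable `invalid_token` code in the header as well as the body so an ADR client can distinguish it from a scope problem without parsing prose.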