Question
When a Nominated Representative gives consent on behalf of a business account, should the tokens issued during authentication relate to the business account or to the Nominated Representative user?
Answer
The PII claims, such as sub, given_name, and family_name, are related to the authenticated end user, that is, the nominated representative. The Customer API data is related to the business. The resource IDs are bound to the business, not to the nominated representative.
In other words, the accountId for account 12345 should be the same regardless of which nominated representative establishes consent on behalf of the business. ID Permanence should follow the standards.
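The split described above, as an added example that is not part of the original answer or of any standard text: `sub` is derived from the authenticated user, while `accountId` is derived from the business and the account only. The HMAC derivation, the per-software-product scoping, the key, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo key; a real data holder would keep this in an HSM or KMS.
ID_KEY = b"constructed-demo-key-not-for-production"


def _opaque_id(*parts: str) -> str:
    """HMAC-SHA256 over length-prefixed parts, so field boundaries cannot be shifted."""
    msg = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
    return hmac.new(ID_KEY, msg, hashlib.sha256).hexdigest()[:32]


def subject_for(user_id: str, software_product_id: str) -> str:
    """`sub` identifies the authenticated end user (the nominated representative)."""
    return _opaque_id("sub", user_id, software_product_id)


def account_id_for(business_id: str, internal_account: str, software_product_id: str) -> str:
    """Resource ID is bound to the business account, never to the acting user."""
    return _opaque_id("accountId", business_id, internal_account, software_product_id)


def build_consent_view(user: dict, business_id: str, internal_account: str, product: str) -> dict:
    """Return the ID token claims and the API resource ID for one consent."""
    return {
        "id_token": {
            "sub": subject_for(user["id"], product),
            "given_name": user["given_name"],
            "family_name": user["family_name"],
        },
        "accountId": account_id_for(business_id, internal_account, product),
    }


# Constructed sample data: two nominated representatives of the same business.
ALICE = {"id": "user-001", "given_name": "Alice", "family_name": "Nguyen"}
BOB = {"id": "user-002", "given_name": "Bob", "family_name": "Singh"}

if __name__ == "__main__":
    for rep in (ALICE, BOB):
        print(build_consent_view(rep, "biz-777", "12345", "product-A"))
```

If the user identifier were ever mixed into `account_id_for`, the same account would surface under a different ID whenever another representative consented, which is the failure the answer rules out.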
See: