Question
The specifications state that the x-fapi-customer-ip-address is "Not to be included for unauthenticated calls."
The customer's original IP address if the customer is currently logged in to the data recipient. The presence of this header indicates that the API is being called in a customer present context. Not to be included for unauthenticated calls.
It does not prefix the "Not to be included" with a MUST or SHOULD.
If a Third Party Provider makes a call to the Get Product API and they send the x-fapi-customer-ip-address header, should this request be rejected, or can we be lenient to the caller, ignore this IP address, process the request and return the relevant data?
Answer
The intent of the x-fapi-customer-ip-address header is for customer-is-present calls - in other words, the consumer is logged in and is in attendance (using the Accredited Data Recipient application) when the call is made.
Please note: update to the answer below
The presence of the header denotes that the consumer is present when the call is made, and if the ADR software product sends the header on an unauthenticated call it should be ignored, not rejected.
The reason it doesn't apply for unauthenticated endpoints (and the other x-fapi headers) is because they are public APIs that do not apply to the FAPI profile.
See GitHub issue 250
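As an added illustration of the rule above (example code, not from the article or the standards body), this is how a data holder's request handling could treat the header: on unauthenticated endpoints its presence is simply ignored, while on authenticated calls it is taken as the customer-present indication. It assumes the caller already knows whether the endpoint is authenticated; what to do with a malformed value on an authenticated call is not addressed by the article, so the example only flags it as invalid.

```python
import ipaddress
from dataclasses import dataclass
from typing import Mapping, Optional

HEADER = "x-fapi-customer-ip-address"


@dataclass
class IpHeaderDecision:
    action: str                 # "absent", "ignored", "customer_present" or "invalid"
    customer_ip: Optional[str]  # normalised address, only when the header is actually used
    reason: str


def _lookup(headers: Mapping[str, str], name: str) -> Optional[str]:
    # HTTP header names are case-insensitive, so compare on the lower-cased name.
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def evaluate_customer_ip_header(headers: Mapping[str, str], authenticated: bool) -> IpHeaderDecision:
    """Decide how the x-fapi-customer-ip-address header affects this request.

    `authenticated` is supplied by the caller (assumption: endpoint classification
    happens elsewhere, e.g. Get Products is an unauthenticated endpoint).
    """
    raw = _lookup(headers, HEADER)

    if not authenticated:
        # Public endpoint: the FAPI profile does not apply, so the header is never a
        # reason to reject. Its presence is ignored and processing continues.
        if raw is None:
            return IpHeaderDecision("absent", None, "public endpoint, header not sent")
        return IpHeaderDecision("ignored", None, "public endpoint, header does not apply")

    if raw is None:
        # Authenticated call without the header: no customer-present indication.
        return IpHeaderDecision("absent", None, "authenticated call, customer not indicated as present")

    try:
        ip = ipaddress.ip_address(raw.strip())  # accepts IPv4 and IPv6
    except ValueError:
        # Assumption of this example: a syntactically invalid value is reported, not silently used.
        return IpHeaderDecision("invalid", None, "header value is not an IP address")

    # Header present and well-formed on an authenticated call: customer-present context.
    return IpHeaderDecision("customer_present", str(ip), "authenticated call with customer present")
```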