
The Wych Data Holder API enables Data Holder platforms to expose consent and authorisation capabilities through Wych.

This API is designed for server-side integrations where a trusted application needs to authenticate with the Wych platform, work with user-context access tokens, and manage customer consent records.

What you can do with this API

Using this API, you can:

  • discover realm-specific OpenID Connect configuration
  • authenticate your application using OAuth 2.0 client credentials
  • retrieve a user-context access token
  • list active and historical consents
  • retrieve detailed consent information
  • revoke consent when access should no longer be granted

How the API works

The Wych Data Holder API typically follows this flow:

  1. discover the OpenID Connect configuration for the required realm
  2. authenticate your application using its client credentials
  3. retrieve a user-context token where the request needs to act on behalf of a user
  4. list or retrieve consent records
  5. revoke consent when required

Authentication

Protected API requests use a Wych gateway API key.

Depending on the operation, requests may also require one of the following tokens:

  • a client access token, retrieved using the OAuth 2.0 client credentials flow
  • a user-context bearer token, retrieved through token exchange

Use the authentication endpoints to retrieve the correct token before calling protected consent-management endpoints.
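
Steps 1 and 2 of the flow as an added example (not Wych's own code): it checks a discovery document before any client secret is sent, then builds the client credentials token request. The realm path, sample document, client id and secret are constructed, and HTTP Basic client authentication is an assumption; the API reference gives the actual discovery URL and authentication method.

```python
import base64
import json
from urllib.parse import quote_plus, urlsplit

IDENTITY_HOST = "login.wych.app"  # identity base URL host, from this page

# Constructed sample discovery document; the realm path is a placeholder.
SAMPLE_ISSUER = "https://login.wych.app/EXAMPLE-REALM"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "grant_types_supported": ["client_credentials"],
})


def validate_discovery(raw, expected_issuer):
    """Parse a discovery document; raise ValueError if it must not be trusted."""
    doc = json.loads(raw)
    # OpenID Connect Discovery: issuer must equal the one used to fetch it.
    if doc.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch")
    endpoint = urlsplit(str(doc.get("token_endpoint", "")))
    # Never send the client secret to a non-HTTPS or off-host endpoint.
    if endpoint.scheme != "https" or endpoint.hostname != IDENTITY_HOST:
        raise ValueError("token_endpoint is not HTTPS on the identity host")
    return doc


def client_credentials_request(doc, client_id, client_secret):
    """Build (url, headers, body) for the RFC 6749 client credentials grant."""
    # Absent grant_types_supported does not imply client_credentials.
    if "client_credentials" not in doc.get("grant_types_supported", []):
        raise ValueError("realm does not advertise client_credentials")
    # Assumption: client authenticates with HTTP Basic (RFC 6749 section 2.3.1).
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return doc["token_endpoint"], headers, "grant_type=client_credentials"


if __name__ == "__main__":
    doc = validate_discovery(SAMPLE_DISCOVERY, SAMPLE_ISSUER)
    url, headers, body = client_credentials_request(doc, "demo-client", "demo-secret")
    print(url, body)  # constructed client id and secret, not real credentials
```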

Consent records represent the permissions granted by a user to share data with a recipient.

The consent endpoints allow you to:

  • list consent records
  • filter consents by status
  • retrieve the details of a specific consent
  • revoke a consent

Revoking a consent removes the associated data access permissions. Any tokens granted under that consent should no longer be used.

Base URLs

The API uses the following base URLs:

  • https://api.wych.io/v4 for Wych API endpoints
  • https://login.wych.app for identity and OpenID Connect endpoints

Next steps

Start with the API reference for authentication, then use the consent endpoints to retrieve and manage consent records.