Consent Engine

This page maps one part of the Open Insurance environment infrastructure: the Consent Engine, whose APIs manage customer consent for the data-sharing integrations described below. Its functionalities are:

  • Create a Consent;

  • Validate a Consent;

  • Update the Consent approvers;

  • Update the Consent’s permissions;

  • Authorize a Consent;

  • Reject a Consent;

  • Revoke a Consent;

  • Update the resources of a Consent.

Susep’s official specifications for Consent Engine (in Portuguese).

The Open Insurance Brazil specifies two groups of companies that can participate in the integration ecosystem:

  • Transmitters - Participating companies that hold the data being shared and make it available to Receivers. Transmitters must expose APIs through which registered Receivers can access insurance service information.

  • Receivers - Participating companies that receive the shared data.

The Receiver Consent Journey APIs are used by an Insurance Company (IC) to create a consent request, on behalf of the customer, at another IC. Open Insurance requires ICs to integrate with each other, and these APIs abstract away the complexity of that integration.

The Transmitter Consent Journey APIs enable an Insurance Company to receive consent requests, and the data requests that follow them, from other ICs. They also support the customer journey for consent approval, including multi-level approvals.

Interceptors

To expose your Open Insurance APIs for consumption, you need to add specific interceptors that perform the validations and fundamental tasks required in the Open Insurance context. Ready-made custom interceptors are offered in the Admin Portal. [under construction]

The interceptors for Open Insurance are:

  • Access Token Authorization;

  • Certificate Extractor;

  • Update Location;

  • Consent Validation;

  • Signature Validation;

  • Permissions Validation.

Access Token Authorization

This interceptor is required for every exposed API related to Open Insurance. The Access Token Authorization validates the access token presented in the request and rejects requests that carry no valid token. Because the other interceptors assume an authenticated caller, it should run before them in the interceptor chain.

Certificate Extractor

As the name implies, the Certificate Extractor extracts the client certificate presented on the incoming connection and passes it on to the following steps. The extraction is done so that the certificate can be parsed and the bindings and validations that depend on it (for example, tying the caller to a registered participant) can be performed.

Update Location

Incoming requests pass through the API Gateway before they reach the Authorization Server. The Authorization Server then issues internal redirects whose addresses point at internal domains. The Update Location interceptor rewrites those addresses to the externally visible ones, so that the requester receives a URL it can actually reach and internal hostnames are not exposed.

Consent Validation

The Consent Validation Interceptor is used together with the Permissions Validation Interceptor to certify that the consent created by the customer at the Transmitter, and the permissions of the API being accessed, meet the grouping criteria defined by Open Insurance Brazil.

Signature Validation

Interceptor used to validate the JWS messages sent by the initiating institution. It can be applied on both the request and the response flow of an API and is responsible for validating the base64url encoding of the JWS segments, the signature, and the payload it protects.
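The following Go program is an added example of the checks a Signature Validation step has to make on a compact JWS; it is not the platform's interceptor code. It verifies that the token has three base64url segments with no padding, pins the algorithm (PS256 is assumed here as the algorithm used for Open Insurance Brazil payloads) so that an attacker-chosen `alg` such as `none` is refused, and verifies an RSA-PSS signature over the exact `header.payload` bytes as received. The signing key, the `kid` value and the consent payload are constructed inline so the program runs offline; a real deployment resolves the signer's public key by `kid` from the participant directory, which is not modeled here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// allowedAlg pins the JWS algorithm (PS256 is an assumption for this example).
// The verifier must never let the token's own "alg" header pick the algorithm.
const allowedAlg = "PS256"

// PS256 uses RSA-PSS with SHA-256 and a salt as long as the hash.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}

type jwsHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid,omitempty"`
}

// NewTestKey generates a throwaway RSA key so the example runs offline.
func NewTestKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// SignJWS builds a compact JWS (header.payload.signature), the form an
// initiating institution would send.
func SignJWS(key *rsa.PrivateKey, kid string, payload []byte) (string, error) {
	hdr, err := json.Marshal(jwsHeader{Alg: allowedAlg, Kid: kid})
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	signingInput := enc.EncodeToString(hdr) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], pssOpts)
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// VerifyJWS does the interceptor's work: structure, strict base64url decoding,
// algorithm pinning, signature over the encoded segments exactly as received,
// and a JSON payload. The payload is returned only when every check passes.
func VerifyJWS(token string, pub *rsa.PublicKey) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jws: expected three dot-separated segments")
	}
	enc := base64.RawURLEncoding // rejects '+', '/' and '=' padding
	rawHdr, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("jws: header is not base64url: %w", err)
	}
	var hdr jwsHeader
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return nil, fmt.Errorf("jws: header is not JSON: %w", err)
	}
	if hdr.Alg != allowedAlg {
		return nil, fmt.Errorf("jws: alg %q not allowed (want %s)", hdr.Alg, allowedAlg)
	}
	payload, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("jws: payload is not base64url: %w", err)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("jws: signature is not base64url: %w", err)
	}
	// Hash the received segments, never a re-serialised copy of the decoded JSON.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOpts); err != nil {
		return nil, errors.New("jws: signature verification failed")
	}
	if !json.Valid(payload) {
		return nil, errors.New("jws: payload is not valid JSON")
	}
	return payload, nil
}

func main() {
	key := NewTestKey() // constructed key, not a participant's real key
	// Constructed consent payload; field names are illustrative.
	token, err := SignJWS(key, "example-kid", []byte(`{"data":{"consentId":"urn:example:consent:1"}}`))
	if err != nil {
		panic(err)
	}
	payload, err := VerifyJWS(token, &key.PublicKey)
	fmt.Printf("valid token: payload=%s err=%v\n", payload, err)
	// Downgrade attempt: same token with the header swapped for alg=none.
	parts := strings.Split(token, ".")
	parts[0] = base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none"}`))
	_, err = VerifyJWS(strings.Join(parts, "."), &key.PublicKey)
	fmt.Println("alg=none token:", err)
}
```

The verification input is the concatenation of the encoded segments as they arrived; re-encoding the decoded JSON would let a message with equivalent but differently serialised content pass or fail unpredictably, which is why the interceptor validates the encoding and the signature as separate steps.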

Permissions Validation

This interceptor validates the permission set defined by Open Insurance Brazil for accessing customer resources at the Transmitter institution. Once it is configured, the API is ready to check that the consent contains the permissions required to access the resource. Each interceptor instance must be configured with only the permissions strictly necessary for its specific resource, so that a consent granted for one kind of data cannot be used to read another.
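As an added example covering both the Consent Validation and the Permissions Validation interceptors above (it is not the platform's own code), the following Go program models the two checks separately: `ValidateGrouping` enforces the grouping criteria when a consent is created, and `AuthorizeRequest` checks at access time that an authorised, unexpired consent carries the permissions configured for the requested resource, failing closed for routes with no configured mapping. The consent fields, status values, permission names, groups and routes are illustrative assumptions; take the real ones from the Susep specification.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Consent holds the fields an interceptor needs from the consent record.
// Field names and status values are assumptions for this example.
type Consent struct {
	ConsentID      string
	Status         string // assumed: AUTHORISED, AWAITING_AUTHORISATION, REJECTED, REVOKED
	ExpirationTime time.Time
	Permissions    []string
}

// sharedPermission is assumed to be required by every group and to be
// insufficient on its own.
const sharedPermission = "RESOURCES_READ"

// permissionGroups expresses the grouping criteria: a consent must carry a
// whole group, never a subset of it. Groups and names are illustrative.
var permissionGroups = [][]string{
	{"CUSTOMERS_PERSONAL_IDENTIFICATIONS_READ", sharedPermission},
	{"CUSTOMERS_PERSONAL_QUALIFICATION_READ", sharedPermission},
	{"DAMAGES_AND_PEOPLE_AUTO_READ", sharedPermission},
}

// requiredPermissions is what each Permissions Validation interceptor instance
// is configured with: only what its own resource needs. Routes are illustrative.
var requiredPermissions = map[string][]string{
	"GET /customers/v1/personal/identifications": {"CUSTOMERS_PERSONAL_IDENTIFICATIONS_READ", sharedPermission},
	"GET /customers/v1/personal/qualifications":  {"CUSTOMERS_PERSONAL_QUALIFICATION_READ", sharedPermission},
	"GET /insurance-auto/v1/insurance-auto":      {"DAMAGES_AND_PEOPLE_AUTO_READ", sharedPermission},
	"GET /resources/v1/resources":                {sharedPermission},
}

func toSet(perms []string) map[string]bool {
	set := make(map[string]bool, len(perms))
	for _, p := range perms {
		set[p] = true
	}
	return set
}

// groupContaining returns the group a non-shared permission belongs to.
func groupContaining(perm string) []string {
	for _, group := range permissionGroups {
		for _, member := range group {
			if member == perm {
				return group
			}
		}
	}
	return nil
}

// ValidateGrouping is the Consent Validation check applied when a consent is
// created: every permission must be known, every group touched must be
// complete, and at least one functional group must be present.
func ValidateGrouping(perms []string) error {
	have := toSet(perms)
	functional := 0
	for _, p := range perms {
		if p == sharedPermission {
			continue
		}
		group := groupContaining(p)
		if group == nil {
			return fmt.Errorf("consent: unknown permission %s", p)
		}
		for _, member := range group {
			if !have[member] {
				return fmt.Errorf("consent: %s requires %s from the same group", p, member)
			}
		}
		functional++
	}
	if functional == 0 {
		return errors.New("consent: at least one permission group is required")
	}
	return nil
}

// AuthorizeRequest is the Permissions Validation check applied on each call.
func AuthorizeRequest(c Consent, method, path string, now time.Time) error {
	required, ok := requiredPermissions[strings.ToUpper(method)+" "+path]
	if !ok {
		return fmt.Errorf("authz: no permission mapping for %s %s, denying", method, path)
	}
	if c.Status != "AUTHORISED" {
		return fmt.Errorf("authz: consent %s is %s, not AUTHORISED", c.ConsentID, c.Status)
	}
	if !now.Before(c.ExpirationTime) {
		return fmt.Errorf("authz: consent %s expired at %s", c.ConsentID, c.ExpirationTime.UTC())
	}
	have := toSet(c.Permissions)
	for _, p := range required {
		if !have[p] {
			return fmt.Errorf("authz: consent %s lacks %s", c.ConsentID, p)
		}
	}
	return nil
}

func main() {
	now := time.Date(2024, 1, 10, 12, 0, 0, 0, time.UTC) // constructed clock
	consent := Consent{ // constructed consent record
		ConsentID: "urn:example:consent:1", Status: "AUTHORISED",
		ExpirationTime: now.Add(24 * time.Hour),
		Permissions:    []string{"CUSTOMERS_PERSONAL_IDENTIFICATIONS_READ", sharedPermission},
	}
	fmt.Println("grouping:", ValidateGrouping(consent.Permissions))
	fmt.Println("identifications:", AuthorizeRequest(consent, "GET", "/customers/v1/personal/identifications", now))
	fmt.Println("insurance-auto:", AuthorizeRequest(consent, "GET", "/insurance-auto/v1/insurance-auto", now))
}
```

The unmapped-route branch is deliberate: an API exposed without its own permission configuration should be unreachable rather than silently open, which is the practical meaning of giving each interceptor only the permissions its resource needs.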
