Permissions
Configure what data can be shared, with whom, and under what conditions through the reusable KYC permissions system.
Permission Levels
Organization-Level Permissions
Control what your organization can share and receive:
```bash
curl -X PUT https://api.bytrustgate.com/v1/settings/reusable-kyc/permissions \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "sharing": {
      "enabled": true,
      "allowed_data": [
        "full_name",
        "date_of_birth",
        "nationality",
        "verification_status",
        "screening_status"
      ],
      "forbidden_data": [
        "document_images",
        "biometric_data",
        "raw_address"
      ],
      "require_user_consent": true
    },
    "receiving": {
      "enabled": true,
      "minimum_verification_level": "standard",
      "accepted_providers": ["all"],
      "max_verification_age_days": 365
    }
  }'
```
User-Level Permissions
Users can set their own sharing preferences:
```bash
curl -X PUT https://api.bytrustgate.com/v1/applicants/{applicant_id}/sharing-preferences \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "allow_reusable_kyc": true,
    "allowed_data": [
      "full_name",
      "date_of_birth",
      "verification_status"
    ],
    "blocked_data": [
      "address",
      "risk_score"
    ],
    "require_approval": true,
    "blocked_organizations": ["org_xyz"]
  }'
```
Data Categories
Shareable Data
| Category | Fields | Permission Required |
|---|---|---|
| Identity | full_name, date_of_birth | Basic |
| Nationality | nationality, citizenship | Basic |
| Address | verified_address, country | Enhanced |
| Verification | verification_status, level | Basic |
| Screening | screening_status, pep_status | Standard |
| Risk | risk_score, risk_level | Enhanced |
Never Shareable
These data types are never shared via reusable KYC:
- Document images
- Biometric data (selfies, face embeddings)
- Raw identity document numbers
- Device fingerprints
- Internal case notes
Partner Permissions
Configure Partner Access
```bash
curl -X POST https://api.bytrustgate.com/v1/reusable-kyc/partners \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "partner_id": "org_partner_123",
    "partner_name": "Trusted Partner Inc",
    "relationship": "affiliate",
    "permissions": {
      "can_receive": true,
      "can_share": true,
      "allowed_data": [
        "full_name",
        "date_of_birth",
        "nationality",
        "verification_status",
        "screening_status"
      ],
      "skip_user_consent": false,
      "auto_approve_requests": false
    },
    "effective_from": "2025-01-01",
    "expires_at": "2026-01-01"
  }'
```
List Partners
```bash
curl -X GET "https://api.bytrustgate.com/v1/reusable-kyc/partners" \
  -H "Authorization: Bearer YOUR_API_KEY"
```
Response
```json
{
  "partners": [
    {
      "partner_id": "org_partner_123",
      "partner_name": "Trusted Partner Inc",
      "relationship": "affiliate",
      "status": "active",
      "permissions": {
        "can_receive": true,
        "can_share": true,
        "allowed_data": ["full_name", "date_of_birth", "verification_status"]
      },
      "statistics": {
        "verifications_shared": 150,
        "verifications_received": 75
      }
    }
  ]
}
```
Consent Requirements
Configure Consent Flow
```bash
curl -X PUT https://api.bytrustgate.com/v1/settings/reusable-kyc/consent \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "require_explicit_consent": true,
    "consent_expiry_days": 365,
    "allow_blanket_consent": false,
    "consent_granularity": "per_field",
    "show_recipient_details": true,
    "consent_withdrawal": {
      "allowed": true,
      "retroactive": false
    }
  }'
```
Consent Granularity Options
| Option | Description |
|---|---|
| all_or_nothing | User approves full data package or nothing |
| per_category | User chooses data categories |
| per_field | User selects individual fields |
Request Approval
Auto-Approval Rules
```bash
curl -X PUT https://api.bytrustgate.com/v1/settings/reusable-kyc/auto-approve \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "enabled": true,
    "rules": [
      {
        "condition": {
          "requester_type": "trusted_partner",
          "data_scope": ["full_name", "verification_status"]
        },
        "auto_approve": true
      },
      {
        "condition": {
          "requester_type": "any",
          "includes_sensitive_data": true
        },
        "auto_approve": false,
        "require_manual_approval": true
      }
    ]
  }'
```
Manual Approval Queue
```bash
curl -X GET "https://api.bytrustgate.com/v1/reusable-kyc/pending-approvals" \
  -H "Authorization: Bearer YOUR_API_KEY"
```
Response
```json
{
  "pending_approvals": [
    {
      "request_id": "req_789",
      "applicant_id": "app_123",
      "requester": {
        "organization": "New Fintech Corp",
        "org_id": "org_456"
      },
      "data_requested": ["full_name", "date_of_birth", "screening_status"],
      "purpose": "account_opening",
      "requested_at": "2025-01-20T14:00:00Z",
      "expires_at": "2025-01-21T14:00:00Z"
    }
  ]
}
```
Approve/Deny Request
```bash
# Approve
curl -X POST https://api.bytrustgate.com/v1/reusable-kyc/requests/req_789/approve \
  -H "Authorization: Bearer YOUR_API_KEY"

# Deny
curl -X POST https://api.bytrustgate.com/v1/reusable-kyc/requests/req_789/deny \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "reason": "Requester not approved partner"
  }'
```
Data Minimization
Configure Minimum Data Rules
```bash
curl -X PUT https://api.bytrustgate.com/v1/settings/reusable-kyc/data-minimization \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "enforce_minimization": true,
    "purpose_based_limits": {
      "account_opening": {
        "allowed": ["full_name", "date_of_birth", "verification_status", "screening_status"],
        "forbidden": ["risk_score", "address"]
      },
      "transaction_verification": {
        "allowed": ["full_name", "verification_status"],
        "forbidden": ["date_of_birth", "screening_status"]
      }
    }
  }'
```
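How the organization, user, partner and purpose settings combine for a single request is not spelled out on this page. The following added example (not TrustGate code) evaluates a request locally against the sample settings shown above, assuming any deny list wins and every allow list must contain the field; `effectiveFields` and the `layers` object are hypothetical names.

```javascript
// Added example, not TrustGate code. ASSUMPTION: any deny list wins, then
// every allow list must contain the field; the page does not state precedence.
// Values below are constructed from the sample payloads on this page.
const layers = {
  org: {
    allowed_data: ["full_name", "date_of_birth", "nationality", "verification_status", "screening_status"],
    forbidden_data: ["document_images", "biometric_data", "raw_address"],
  },
  user: {
    allowed_data: ["full_name", "date_of_birth", "verification_status"],
    blocked_data: ["address", "risk_score"],
    blocked_organizations: ["org_xyz"],
  },
  partner: {
    allowed_data: ["full_name", "date_of_birth", "nationality", "verification_status", "screening_status"],
  },
  purposes: {
    account_opening: {
      allowed: ["full_name", "date_of_birth", "verification_status", "screening_status"],
      forbidden: ["risk_score", "address"],
    },
    transaction_verification: {
      allowed: ["full_name", "verification_status"],
      forbidden: ["date_of_birth", "screening_status"],
    },
  },
};

// Hypothetical helper: which requested fields pass every layer, and why not.
function effectiveFields(request, l) {
  const purpose = l.purposes[request.purpose];
  const released = [], withheld = {};
  for (const field of request.fields) {
    const checks = [
      [l.user.blocked_organizations.includes(request.org_id), "user.blocked_organizations"],
      [!purpose, "unknown purpose"],
      [l.org.forbidden_data.includes(field), "org.forbidden_data"],
      [l.user.blocked_data.includes(field), "user.blocked_data"],
      [purpose && purpose.forbidden.includes(field), "purpose.forbidden"],
      [!l.org.allowed_data.includes(field), "not in org.allowed_data"],
      [!l.user.allowed_data.includes(field), "not in user.allowed_data"],
      [!l.partner.allowed_data.includes(field), "not in partner.allowed_data"],
      [purpose && !purpose.allowed.includes(field), "not in purpose.allowed"],
    ];
    const hit = checks.find(([failed]) => failed);
    if (hit) withheld[field] = hit[1]; else released.push(field);
  }
  return { released, withheld };
}
```

Running a planned change through a check like this before sending the `PUT` shows which layer is the binding constraint for each field, for example that `screening_status` is allowed by the organization, partner and purpose but withheld by the user's own preferences.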
Permission Audit
View Permission Changes
```bash
curl -X GET "https://api.bytrustgate.com/v1/reusable-kyc/permissions/audit" \
  -H "Authorization: Bearer YOUR_API_KEY"
```
Response
```json
{
  "audit_entries": [
    {
      "timestamp": "2025-01-20T14:00:00Z",
      "action": "permission_updated",
      "actor": "admin@company.com",
      "changes": {
        "allowed_data": {
          "added": ["screening_status"],
          "removed": []
        }
      }
    },
    {
      "timestamp": "2025-01-19T10:00:00Z",
      "action": "partner_added",
      "actor": "admin@company.com",
      "partner": "org_partner_123"
    }
  ]
}
```
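An added example (not part of the TrustGate API or SDK) of reviewing these audit entries: it flags changes that add fields above a chosen permission level from the Shareable Data table, fields absent from that table, and newly added partners. `triageAudit` is a hypothetical helper, and the third sample entry is constructed.

```javascript
// Added example, not TrustGate code. Levels come from the Shareable Data table.
const REQUIRED_LEVEL = new Map(Object.entries({
  full_name: "Basic", date_of_birth: "Basic", nationality: "Basic",
  citizenship: "Basic", verification_status: "Basic", level: "Basic",
  screening_status: "Standard", pep_status: "Standard",
  verified_address: "Enhanced", country: "Enhanced",
  risk_score: "Enhanced", risk_level: "Enhanced",
}));
const RANK = { Basic: 0, Standard: 1, Enhanced: 2 };

// Hypothetical helper: report entries that widen what can be shared.
function triageAudit(entries, reviewAbove = "Basic") {
  const findings = [];
  for (const e of entries) {
    const flag = (field, issue) =>
      findings.push({ timestamp: e.timestamp, actor: e.actor, field, issue });
    for (const field of e.changes?.allowed_data?.added ?? []) {
      const level = REQUIRED_LEVEL.get(field);
      if (level === undefined) flag(field, "not a shareable field");
      else if (RANK[level] > RANK[reviewAbove]) flag(field, `${level} field added`);
    }
    if (e.action === "partner_added") flag(null, `partner added: ${e.partner}`);
  }
  // ISO 8601 UTC timestamps sort correctly as strings.
  return findings.sort((a, b) => a.timestamp.localeCompare(b.timestamp));
}

// First two entries are the response above; the third is constructed.
const sampleAudit = [
  { timestamp: "2025-01-20T14:00:00Z", action: "permission_updated",
    actor: "admin@company.com",
    changes: { allowed_data: { added: ["screening_status"], removed: [] } } },
  { timestamp: "2025-01-19T10:00:00Z", action: "partner_added",
    actor: "admin@company.com", partner: "org_partner_123" },
  { timestamp: "2025-01-21T09:00:00Z", action: "permission_updated",
    actor: "admin@company.com",
    changes: { allowed_data: { added: ["risk_score", "document_images"], removed: [] } } },
];

for (const f of triageAudit(sampleAudit)) console.log(f.timestamp, f.field, f.issue);
```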
User Privacy Controls
User Permission Dashboard
Users can manage their sharing preferences:
```javascript
// Web SDK
const privacyControls = TrustGate.PrivacyControls({
  applicantId: 'app_123'
});

privacyControls.render('#privacy-settings', {
  showConnectedApps: true,
  allowRevokeAccess: true,
  showDataShared: true
});
```
Revoke Previous Shares
```bash
curl -X POST https://api.bytrustgate.com/v1/reusable-kyc/revoke-access \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "applicant_id": "app_123",
    "organization_id": "org_456",
    "reason": "user_request"
  }'
```
Next Steps
- Access Tracking - Monitor data access
- Generating Tokens - Create sharing tokens
- About Reusable KYC - Overview