Consent for Data Consumers
How to use the consent solution for data consumers in Altinn 3
Introduction
This documentation describes how data consumers can request, retrieve, and manage consent using Altinn 3’s consent solution. Consent gives data consumers access to specific data resources for individuals or organizations, as defined by the API provider.
Glossary
- Data Consumer: The organization requesting access to data about an individual or another organization.
- Resource: A category of data defined by the actor providing the API in Altinn (e.g., income information, tax base).
Providers of Consent Solutions
Below are some key actors with consent solutions for Altinn 2. Most are expected to migrate to Altinn 3 during Q3 2025 or Q1 2026:
- Skatteetaten (Norwegian Tax Administration)
- Lånekassen (Norwegian State Educational Loan Fund)
Altinn itself offers APIs for requesting consent and retrieving the status of consent requests.
1. Request Consent
1.1 Prerequisites
- The data consumer must have a registered Maskinporten client.
- The data consumer must have been delegated the consent scope from Digdir.
- The necessary scopes must be added to the Maskinporten client.
- Access to request consent for the relevant resource(s) must be granted.
1.2 API Endpoint
- Test:
POST https://platform.tt02.altinn.no/accessmanagement/api/v1/enterprise/consentrequests/
- Production:
POST https://platform.altinn.no/accessmanagement/api/v1/enterprise/consentrequests/
Request (example)
{
  "id": "019743e8-cb17-7f9f-b690-fb1338003c23",
  "from": "urn:altinn:person:identifier-no:01025161013",
  "to": "urn:altinn:organization:identifier-no:810419512",
  "validTo": "2025-06-07T06:23:39.2925023+00:00",
  "consentRights": [
    {
      "action": ["read"],
      "resource": [{"type": "urn:altinn:resource", "value": "ttd_inntektsopplysninger"}],
      "metadata": {"INNTEKTSAAR": "2024"}
    }
  ],
  "requestMessage": {"en": "Please approve this consent request"},
  "redirectUrl": "https://www.dnb.no"
}
Response (example)
{
  "id": "019743e8-cb17-7f9f-b690-fb1338003c23",
  "from": "urn:altinn:person:identifier-no:01025161013",
  "to": "urn:altinn:organization:identifier-no:810419512",
  "validTo": "2025-06-07T06:23:39.292502+00:00",
  "consentRights": [
    {
      "action": ["read"],
      "resource": [{"type": "urn:altinn:resource", "value": "ttd_inntektsopplysninger"}],
      "metaData": {"INNTEKTSAAR": "2024"}
    }
  ],
  "consentRequestEvents": [
    {
      "consentEventID": "019743e9-128b-74fc-bb3a-49a3997d63ff",
      "created": "2025-06-06T06:23:57.298375+00:00",
      "performedBy": "urn:altinn:organization:identifier-no:810419512",
      "eventType": "Created",
      "consentRequestID": "019743e8-cb17-7f9f-b690-fb1338003c23"
    }
  ],
  "viewUri": "https://am.ui.localhost/accessmanagement/ui/consent/request?id=019743e8-cb17-7f9f-b690-fb1338003c23"
}
2. Retrieve Consent Token
In Altinn 3, the consent token is retrieved as part of the Maskinporten token. Specify the following in the JWT:
{
  "aud": "https://ver2.maskinporten.no/",
  "scope": "<scope>",
  "iss": "<client_id>",
  "exp": 1584693183,
  "iat": 1584693063,
  "jti": "<jti>",
  "type": "urn:altinn:consent",
  "id": "<consent_request_id>",
  "from": "urn:altinn:person:identifier-no:<pid>"
}
3. Consent on Behalf of Others
To create consent requests on behalf of other organizations, the scope must be delegated:
- The organization that will be the recipient delegates the necessary scope(s) in Altinn under API delegation.
- The request is created as described above.
- When retrieving the token, also specify consumer_org:
{
  "aud": "https://ver2.maskinporten.no/",
  "scope": "<scope>",
  "iss": "<client_id>",
  "exp": 1584693183,
  "iat": 1584693063,
  "jti": "<jti>",
  "type": "urn:altinn:consent",
  "id": "<consent_request_id>",
  "from": "urn:altinn:person:identifier-no:<pid>",
  "consumer_org": "<customer_orgnr>"
}
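The following is an added example, not code from Altinn or Maskinporten: it builds the grant claims from sections 2 and 3 out of a stored consent request, so that `id` and `from` always come from the same request and an expired request is rejected before a token is asked for. The function names, the `SAMPLE` record and the URN digit lengths are assumptions based on the sample values on this page.

```python
import re
import time
import uuid
from datetime import datetime

# Constructed sample: the fields this code reads from the page's example request.
SAMPLE = {
    "id": "019743e8-cb17-7f9f-b690-fb1338003c23",
    "from": "urn:altinn:person:identifier-no:01025161013",
    "validTo": "2025-06-07T06:23:39.2925023+00:00",
}
# Assumed URN shapes, taken from the page's samples (11-digit person, 9-digit org).
PARTY = re.compile(r"urn:altinn:(person:identifier-no:\d{11}|organization:identifier-no:\d{9})")

def parse_valid_to(value):
    """Parse validTo, trimming the fraction to 6 digits (the page's request has 7)."""
    parsed = datetime.fromisoformat(re.sub(r"\.(\d{6})\d+", r".\1", value))
    if parsed.tzinfo is None:
        raise ValueError("validTo must carry a UTC offset")
    return parsed

def build_consent_grant_claims(consent, client_id, scope, now=None,
                               consumer_org=None, lifetime=120):
    """Return the unsigned JWT grant claims for one consent request."""
    now = int(time.time()) if now is None else int(now)
    if not PARTY.fullmatch(consent["from"]):
        raise ValueError("'from' is not a person or organization URN")
    if str(uuid.UUID(consent["id"])) != consent["id"].lower():
        raise ValueError("'id' is not a canonical UUID")
    if parse_valid_to(consent["validTo"]).timestamp() <= now:
        raise ValueError("consent request is past validTo")
    claims = {
        "aud": "https://ver2.maskinporten.no/",
        "scope": scope,
        "iss": client_id,
        "exp": now + lifetime,  # 120 s matches exp - iat in the page's example
        "iat": now,
        "jti": str(uuid.uuid4()),  # unique per grant
        "type": "urn:altinn:consent",
        "id": consent["id"],
        "from": consent["from"],
    }
    if consumer_org is not None:  # section 3: acting on behalf of another organization
        if not re.fullmatch(r"\d{9}", consumer_org):
            raise ValueError("consumer_org must be a 9-digit organization number")
        claims["consumer_org"] = consumer_org
    return claims
```

The returned claims still have to be signed with the Maskinporten client's key before they are sent as the grant; that step is outside this example.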