
Candidate Sessions

Candidates are able to view and modify their personal info as stored in the ATS. These requests are authenticated by session tokens.

Candidates can securely view and manage their personal data through session-based authentication. This mechanism is designed to protect sensitive information while giving candidates full transparency and control over how their data is used.

In most cases, this functionality is fully handled by the platform and requires no additional work from regions or integration partners. However, the API also supports custom candidate-facing flows for regions that wish to build their own access portals.

Candidate self-service experience

Candidates have access to a dedicated user interface where they can:

  • View and update parts of their personal information

  • Manage their privacy consent

  • See which regions currently have access to their data

  • Request deletion of their personal information

This interface is available at: https://onderwijsin.nl/privacy-consent-aanpassen

All authentication, authorization, and session handling for this experience is managed by the system itself.

Session-based authentication

Candidate requests are authenticated using session tokens. These tokens represent a verified candidate session and are separate from region or admin API keys.

Session tokens are:

  • Issued only after successful identity verification

  • Scoped to the candidate

  • Used exclusively for candidate-facing endpoints

Regions do not need to manage or store these tokens unless they are building custom candidate-facing functionality.

Building a custom candidate access flow (optional)

Regions may choose to build their own “request access” or candidate portal experience. This is optional and intended for advanced integrations.

The flow works as follows:

  1. The candidate enters their email address in your custom UI.

  2. Your system calls the candidate email verification endpoint:

    • POST /auth/candidates/request-email-verification

  3. If the email address matches one or more candidates, the system sends a verification link to the candidate.

  4. After verification, the candidate is redirected to the official candidate environment, where a session is established.

At this point, the candidate can continue managing their data using the standard tools provided by the platform.
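The backend half of step 2, as an added example rather than code from the Onderwijsregio API or this guide. Only the endpoint path is taken from the flow above; the base URL, the `{"email": ...}` JSON body and the `Authorization: Bearer <region API key>` header are assumptions. The point it illustrates is that your own server makes the call, the region API key never reaches the candidate's browser, and the UI gets the same message whether or not the address matched a candidate.

```python
import json
import re
import urllib.request

# Assumptions (not in the API reference): base URL, the {"email": ...} JSON
# body and the Authorization header carrying the region API key. Only the
# endpoint path is taken from the guide.
BASE_URL = "https://api.example.invalid"  # placeholder
VERIFY_PATH = "/auth/candidates/request-email-verification"
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

NEUTRAL_MSG = "If this address is known to us, a verification link has been sent."


def build_verification_request(email, region_api_key, base_url=BASE_URL):
    """Validate the address and build the POST your backend sends.

    The region API key stays server-side; the browser never sees it.
    """
    if not _EMAIL_RE.match(email):
        raise ValueError("invalid email address")
    body = json.dumps({"email": email}).encode("utf-8")
    return urllib.request.Request(
        base_url + VERIFY_PATH, data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {region_api_key}"},  # assumed header
    )


def request_email_verification(email, region_api_key, send=urllib.request.urlopen):
    """Call the endpoint and return what the custom UI may show.

    The success message is the same whether or not the address matched a
    candidate, so the portal itself does not reveal which addresses exist.
    `send` is injectable so the flow can be exercised offline.
    """
    try:
        req = build_verification_request(email, region_api_key)
    except ValueError:
        return {"ok": False, "message": "Enter a valid email address."}
    try:
        with send(req) as resp:
            resp.read()  # any response body is not shown to the candidate
    except OSError:
        # Network/HTTP failure (URLError is an OSError): ask the candidate to retry.
        return {"ok": False, "message": "Verification is temporarily unavailable."}
    return {"ok": True, "message": NEUTRAL_MSG}
```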

What regions need to know

  • You do not need to implement candidate session handling to remain compliant.

  • Candidate privacy, consent management, and deletion requests are enforced centrally.

  • Custom candidate access flows are supported, but optional.

  • Session tokens are never interchangeable with API keys and must not be used for region-level operations.