Overview

Consent Storage

Consent records are stored by EcoStruxure Openness to demonstrate compliance with data protection regulations.

These records include what the user consented to, which ISV application they consented to, when they gave consent, and any relevant details about the consent process.

Consent records are stored in the EcoStruxure Openness secure database.

Consent Management

Managing consent is essential for maintaining compliance with data protection laws. The EcoStruxure Openness Consent Management Application provides a user interface for Data Owners to manage the consent they have granted to external ISV or third-party applications.

Consent Management features:

  1. A consolidated view of all authorized applications, with the scopes for which data owners have granted consent to access their customer data.
  2. Users can revoke consent that was previously granted.
  3. Users can view their consent history, both granted and revoked.
  4. The data owner is notified by email whenever consent is granted or revoked, either during the consent flow or while managing consents.

Log in to the consent management application at https://ecostruxure-openapi.se.com

View Authorized Applications

Users can view the list of ISV applications to which consent was previously granted.

[Screenshot: view-authorize]

Select the ISV application whose consent is to be revoked, then click the "Revoke Access" button.

[Screenshot: revoke-consent]

Users can view the list of revoked accesses by switching to the "Revoked Accesses" tab.

[Screenshot: view-consent-history]

ISVs and Partners

This guide is intended for ISV application developers looking to integrate with our platform. We employ OAuth2 Authorization Code Grant type to secure our APIs. This method ensures that customer data is not only safe but also only accessible after obtaining the customer's explicit consent through our consent management framework.

OAuth2 Authorization Code Grant

This OAuth2 flow involves several steps that require the customer to authenticate and authorize the third-party application (ISV) to access their data. This is crucial for ensuring data security and privacy.

Endpoints

  • Authorization Endpoint: https://api.exchange.se.com/ecostruxure/v1/oauth/authorize
  • Token Endpoint: https://api.exchange.se.com/ecostruxure/v1/oauth/token

Authorization Endpoint

  1. Method: GET
  2. Parameters:
    • client_id: Your application's client ID
    • response_type: Should be code
    • redirect_uri: The URL to which the authorization code will be sent
    • scope: The access level that you are requesting. Refer to API product documentation for supported scopes.

Example

GET https://api.exchange.se.com/ecostruxure/v1/oauth/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI&scope=read_user_data

Token Endpoint

  1. Method: POST
  2. Parameters:
    • client_id: Your application's client ID
    • client_secret: Your application's client secret
    • grant_type: Should be authorization_code
    • code: The authorization code received
    • redirect_uri: Same as used in Authorization Endpoint

Example

POST https://api.exchange.se.com/ecostruxure/v1/oauth/token

{
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "grant_type": "authorization_code",
  "code": "AUTHORIZATION_CODE",
  "redirect_uri": "YOUR_REDIRECT_URI"
}

Token Response

Upon successful authorization, the Token Endpoint will return a JSON object containing:

  • access_token: The token to be used for API access
  • expires_in: The lifetime of the access token, in seconds
  • refresh_token: Token used to obtain a new access token
  • scope: Scopes granted

Example

{
  "access_token": "YOUR_ACCESS_TOKEN",
  "expires_in": 3600,
  "refresh_token": "YOUR_REFRESH_TOKEN",
  "scope": "read_user_data"
}

Refresh Token Flow

You can use the refresh token to obtain a new access token once the original access token has expired.

Example

POST https://api.exchange.se.com/ecostruxure/v1/oauth/token

{
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "grant_type": "refresh_token",
  "refresh_token": "YOUR_REFRESH_TOKEN"
}

Offline Access Scope

If you require long-lived refresh tokens, request the offline_access scope during the initial authorization. This will provide you with a refresh token that has an extended lifetime.

Getting Started

  1. Redirect the customer to our Authorization Endpoint.
  2. Customer logs in and gives consent.
  3. Authorization code is sent to your redirect_uri.
  4. Exchange the authorization code for an access token using the Token Endpoint.

We maintain a record of the consents given by customers, allowing for more granular control over data access. Customers can revoke access at any time.

Customers have the option to revoke consent through our platform. Once consent is revoked, previously issued access and refresh tokens are invalidated, and the ISV application must re-initiate the authorization process for further access.
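A minimal client for the four-step flow, the refresh flow and the revocation case described above, written as an added example (not Schneider Electric's SDK). It assumes the authorization endpoint echoes back a standard OAuth2 state parameter, and the post callable stands in for whatever HTTP client you use.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://api.exchange.se.com/ecostruxure/v1/oauth/authorize"
TOKEN_URL = "https://api.exchange.se.com/ecostruxure/v1/oauth/token"

def new_state():  # unpredictable per-login CSRF token (RFC 6749 s10.12); endpoint support assumed
    return secrets.token_urlsafe(16)

def build_authorize_url(client_id, redirect_uri, scopes, state):
    # Step 1: redirect the customer here; add 'offline_access' to scopes for a long-lived refresh token.
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    # Step 3: the code arrives on redirect_uri; accept it only if our state matches.
    q = parse_qs(urlsplit(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not issued for this login")
    return q["code"][0]

def token_request(client_id, client_secret, redirect_uri=None, code=None, refresh_token=None):
    # Step 4 (grant_type=authorization_code) or the refresh flow; JSON bodies as on the page.
    body = {"client_id": client_id, "client_secret": client_secret}
    if code is not None:
        body.update(grant_type="authorization_code", code=code, redirect_uri=redirect_uri)
    else:
        body.update(grant_type="refresh_token", refresh_token=refresh_token)
    return body

class TokenSet:
    def __init__(self, resp, now):
        self.access_token = resp["access_token"]
        self.refresh_token = resp.get("refresh_token")
        self.scope = resp.get("scope", "")
        self.expires_at = now + int(resp["expires_in"])  # expires_in is a lifetime in seconds
    def needs_refresh(self, now, skew=60):
        return now >= self.expires_at - skew

def ensure_access_token(tokens, now, post, client_id, client_secret):
    # Refresh near expiry. None means the refresh was rejected (e.g. the customer revoked
    # consent, invalidating both tokens) and the app must restart from build_authorize_url.
    if not tokens.needs_refresh(now):
        return tokens
    req = token_request(client_id, client_secret, refresh_token=tokens.refresh_token)
    status, resp = post(TOKEN_URL, req)  # caller-supplied post(url, json_body) -> (status, dict)
    if status != 200 or "access_token" not in resp:
        return None
    return TokenSet(resp, now)
```

Persist the state value server-side per login session so parse_callback can reject a code that was not issued for that session.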

Customers

Our commitment to privacy and data protection includes giving our customers complete control over their data. This guide outlines how our consent management system empowers customers to manage data-sharing permissions with third-party applications (ISVs).

How the System Works

When a third-party application (ISV) requests access to a customer's data, the customer is redirected to our secure consent page. This page provides explicit details about the data the application is requesting access to, and what it intends to do with that data. The customer can choose to accept or deny this request.

Customer Control Dashboard

Customers have access to a 'Consent Dashboard' within our platform. This dashboard provides a comprehensive list of all the third-party applications that have been granted consent to access their data. Features of the dashboard allow customers to:

  • View the scope of each granted consent
  • Revoke consent at their discretion

Procedure for Granting Consent

  1. Customers are redirected to the consent page.
  2. They review the request for data access.
  3. They click on "Approve" to grant access or "Deny" to refuse.
  4. A confirmation notice is emailed, and the third-party application is notified accordingly.

Procedure for Viewing Consents

  1. Customers log into the consent management application at https://ecostruxure-openapi.se.com/
  2. A list of all ISV apps with active granted consents is displayed.
  3. Customers can view historic data by going to the "Revoked Consent" tab.

Procedure for Revoking Consents

  1. Customers log into the consent management application at https://ecostruxure-openapi.se.com/
  2. They locate the ISV whose consent they wish to revoke.
  3. They click on the "Revoke Access" button.
  4. A confirmation dialog is shown; customers click "Proceed" to confirm the revocation.