Je hebt Javascript nodig om deze website te kunnen gebruiken. Pas je browserinstellingen in om verder te gaan!
Authentication

Candidate sessions

Learn how candidates securely access their own ATS data and when to use the optional candidate session flow.

Candidates can view and update personal information stored in the ATS. These requests use session-token authentication.

Candidates can securely view and manage their personal data through session-based authentication. This mechanism is designed to protect sensitive information while giving candidates full transparency and control over how their data is used.

In most cases, this functionality is fully handled by the platform and requires no additional work from regions or integration partners. However, the API also supports custom candidate-facing flows for regions that wish to build their own access portals.

Candidate self-service experience

Candidates have access to a dedicated user interface where they can:

  • View and update parts of their personal information.
  • Manage privacy consent.
  • See which regions can access their data.
  • Request deletion of their personal information.

This interface is available at: https://onderwijsin.nl/privacy-consent-aanpassen

All authentication, authorization, and session handling for this experience is managed by the system itself.

Session-based authentication

Candidate requests are authenticated using session tokens. These tokens represent a verified candidate session and are separate from region or admin API keys.

Session tokens are:

  • Issued only after successful identity verification.
  • Scoped to one candidate.
  • Used exclusively for candidate-facing endpoints.

Regions do not need to manage or store these tokens unless they are building custom candidate-facing functionality.

Building a custom candidate access flow (optional)

Regions may choose to build their own “request access” or candidate portal experience. This is optional and intended for advanced integrations.

The flow works as follows:

Collect the candidate’s email address

Ask for the candidate’s email address in your custom interface.

Request email verification

Call POST /auth/candidates/request-email-verification from your system.

Let the candidate verify access

When the email matches one or more candidates, the system sends a verification link.

Continue in the official environment

After verification, the candidate is redirected to the official candidate environment and a session is established.

At this point, the candidate can continue managing their data using the standard tools provided by the platform.

What regions need to know

  • You do not need to implement candidate session handling to remain compliant.
  • Candidate privacy, consent management, and deletion requests are enforced centrally.
  • Custom candidate access flows are supported, but optional.
  • Session tokens are never interchangeable with API keys and must not be used for region-level operations.

Keep in touch with the latest

Sign up for our monthly deep dives - straight to your inbox.