Digital Iceland

Web services policy

Authentication and access control

Access control for web services can be implemented in many ways. The right choice depends mainly on how systems will call the web services and on the nature of the data the web service returns.

  • If the web service only requires machine-to-machine authentication, X-Road is a very good solution. If X-Road is the only access control for the web service, communication should be encrypted end to end with HTTPS and Mutual TLS (mTLS).

  • Another option is to implement system authentication with access tokens. The calling system authenticates to a central authentication server with its client credentials and receives an access token, which it then sends with its requests to the web service. The Island.is Authentication system supports system authentication.

  • If the web service is also intended to identify end users, e.g. to manage access to sensitive information, it is best to use access tokens from the Island.is Authentication system. In this way, queries can be traced back to end users who are truly authorized with electronic identification. This form of access control also offers delegation (parents, power of attorney, etc.) and consent.

We recommend using both access tokens and X-Road to protect web services.
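The two layers recommended above, seen from the service provider's side, as an added example that is not Digital Iceland's own code. It assumes the caller's identity arrives in the `X-Road-Client` header used by X-Road's REST message protocol and that the access token is a signed JWT; the HS256 key, audience, scope and client identifier are constructed stand-ins, and a real service would verify the token against the authentication server's published keys.

```python
import base64, hashlib, hmac, json, time

# All identifiers and keys below are constructed for this example.
SECRET = b"demo-signing-key"             # stand-in for the issuer's signing key
AUDIENCE = "example-api"                 # hypothetical API identifier
REQUIRED_SCOPE = "example-api:read"      # hypothetical scope
ALLOWED_XROAD_CLIENTS = {"IS-DEV/GOV/10000/Example-Client"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes = SECRET) -> str:
    """Issue a demo HS256 JWT, standing in for the authentication server."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def authorize(headers: dict, now=None) -> tuple:
    """Return (allowed, reason). Both layers must pass."""
    now = time.time() if now is None else now
    # Layer 1: the calling system, as identified by X-Road.
    if headers.get("X-Road-Client") not in ALLOWED_XROAD_CLIENTS:
        return False, "unknown X-Road client"
    # Layer 2: the bearer access token (system or end-user identity).
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return False, "missing bearer token"
    head, body, sig = token.split(".")
    try:
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return False, "unexpected algorithm"
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
        if claims.get("exp", 0) <= now:
            return False, "token expired"
        if claims.get("aud") != AUDIENCE:
            return False, "wrong audience"
        if REQUIRED_SCOPE not in claims.get("scope", "").split():
            return False, "missing scope"
        return True, f"client={claims.get('client_id')} user={claims.get('sub')}"
    except (ValueError, AttributeError, TypeError):
        return False, "malformed token"
```

The returned reason string names the client and end user, which is the traceability the token-based option is meant to provide.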

Access to Web Services

To access web services in X-Road, you must contact the owner of the web service.

Access to web services is managed through an X-Road admin system. The owner of a web service manages access to their own web services and decides which other organizations or companies are given access. Note that to exchange data through X-Road, both parties, the provider of the data and the consumer of the data, need to have an X-Road security server set up.