Policy Recipes
Policies are the access control layer in Docyard. A policy (or “recipe”) defines who can retrieve which artifacts, under what conditions. This guide covers the full policy lifecycle with examples for each stakeholder persona.
The Four Persona Recipes
1. Mortgagee — Bulk API with Passphrase + mTLS
Mortgage lenders retrieve declaration pages in bulk, authenticating with a shared passphrase and mutual TLS certificate.
Insurance:
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{
"name": "Mortgagee Bulk API Access",
"recipe": "{\"stakeholderClass\":\"mortgagee\",\"artifactTypes\":[\"declaration-page\",\"certificate-of-insurance\",\"endorsement\"],\"auth\":{\"factors\":[\"shared_passphrase\",\"tls_certificate\"],\"tls\":{\"require_mutual\":true,\"min_version\":\"1.2\"}},\"access\":{\"method\":\"bulk_api\",\"max_batch_size\":10000},\"match\":{\"identifiers\":[\"lender_id\",\"policy_number\"]}}"
}'
Key characteristics:
- Factors: Shared passphrase (via Secrets API) + mutual TLS certificate
- Access: Bulk retrieval API — up to 10,000 documents per job
- Matching: Lender ID + policy number determine which artifacts are visible
- No expiration: Active until manually revoked or passphrase expires
Real Estate:
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{
"name": "Lender Bulk API Access",
"recipe": "{\"stakeholderClass\":\"mortgagee\",\"artifactTypes\":[\"title-commitment\",\"closing-disclosure\",\"deed-of-trust\",\"settlement-statement\"],\"auth\":{\"factors\":[\"shared_passphrase\",\"tls_certificate\"],\"tls\":{\"require_mutual\":true,\"min_version\":\"1.2\"}},\"access\":{\"method\":\"bulk_api\",\"max_batch_size\":10000},\"match\":{\"identifiers\":[\"lender_id\",\"file_number\"]}}"
}'
Key characteristics:
- Factors: Shared passphrase (via Secrets API) + mutual TLS certificate
- Access: Bulk retrieval API — up to 10,000 documents per job
- Matching: Lender ID + file number determine which artifacts are visible
- No expiration: Active until manually revoked or passphrase expires
Healthcare:
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{
"name": "Payer Bulk Claims Access",
"recipe": "{\"stakeholderClass\":\"mortgagee\",\"artifactTypes\":[\"explanation-of-benefits\",\"claim-summary\",\"pre-authorization\"],\"auth\":{\"factors\":[\"shared_passphrase\",\"tls_certificate\"],\"tls\":{\"require_mutual\":true,\"min_version\":\"1.2\"}},\"access\":{\"method\":\"bulk_api\",\"max_batch_size\":5000},\"match\":{\"identifiers\":[\"payer_id\",\"member_id\"]}}"
}'
Key characteristics:
- Factors: Shared passphrase (via Secrets API) + mutual TLS certificate
- Access: Bulk retrieval API — up to 5,000 documents per job
- Matching: Payer ID + member ID determine which artifacts are visible
- No expiration: Active until manually revoked or passphrase expires
Financial Services:
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{
"name": "Investor Bulk Loan Doc Access",
"recipe": "{\"stakeholderClass\":\"mortgagee\",\"artifactTypes\":[\"promissory-note\",\"closing-disclosure\",\"appraisal\",\"underwriting-decision\"],\"auth\":{\"factors\":[\"shared_passphrase\",\"tls_certificate\"],\"tls\":{\"require_mutual\":true,\"min_version\":\"1.2\"}},\"access\":{\"method\":\"bulk_api\",\"max_batch_size\":10000},\"match\":{\"identifiers\":[\"investor_id\",\"loan_number\"]}}"
}'
Key characteristics:
- Factors: Shared passphrase (via Secrets API) + mutual TLS certificate
- Access: Bulk retrieval API — up to 10,000 documents per job
- Matching: Investor ID + loan number determine which artifacts are visible
- No expiration: Active until manually revoked or passphrase expires
2. Agent — Portal + Bulk Download with WebAuthn
Insurance agents access client documents through the branded portal or bulk download, authenticated with a FIDO2 security key or biometric.
Insurance:
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{
"name": "Agent Portal & Download Access",
"recipe": "{\"stakeholderClass\":\"agent\",\"artifactTypes\":[\"declaration-page\",\"policy-packet\",\"endorsement\",\"renewal-notice\"],\"auth\":{\"factors\":[\"webauthn\"],\"webauthn\":{\"challenge_type\":\"platform_or_cross_platform\"}},\"access\":{\"method\":[\"portal\",\"bulk_download\"]},\"match\":{\"identifiers\":[\"agency_code\",\"policy_number\"]}}"
}'
Key characteristics:
- Factor: WebAuthn challenge (FIDO2 security key or platform biometric)
- Access: Portal for single lookups, bulk download for client batches
- Matching: Agency code + policy number scope which documents are visible
- WebAuthn types: Platform authenticator (Touch ID, Windows Hello) or cross-platform (YubiKey)
Real Estate:
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{
"name": "Title Agent Portal & Download",
"recipe": "{\"stakeholderClass\":\"agent\",\"artifactTypes\":[\"title-commitment\",\"closing-disclosure\",\"deed-of-trust\",\"settlement-statement\",\"escrow-instructions\",\"title-search\"],\"auth\":{\"factors\":[\"webauthn\"],\"webauthn\":{\"challenge_type\":\"platform_or_cross_platform\"}},\"access\":{\"method\":[\"portal\",\"bulk_download\"]},\"match\":{\"identifiers\":[\"agent_license\",\"file_number\"]}}"
}'
Key characteristics:
- Factor: WebAuthn challenge (FIDO2 security key or platform biometric)
- Access: Portal for single lookups, bulk download for client batches
- Matching: Agent license + file number scope which documents are visible
- WebAuthn types: Platform authenticator (Touch ID, Windows Hello) or cross-platform (YubiKey)
Healthcare:
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{
"name": "Provider Portal & Download",
"recipe": "{\"stakeholderClass\":\"agent\",\"artifactTypes\":[\"lab-results\",\"imaging-report\",\"referral-letter\",\"discharge-summary\",\"visit-summary\"],\"auth\":{\"factors\":[\"webauthn\"],\"webauthn\":{\"challenge_type\":\"platform_or_cross_platform\"}},\"access\":{\"method\":[\"portal\",\"bulk_download\"]},\"match\":{\"identifiers\":[\"npi_number\",\"member_id\"]}}"
}'
Key characteristics:
- Factor: WebAuthn challenge (FIDO2 security key or platform biometric)
- Access: Portal for single lookups, bulk download for client batches
- Matching: NPI number + member ID scope which documents are visible
- WebAuthn types: Platform authenticator (Touch ID, Windows Hello) or cross-platform (YubiKey)
Financial Services:
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{
"name": "Loan Officer Portal & Download",
"recipe": "{\"stakeholderClass\":\"agent\",\"artifactTypes\":[\"loan-estimate\",\"closing-disclosure\",\"application-packet\",\"rate-lock\",\"underwriting-decision\",\"appraisal\"],\"auth\":{\"factors\":[\"webauthn\"],\"webauthn\":{\"challenge_type\":\"platform_or_cross_platform\"}},\"access\":{\"method\":[\"portal\",\"bulk_download\"]},\"match\":{\"identifiers\":[\"nmls_id\",\"loan_number\"]}}"
}'
Key characteristics:
- Factor: WebAuthn challenge (FIDO2 security key or platform biometric)
- Access: Portal for single lookups, bulk download for client batches
- Matching: NMLS ID + loan number scope which documents are visible
- WebAuthn types: Platform authenticator (Touch ID, Windows Hello) or cross-platform (YubiKey)
3. Policyholder — Single Retrieval with SMS OTP
Insured individuals retrieve their own documents through the self-service portal after verifying identity with date of birth and a one-time SMS code.
Insurance:
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{
"name": "Policyholder Self-Service",
"recipe": "{\"stakeholderClass\":\"policyholder\",\"artifactTypes\":[\"declaration-page\",\"id-card\",\"renewal-notice\"],\"auth\":{\"factors\":[\"sms_otp\"],\"otp\":{\"delivery\":\"sms\",\"code_length\":6,\"ttl_seconds\":300}},\"access\":{\"method\":\"portal\",\"max_concurrent_downloads\":1},\"match\":{\"identifiers\":[\"email\",\"date_of_birth\",\"policy_number\"]}}"
}'
Key characteristics:
- Factors: Email + date of birth verification, then 6-digit SMS OTP
- Access: Portal only — single document retrieval at a time
- Matching: Email + DOB + policy number ensure the policyholder sees only their own documents
- OTP TTL: 5 minutes (300 seconds) before the code expires
Real Estate:
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{
"name": "Buyer Self-Service",
"recipe": "{\"stakeholderClass\":\"policyholder\",\"artifactTypes\":[\"closing-disclosure\",\"deed\",\"settlement-statement\",\"title-policy\"],\"auth\":{\"factors\":[\"sms_otp\"],\"otp\":{\"delivery\":\"sms\",\"code_length\":6,\"ttl_seconds\":300}},\"access\":{\"method\":\"portal\",\"max_concurrent_downloads\":1},\"match\":{\"identifiers\":[\"email\",\"date_of_birth\",\"file_number\"]}}"
}'
Key characteristics:
- Factors: Email + date of birth verification, then 6-digit SMS OTP
- Access: Portal only — single document retrieval at a time
- Matching: Email + DOB + file number ensure the buyer sees only their own documents
- OTP TTL: 5 minutes (300 seconds) before the code expires
Healthcare:
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{
"name": "Patient Self-Service",
"recipe": "{\"stakeholderClass\":\"policyholder\",\"artifactTypes\":[\"explanation-of-benefits\",\"lab-results\",\"visit-summary\",\"immunization-record\",\"discharge-summary\"],\"auth\":{\"factors\":[\"sms_otp\"],\"otp\":{\"delivery\":\"sms\",\"code_length\":6,\"ttl_seconds\":300}},\"access\":{\"method\":\"portal\",\"max_concurrent_downloads\":1},\"match\":{\"identifiers\":[\"email\",\"date_of_birth\",\"member_id\"]}}"
}'
Key characteristics:
- Factors: Email + date of birth verification, then 6-digit SMS OTP
- Access: Portal only — single document retrieval at a time
- Matching: Email + DOB + member ID ensure the patient sees only their own documents
- OTP TTL: 5 minutes (300 seconds) before the code expires
Financial Services:
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{
"name": "Borrower Self-Service",
"recipe": "{\"stakeholderClass\":\"policyholder\",\"artifactTypes\":[\"loan-estimate\",\"closing-disclosure\",\"promissory-note\",\"payment-schedule\"],\"auth\":{\"factors\":[\"sms_otp\"],\"otp\":{\"delivery\":\"sms\",\"code_length\":6,\"ttl_seconds\":300}},\"access\":{\"method\":\"portal\",\"max_concurrent_downloads\":1},\"match\":{\"identifiers\":[\"email\",\"date_of_birth\",\"loan_number\"]}}"
}'
Key characteristics:
- Factors: Email + date of birth verification, then 6-digit SMS OTP
- Access: Portal only — single document retrieval at a time
- Matching: Email + DOB + loan number ensure the borrower sees only their own documents
- OTP TTL: 5 minutes (300 seconds) before the code expires
4. Auditor — Time-Boxed Read-Only with Badge + NDA
External auditors get temporary access that automatically expires. The NDA hash validates that the correct non-disclosure agreement is on file.
Insurance:
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{
"name": "Q1 2025 External Audit — Deloitte",
"recipe": "{\"stakeholderClass\":\"auditor\",\"artifactTypes\":[\"*\"],\"auth\":{\"factors\":[\"badge_id\",\"nda_hash\"],\"nda\":{\"hash_algorithm\":\"sha256\",\"require_match\":true}},\"access\":{\"method\":\"portal\",\"read_only\":true,\"download_enabled\":false},\"match\":{\"identifiers\":[\"badge_id\",\"nda_hash\"]},\"constraints\":{\"time_window\":{\"start\":\"2025-01-15T00:00:00Z\",\"end\":\"2025-02-15T00:00:00Z\"},\"auto_expire\":true}}"
}'
Key characteristics:
- Factors: Badge ID + SHA-256 hash of signed NDA document
- Access: Portal only — read-only, downloads disabled
- Matching: Badge ID + NDA hash must both validate
- Time window: Auto-expires on end date — no manual revocation needed
- Artifact scope: * — auditor can view all artifact types (within the policy’s time window)
Real Estate:
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{
"name": "Q1 2025 RESPA/TRID Compliance Audit — KPMG",
"recipe": "{\"stakeholderClass\":\"auditor\",\"artifactTypes\":[\"*\"],\"auth\":{\"factors\":[\"badge_id\",\"nda_hash\"],\"nda\":{\"hash_algorithm\":\"sha256\",\"require_match\":true}},\"access\":{\"method\":\"portal\",\"read_only\":true,\"download_enabled\":false},\"match\":{\"identifiers\":[\"badge_id\",\"nda_hash\"]},\"constraints\":{\"time_window\":{\"start\":\"2025-01-15T00:00:00Z\",\"end\":\"2025-02-15T00:00:00Z\"},\"auto_expire\":true}}"
}'
Key characteristics:
- Factors: Badge ID + SHA-256 hash of signed NDA document
- Access: Portal only — read-only, downloads disabled
- Matching: Badge ID + NDA hash must both validate
- Time window: Auto-expires on end date — no manual revocation needed
- Artifact scope: * — auditor can view all artifact types (within the policy’s time window)
Healthcare:
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{
"name": "HHS OIG Investigation — 2025",
"recipe": "{\"stakeholderClass\":\"auditor\",\"artifactTypes\":[\"*\"],\"auth\":{\"factors\":[\"badge_id\",\"nda_hash\"],\"nda\":{\"hash_algorithm\":\"sha256\",\"require_match\":true}},\"access\":{\"method\":\"portal\",\"read_only\":true,\"download_enabled\":false},\"match\":{\"identifiers\":[\"badge_id\",\"nda_hash\"]},\"constraints\":{\"time_window\":{\"start\":\"2025-01-15T00:00:00Z\",\"end\":\"2025-02-15T00:00:00Z\"},\"auto_expire\":true}}"
}'
Key characteristics:
- Factors: Badge ID + SHA-256 hash of signed NDA document
- Access: Portal only — read-only, downloads disabled
- Matching: Badge ID + NDA hash must both validate
- Time window: Auto-expires on end date — no manual revocation needed
- Artifact scope: * — auditor can view all artifact types (within the policy’s time window)
Financial Services:
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{
"name": "OCC Regulatory Examination — Q1 2025",
"recipe": "{\"stakeholderClass\":\"auditor\",\"artifactTypes\":[\"*\"],\"auth\":{\"factors\":[\"badge_id\",\"nda_hash\"],\"nda\":{\"hash_algorithm\":\"sha256\",\"require_match\":true}},\"access\":{\"method\":\"portal\",\"read_only\":true,\"download_enabled\":false},\"match\":{\"identifiers\":[\"badge_id\",\"nda_hash\"]},\"constraints\":{\"time_window\":{\"start\":\"2025-01-15T00:00:00Z\",\"end\":\"2025-02-15T00:00:00Z\"},\"auto_expire\":true}}"
}'
Key characteristics:
- Factors: Badge ID + SHA-256 hash of signed NDA document
- Access: Portal only — read-only, downloads disabled
- Matching: Badge ID + NDA hash must both validate
- Time window: Auto-expires on end date — no manual revocation needed
- Artifact scope: * — auditor can view all artifact types (within the policy’s time window)
Auditor download_enabled: false prevents local copies of documents. If the audit engagement requires downloads, set it to true and reduce the time window accordingly.
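A pre-submit check for the recipes above, written for this guide as an added example (it is not Docyard code or part of the Docyard API). It builds the request body by encoding the recipe programmatically instead of hand-escaping it, and flags settings that loosen the controls the recipes rely on. The 14-day download limit and the finding texts are assumptions; field names are the ones used in the recipes on this page.

```python
import copy
import json
from datetime import datetime, timedelta

# Assumption (not a Docyard limit): longest audit window accepted with downloads on.
MAX_DOWNLOAD_WINDOW = timedelta(days=14)

def parse_ts(value):
    # Recipes on this page use ISO 8601 timestamps with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def policy_body(name, recipe):
    # "recipe" travels as a JSON string inside the JSON body, so encode it twice.
    return json.dumps({"name": name, "recipe": json.dumps(recipe)})

def lint_recipe(recipe_json):
    """Return a list of findings for one string-encoded recipe ([] means clean)."""
    r = json.loads(recipe_json)
    auth, access = r.get("auth", {}), r.get("access", {})
    factors = auth.get("factors", [])
    findings = []
    if "tls_certificate" in factors:
        tls = auth.get("tls", {})
        if tls.get("require_mutual") is not True:
            findings.append("tls_certificate factor without tls.require_mutual=true")
        if "min_version" not in tls:
            findings.append("tls.min_version is not pinned")
    if "sms_otp" in factors:
        otp = auth.get("otp", {})
        # Baseline taken from the policyholder recipes: 6 digits, 300 seconds.
        if otp.get("code_length", 0) < 6 or otp.get("ttl_seconds", 10**9) > 300:
            findings.append("OTP weaker than 6 digits / 300 s")
    if "*" in r.get("artifactTypes", []) and access.get("read_only") is not True:
        findings.append("wildcard artifactTypes without access.read_only=true")
    if r.get("stakeholderClass") == "auditor":
        cons = r.get("constraints", {})
        window = cons.get("time_window")
        if cons.get("auto_expire") is not True:
            findings.append("auditor recipe without constraints.auto_expire=true")
        if not window:
            findings.append("auditor recipe without constraints.time_window")
        else:
            span = parse_ts(window["end"]) - parse_ts(window["start"])
            if span <= timedelta(0):
                findings.append("time_window.end is not after time_window.start")
            if access.get("download_enabled") and span > MAX_DOWNLOAD_WINDOW:
                findings.append(f"downloads enabled for {span.days} days")
    return findings

# The auditor recipe from this page, as a dict.
AUDITOR = {
    "stakeholderClass": "auditor", "artifactTypes": ["*"],
    "auth": {"factors": ["badge_id", "nda_hash"],
             "nda": {"hash_algorithm": "sha256", "require_match": True}},
    "access": {"method": "portal", "read_only": True, "download_enabled": False},
    "match": {"identifiers": ["badge_id", "nda_hash"]},
    "constraints": {"time_window": {"start": "2025-01-15T00:00:00Z",
                                    "end": "2025-02-15T00:00:00Z"},
                    "auto_expire": True},
}

# Constructed variant: downloads switched on, window left at 31 days, expiry off.
WEAKENED = copy.deepcopy(AUDITOR)
WEAKENED["access"]["download_enabled"] = True
WEAKENED["constraints"]["auto_expire"] = False

if __name__ == "__main__":
    for label, recipe in (("page recipe", AUDITOR), ("weakened", WEAKENED)):
        print(label, lint_recipe(json.dumps(recipe)))
```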
Using Templates
Start from a pre-built template instead of writing recipes from scratch:
# List available templates
curl https://api.docyard.io/v1/policy-templates \
-H "Authorization: Bearer dk_live_a1b2c3d4..."
[
{ "id": "tmpl_mortgagee_bulk_api", "name": "Mortgagee Bulk API Access", "stakeholderClass": "mortgagee" },
{ "id": "tmpl_agent_portal", "name": "Agent Portal & Download", "stakeholderClass": "agent" },
{ "id": "tmpl_policyholder_self_service", "name": "Policyholder Self-Service", "stakeholderClass": "policyholder" },
{ "id": "tmpl_auditor_time_boxed", "name": "Auditor Time-Boxed Access", "stakeholderClass": "auditor" }
]
Create a policy from a template and customize:
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies/from-template \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{
"templateId": "tmpl_mortgagee_bulk_api",
"name": "Mortgagee Access — Custom"
}'
Version Control
Every change creates a new immutable version:
# Update the mortgagee recipe to add binder access
curl -X PATCH https://api.docyard.io/v1/docks/dock_01HQ3K.../policies/pol_01HQ3P... \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{
"recipe": "{\"stakeholderClass\":\"mortgagee\",\"artifactTypes\":[\"declaration-page\",\"certificate-of-insurance\",\"endorsement\",\"binder\"],\"auth\":{\"factors\":[\"shared_passphrase\",\"tls_certificate\"],\"tls\":{\"require_mutual\":true}},\"access\":{\"method\":\"bulk_api\",\"max_batch_size\":10000},\"match\":{\"identifiers\":[\"lender_id\",\"policy_number\"]}}"
}'
# Create an explicit version with changelog
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies/pol_01HQ3P.../versions \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{ "changelog": "Added binder to authorized artifact types for mortgagee access" }'
Browse version history:
curl https://api.docyard.io/v1/docks/dock_01HQ3K.../policies/pol_01HQ3P.../versions \
-H "Authorization: Bearer dk_live_a1b2c3d4..."
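Because each update carries the whole recipe, a field left out of the new string is a change too. The following added example (not Docyard code) diffs two recipe versions and labels the differences. It is run on the original mortgagee recipe and the updated one from this section, where it reports the new binder type and the tls.min_version key that the update no longer carries. The severity labels and the choice of auth.* and constraints.* as guarded paths are assumptions.

```python
import json

MISSING = object()

def flatten(obj, prefix=""):
    """Flatten nested dicts to dotted paths; lists stay as leaf values."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out

def diff_recipes(old_json, new_json):
    """Return (severity, path, detail) tuples; severity is weakens, widens or other."""
    old, new = flatten(json.loads(old_json)), flatten(json.loads(new_json))
    out = []
    for path in sorted(old.keys() | new.keys()):
        a, b = old.get(path, MISSING), new.get(path, MISSING)
        if a == b:
            continue
        # Assumption: anything under auth.* or constraints.* is a control.
        guarded = path.startswith(("auth.", "constraints."))
        if b is MISSING:
            out.append(("weakens" if guarded else "other", path, f"removed (was {a!r})"))
        elif a is MISSING:
            out.append(("other", path, f"added {b!r}"))
        elif isinstance(a, list) and isinstance(b, list):
            added = [x for x in b if x not in a]
            removed = [x for x in a if x not in b]
            if removed:
                out.append(("weakens" if guarded else "other", path, f"removed {removed}"))
            if added:
                widens = path in ("artifactTypes", "access.method")
                out.append(("widens" if widens else "other", path, f"added {added}"))
        else:
            widens = path == "access.max_batch_size" and b > a
            out.append(("widens" if widens else "other", path, f"{a!r} -> {b!r}"))
    return out

# Both recipes are taken from this page (insurance mortgagee, before and after the PATCH).
OLD = json.dumps({
    "stakeholderClass": "mortgagee",
    "artifactTypes": ["declaration-page", "certificate-of-insurance", "endorsement"],
    "auth": {"factors": ["shared_passphrase", "tls_certificate"],
             "tls": {"require_mutual": True, "min_version": "1.2"}},
    "access": {"method": "bulk_api", "max_batch_size": 10000},
    "match": {"identifiers": ["lender_id", "policy_number"]},
})
NEW = json.dumps({
    "stakeholderClass": "mortgagee",
    "artifactTypes": ["declaration-page", "certificate-of-insurance", "endorsement", "binder"],
    "auth": {"factors": ["shared_passphrase", "tls_certificate"],
             "tls": {"require_mutual": True}},
    "access": {"method": "bulk_api", "max_batch_size": 10000},
    "match": {"identifiers": ["lender_id", "policy_number"]},
})

if __name__ == "__main__":
    for severity, path, detail in diff_recipes(OLD, NEW):
        print(f"{severity:8} {path}: {detail}")
```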
Simulation
Before publishing, simulate the impact on each persona:
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies/pol_01HQ3P.../simulate \
-H "Authorization: Bearer dk_live_a1b2c3d4..."
{
"policyId": "pol_01HQ3P...",
"policyName": "Mortgagee Bulk API Access",
"totalRecipients": 127,
"compliant": 118,
"nonCompliant": 9,
"breakdown": [
{
"factorCount": 2,
"combination": ["shared_passphrase", "tls_certificate"],
"recipients": 118,
"missingFactors": []
},
{
"factorCount": 1,
"combination": ["shared_passphrase"],
"recipients": 6,
"missingFactors": ["tls_certificate"]
},
{
"factorCount": 0,
"combination": [],
"recipients": 3,
"missingFactors": ["shared_passphrase", "tls_certificate"]
}
],
"recommendations": [
"6 mortgagees have a passphrase but no TLS certificate configured. Provide mTLS onboarding instructions.",
"3 mortgagees have no authentication factors. Generate passphrases and distribute TLS certificates before publishing."
]
}
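One way to turn the simulation response into a publish decision, as an added example that is not Docyard code. It checks that the counts in the response agree with each other, tallies how many recipients lack each factor, and applies an assumed rule: a pilot may proceed with non-compliant recipients, production may not.

```python
import json
from collections import Counter

def publish_gate(sim, stage):
    """Return (allowed, reasons, missing_by_factor) for a simulation response."""
    rows = sim["breakdown"]
    total = sim["totalRecipients"]
    reasons = []

    # Consistency checks: a response that does not add up should not drive a rollout.
    if sim["compliant"] + sim["nonCompliant"] != total:
        reasons.append("compliant + nonCompliant != totalRecipients")
    if sum(row["recipients"] for row in rows) != total:
        reasons.append("breakdown rows do not sum to totalRecipients")
    short = sum(row["recipients"] for row in rows if row["missingFactors"])
    if short != sim["nonCompliant"]:
        reasons.append("rows with missingFactors do not match nonCompliant")

    # Recipients to onboard per factor (one recipient can count under several factors).
    missing = Counter()
    for row in rows:
        for factor in row["missingFactors"]:
            missing[factor] += row["recipients"]

    # Assumed rule: only production requires every recipient to be compliant.
    if stage == "production" and sim["nonCompliant"] > 0:
        reasons.append(f"{sim['nonCompliant']} of {total} recipients would fail the policy")
    return (not reasons, reasons, dict(missing))

# The simulation response shown above, compacted.
SIMULATION = json.loads("""
{"policyId": "pol_01HQ3P...", "policyName": "Mortgagee Bulk API Access",
 "totalRecipients": 127, "compliant": 118, "nonCompliant": 9,
 "breakdown": [
  {"factorCount": 2, "combination": ["shared_passphrase", "tls_certificate"],
   "recipients": 118, "missingFactors": []},
  {"factorCount": 1, "combination": ["shared_passphrase"],
   "recipients": 6, "missingFactors": ["tls_certificate"]},
  {"factorCount": 0, "combination": [],
   "recipients": 3, "missingFactors": ["shared_passphrase", "tls_certificate"]}]}
""")

if __name__ == "__main__":
    for stage in ("pilot", "production"):
        print(stage, publish_gate(SIMULATION, stage))
```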
Publishing
Progress through staged rollout:
# Start with pilot (subset of mortgagees)
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies/pol_01HQ3P.../publish \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{ "stage": "pilot" }'
# After validation, promote to production
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies/pol_01HQ3P.../publish \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{ "stage": "production" }'
Schedule the auditor policy for a future engagement:
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies/pol_01HQ3Q.../publish \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{
"stage": "production",
"scheduledEnforceDate": "2025-01-15T00:00:00.000Z"
}'
Rollback
Revert to any previous version:
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies/pol_01HQ3P.../rollback/1 \
-H "Authorization: Bearer dk_live_a1b2c3d4..."
Rollback creates a new version with the old recipe — it does not delete intermediate versions. The full history is preserved for audit purposes.
Assigning to Groups
Apply a policy to an entire persona group:
# Assign mortgagee policy to all lenders
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../groups/grp_mortgagees.../assign-policy \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{ "policyId": "pol_01HQ3P..." }'
# Assign auditor policy to the Q1 audit team
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../groups/grp_q1_audit.../assign-policy \
-H "Authorization: Bearer dk_live_a1b2c3d4..." \
-H "Content-Type: application/json" \
-d '{ "policyId": "pol_01HQ3Q..." }'
Persona Summary
Insurance:
| Persona | Auth Factors | Access Method | Time Limit | Key Identifiers |
|---|---|---|---|---|
| Mortgagee | Passphrase + mTLS cert | Bulk API | None (passphrase TTL) | lender_id, policy_number |
| Agent | WebAuthn challenge | Portal + bulk download | None | agency_code, policy_number |
| Policyholder | DOB + SMS OTP | Portal (single retrieval) | OTP: 5 min | email, date_of_birth, policy_number |
| Auditor | Badge ID + NDA hash | Portal (read-only, no download) | Time-boxed (auto-expires) | badge_id, nda_hash |
Real Estate:
| Persona | Auth Factors | Access Method | Time Limit | Key Identifiers |
|---|---|---|---|---|
| Mortgagee | Passphrase + mTLS cert | Bulk API | None (passphrase TTL) | lender_id, file_number |
| Agent | WebAuthn challenge | Portal + bulk download | None | agent_license, file_number |
| Policyholder | DOB + SMS OTP | Portal (single retrieval) | OTP: 5 min | email, date_of_birth, file_number |
| Auditor | Badge ID + NDA hash | Portal (read-only, no download) | Time-boxed (auto-expires) | badge_id, nda_hash |
Healthcare:
| Persona | Auth Factors | Access Method | Time Limit | Key Identifiers |
|---|---|---|---|---|
| Mortgagee | Passphrase + mTLS cert | Bulk API | None (passphrase TTL) | payer_id, member_id |
| Agent | WebAuthn challenge | Portal + bulk download | None | npi_number, member_id |
| Policyholder | DOB + SMS OTP | Portal (single retrieval) | OTP: 5 min | email, date_of_birth, member_id |
| Auditor | Badge ID + NDA hash | Portal (read-only, no download) | Time-boxed (auto-expires) | badge_id, nda_hash |
Financial Services:
| Persona | Auth Factors | Access Method | Time Limit | Key Identifiers |
|---|---|---|---|---|
| Mortgagee | Passphrase + mTLS cert | Bulk API | None (passphrase TTL) | investor_id, loan_number |
| Agent | WebAuthn challenge | Portal + bulk download | None | nmls_id, loan_number |
| Policyholder | DOB + SMS OTP | Portal (single retrieval) | OTP: 5 min | email, date_of_birth, loan_number |
| Auditor | Badge ID + NDA hash | Portal (read-only, no download) | Time-boxed (auto-expires) | badge_id, nda_hash |