Last updated Apr 2, 2020

Right to be forgotten (RTBF)

To satisfy RTBF, any API must have the following functionality:

  • Look up a user by email
  • Delete a user by email or ID
  • Identify user creation time

Look up a user by email

Sample request:

GET /api/user/:email HTTP/1.1
Host: someapi.com
Content-Type: application/json

Sample response:

{
    "id": {id},
    "email": {email},
    ...any other information...
}

If the user is not found, a 404 status code should be returned.

Delete a user by email or ID

The API should make it possible to delete a user by email or another identifier returned by the user retrieval endpoint.

Sample request:

DELETE /api/user/:emailOrId HTTP/1.1
Host: someapi.com
Content-Type: application/json

Sample response:

{
    ...any useful information...
}

This endpoint should work without any type of confirmation.

The deletion request can be implemented asynchronously, with a maximum completion time of 15 days.

Identify user creation time

Some of Atlassian's marketing systems have an internal block list. APIs should provide a way to notify those systems when a user is created, to ensure the user is removed from the block list. The notification must include the user's creation time. One approach would be a webhook that fires an event containing the user's email and creation time.
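
The three capabilities above, as an in-memory Python service. This is an added example, not Atlassian's code; the class and method names, the event field names, lowercase email matching, the 202 status for an accepted deletion and the 404 for deleting an unknown user are assumptions.

```python
from datetime import datetime, timedelta, timezone

MAX_DELETION_DELAY = timedelta(days=15)  # completion limit stated on the page


class UserApi:
    """In-memory stand-in for the three RTBF capabilities (hypothetical names)."""

    def __init__(self, notify):
        self.users = {}       # id -> {"id", "email", "created"}
        self.pending = {}     # id -> deadline of an accepted deletion
        self.notify = notify  # webhook sender: callable taking an event dict
        self.next_id = 1

    def create_user(self, email, now):
        user = {"id": self.next_id, "email": email.lower(), "created": now.isoformat()}
        self.users[user["id"]] = user
        self.next_id += 1
        # Creation event carries email and creation time for block-list cleanup.
        self.notify({"event": "user_created", "email": user["email"],
                     "created": user["created"]})
        return user

    def _find(self, email_or_id):
        key = str(email_or_id)
        for user in self.users.values():
            if key.lower() == user["email"] or key == str(user["id"]):
                return user
        return None

    def get_user(self, email):                # GET /api/user/:email
        user = self._find(email) if "@" in email else None
        return (200, dict(user)) if user else (404, {})

    def delete_user(self, email_or_id, now):  # DELETE /api/user/:emailOrId
        user = self._find(email_or_id)
        if user is None:
            return 404, {}
        # No confirmation step; a repeated request keeps the first deadline.
        deadline = self.pending.setdefault(user["id"], now + MAX_DELETION_DELAY)
        return 202, {"id": user["id"], "complete_by": deadline.isoformat()}

    def run_deletions(self, now):
        """Background job: erase accepted deletions, return ids that ran late."""
        overdue = [uid for uid, due in self.pending.items() if now > due]
        for uid in list(self.pending):
            self.users.pop(uid, None)
            del self.pending[uid]
        return overdue
```

A non-empty list from `run_deletions` means a deletion finished after the 15-day limit and is worth alerting on.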
