Generate an OAuth 2.0 client-credentials token in OneTrust Global Settings, store it as YOUR_ONETRUST_TOKEN, and note your tenant hostname (e.g., your-org.onetrust.com).
POST to https://{hostname}/api/datasubject/v3/requests with a JSON body containing requestType (e.g., ACCESS), firstName, lastName, email, and the relevant requestFormId; capture the returned requestId.
Poll GET https://{hostname}/api/datasubject/v3/requests/{requestId} every 60 seconds; check the statusLabel field for transitions through PENDING -> IN_PROGRESS -> COMPLETED.
When status reaches COMPLETED, retrieve the fulfillment package via GET https://{hostname}/api/datasubject/v3/requests/{requestId}/report; the response includes a downloadUrl with a short-lived presigned link.
Download the report bundle, then close the request if your workflow requires explicit closure by calling PATCH with status CLOSED and a closingNotes field.
Log the requestId, completion timestamp, and report hash in your audit ledger to demonstrate GDPR Art. 12 accountability.
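The polling, report download and audit-logging steps above, sketched in Python as an added example (not code from this page or from OneTrust). The names fulfil_request, get_json, get_bytes, ledger_path and max_polls are hypothetical, and it assumes statusLabel and downloadUrl sit at the top level of the JSON responses; get_json is expected to attach the bearer token.

```python
import hashlib
import json
import time
from datetime import datetime, timezone

POLL_SECONDS = 60  # polling interval given in the steps above


def fulfil_request(hostname, request_id, get_json, get_bytes, ledger_path,
                   sleep=time.sleep, max_polls=1440):
    """Poll a request until COMPLETED, download the report, ledger its SHA-256.

    get_json(url) -> dict and get_bytes(url) -> bytes are caller-supplied
    transports (hypothetical names, not a OneTrust SDK).
    """
    base = f"https://{hostname}/api/datasubject/v3/requests/{request_id}"
    for _ in range(max_polls):
        status = get_json(base).get("statusLabel")
        if status == "COMPLETED":
            break
        # Fail loudly on anything outside the documented transitions rather
        # than polling silently while the response deadline runs down.
        if status not in ("PENDING", "IN_PROGRESS"):
            raise RuntimeError(f"unexpected statusLabel: {status!r}")
        sleep(POLL_SECONDS)
    else:
        raise TimeoutError(f"{request_id} not COMPLETED after {max_polls} polls")

    download_url = get_json(f"{base}/report")["downloadUrl"]
    # The presigned link is a credential in its own right: require HTTPS and
    # keep the URL itself out of logs and out of the ledger.
    if not download_url.startswith("https://"):
        raise ValueError("downloadUrl is not HTTPS")
    bundle = get_bytes(download_url)

    entry = {
        "requestId": request_id,
        # Assumption: the time this poller observed COMPLETED.
        "completedAt": datetime.now(timezone.utc).isoformat(),
        "reportSha256": hashlib.sha256(bundle).hexdigest(),
    }
    # Append-only JSON Lines ledger: one record per fulfilled request.
    with open(ledger_path, "a", encoding="utf-8") as ledger:
        ledger.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry
```

The ledger holds only the request ID, timestamp and digest, so it can be retained for accountability without keeping a second copy of the data subject's personal data.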
Known gotchas
The OAuth token scope must include DataSubjectRights.Read and DataSubjectRights.Write; missing scopes return 403 even when credentials are valid.
OneTrust environments use tenant-specific hostnames; the generic 'app.onetrust.com' hostname will not work for API calls on every tenant, so always confirm the hostname in your account settings.
GDPR Art. 12 requires you to respond within one calendar month; OneTrust does not send push alerts on status changes by default, so configure a webhook or schedule polling accordingly.