Common Ground: the connective tissueΒΆ

Common Ground is the current plumbing: the ZGW (Zaakgericht Werken) REST APIs standing in for the older StUF SOAP koppelvlakken, with Haal Centraal for base-registry lookups and NLX/FSC carrying traffic between organisations. In the Common Ground five-layer model, these APIs are the data-and-services layer, kept deliberately apart from the process applications above them: the registration where a case lives is not the zaaksysteem that works it.

zaken.ankh-morpork.example is an Open Zaak instance, so its shape is known before a request is sent. A case reads like this:

GET /zaken/api/v1/zaken/{uuid}
Authorization: Bearer <jwt>        component token, scoped through the Autorisaties API
returns { "identificatie": "ZAAK-2026-000123", "zaaktype": ".../catalogi/api/v1/zaaktypen/{uuid}" }

Two seams open here. Authorisation in ZGW is per-component and scope-based, so the question is whether a token minted for one application is scoped tightly, or whether it reads zaken beyond its remit. And where a migration is half-done, the same case answers twice: once on zaken over REST, once on koppel over StUF, two authorisation models over one dataset, rarely agreeing on who may see what. Because Open Zaak is open source, the routes, the token model and the default behaviour can be read in advance rather than guessed.