Skip to main content
The Requisitions service provides methods for managing requisition resources, which represent data collection requests to data providers.

Resource

Requisition

A requisition for data across EventGroups from a single DataProvider. Output-only. A Requisition is created on behalf of a MeasurementConsumer to instruct a DataProvider to collect and upload data necessary to compute a Measurement result. Resource name patterns:
  • dataProviders/{data_provider}/requisitions/{requisition} (canonical)
  • measurementConsumers/{measurement_consumer}/measurements/{measurement}/requisitions/{requisition}
name
string
required
Resource name identifier.
measurement
string
required
Resource name of Measurement that this Requisition is associated with. Required, immutable.
measurement_consumer_certificate
string
Denormalized dereferenced measurement_consumer_certificate field from measurement. Output only, immutable.
measurement_spec
SignedMessage
Denormalized measurement_spec field from measurement. Output only, immutable.
protocol_config
ProtocolConfig
Denormalized protocol_config field from measurement. Output only, immutable.
data_provider_certificate
string
Denormalized data_provider_certificate field from the corresponding DataProviderEntry in measurement. Output only, immutable.
data_provider_public_key
Any
Denormalized data_provider_public_key field from the corresponding DataProviderEntry in measurement. Output only, immutable.
encrypted_requisition_spec
EncryptedMessage
Denormalized encrypted_requisition_spec field from the corresponding DataProviderEntry in measurement. Output only, immutable.
duchies
DuchyEntry[]
Map of Duchy name to parameters for that Duchy. Immutable.
state
State
The state of this Requisition. Output only.Possible values:
  • STATE_UNSPECIFIED - Default value if state is omitted. Should never be used.
  • UNFULFILLED - The Requisition has not yet been fulfilled
  • FULFILLED - The Requisition has been fulfilled (terminal state)
  • REFUSED - The Requisition has been refused by the DataProvider (terminal state, causes measurement to fail)
  • WITHDRAWN - The Requisition has been withdrawn (terminal state)
nonce
fixed64
The nonce value from encrypted_requisition_spec. Output only. Set when state is FULFILLED.
refusal
Refusal
The refusal that put this Requisition into the REFUSED state. Must be set when state is REFUSED.
fulfillment_context
FulfillmentContext
Context information related to the fulfillment of the Requisition. May only be set when state is FULFILLED.
measurement_state
Measurement.State
Denormalized state field from measurement. Output only.
update_time
Timestamp
When the Requisition was last updated. Output only.
etag
string
Current etag of the Requisition. Output only.

DuchyEntry

Entry in the duchies map.
key
string
required
Key of the map entry, which is a Duchy resource name.
value
Value
required
Value of a map entry.

Refusal

Refusal of a Requisition.
justification
Justification
required
Justification for refusing to fulfill this Requisition.Possible values:
  • JUSTIFICATION_UNSPECIFIED - Default value. Should never be used.
  • CONSENT_SIGNAL_INVALID - At least one cryptographic consent signal (digital signature or encrypted value) is invalid
  • SPEC_INVALID - The specification/configuration for the Requisition is invalid
  • INSUFFICIENT_PRIVACY_BUDGET - There is insufficient remaining privacy budget to fulfill the Requisition
  • UNFULFILLABLE - The Requisition cannot be fulfilled for a reason not indicated by another justification
  • DECLINED - The DataProvider has declined to fulfill this Requisition
message
string
Human-readable string adding more context to the provided Justification. This should NOT include sensitive information.Example: “Data Provider X does not support Virtual ID model line Y”.

FulfillmentContext

Context information related to the fulfillment of a Requisition.
build_label
string
Build label from the fulfilling DataProvider.
warnings
string[]
Human-readable warnings about the fulfillment. This must not include sensitive data.

Methods

ListRequisitions

Returns the Requisitions for the specified EventGroup. Request
parent
string
required
Resource key of the parent DataProvider or Measurement.Results in a PERMISSION_DENIED error if any key segment does not match for the authenticated user.Formats:
  • dataProviders/{data_provider}
  • measurementConsumers/{measurement_consumer}/measurements/{measurement}
page_size
int32
The maximum number of resources to return. The service may return fewer than this value.If unspecified, at most 10 resources will be returned. The maximum value is 500; values above this will be coerced to the maximum.
page_token
string
A token from a previous call, specified to retrieve the next page. See https://aip.dev/158.
filter
Filter
Filter criteria. Repeated fields are treated as logical ORs, and multiple fields specified as logical ANDs.
Response
requisitions
Requisition[]
The Requisition resources.
next_page_token
string
A token that can be specified in a subsequent call to retrieve the next page. See https://aip.dev/158.
Example 
message ListRequisitionsRequest {
  string parent = 1 [(google.api.field_behavior) = REQUIRED];
  int32 page_size = 2;
  string page_token = 3;
  Filter filter = 4;
}

message ListRequisitionsResponse {
  repeated Requisition requisitions = 1;
  string next_page_token = 2;
}

GetRequisition

Returns the Requisition with the specified resource key. Request
name
string
required
Resource name of the Requisition.Format: dataProviders/{data_provider}/requisitions/{requisition}
Response Returns a Requisition resource. Example 
message GetRequisitionRequest {
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}

RefuseRequisition

Transitions a Requisition to the REFUSED state. This is a terminal state for the Requisition, resulting in the permanent failure of the parent Measurement. Consequently, this should only be called for permanent failures and not transient errors. This is a state transition method (https://aip.dev/216). Request
name
string
required
Resource name of the Requisition to mark as UNFILLABLE.Format: dataProviders/{data_provider}/requisitions/{requisition}
refusal
Refusal
required
Details about the refusal.
etag
string
Etag of the requisition. If specified and the value does not match the current etag, the operation will not occur and will result in an ABORTED status.
Response Returns the updated Requisition resource with state set to REFUSED. Example 
message RefuseRequisitionRequest {
  string name = 1 [(google.api.field_behavior) = REQUIRED];
  Requisition.Refusal refusal = 2 [(google.api.field_behavior) = REQUIRED];
  string etag = 3;
}
Important Notes
  • Refusing a requisition causes the parent measurement to fail permanently.
  • Only use for permanent failures (e.g., invalid spec, insufficient privacy budget).
  • For transient errors, retry instead of refusing.
  • The etag parameter provides optimistic concurrency control.

FulfillDirectRequisition

Fulfills a Requisition using the Direct protocol. This may only be called if Requisition.protocol_config indicates that the protocol may be used. See the RequisitionFulfillment service to fulfill using a different protocol. Request
name
string
required
Resource name of the Requisition.Format: dataProviders/{data_provider}/requisitions/{requisition}
encrypted_result
EncryptedMessage
required
Encrypted SignedMessage containing a Measurement.Result.The encryption uses the measurement_public_key from measurement_spec as the recipient’s public key.The versions of the SignedMessage and Measurement.Result message types must match the API version of this request message.
nonce
fixed64
required
The nonce value from the encrypted_requisition_spec.
certificate
string
Resource name of the Certificate belonging to the DataProvider that can be used to verify the result.If unspecified, the data_provider_certificate from the Requisition will be used.
fulfillment_context
FulfillmentContext
Context information related to the fulfillment of the Requisition.
etag
string
Etag of the requisition. If specified and the value does not match the current etag, the operation will not occur and will result in an ABORTED status.
Response
state
Requisition.State
Resulting state of the Requisition. Output only.
Example 
message FulfillDirectRequisitionRequest {
  string name = 1 [(google.api.field_behavior) = REQUIRED];
  EncryptedMessage encrypted_result = 4;
  fixed64 nonce = 3 [(google.api.field_behavior) = REQUIRED];
  string certificate = 5;
  Requisition.FulfillmentContext fulfillment_context = 6;
  string etag = 7;
}

message FulfillDirectRequisitionResponse {
  Requisition.State state = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
}
Usage Notes
  • The Direct protocol is used for simple, direct data provision.
  • The result must be encrypted with the measurement consumer’s public key.
  • The nonce must match the one from the encrypted requisition spec.
  • The etag parameter provides optimistic concurrency control.

State Transitions

Requisitions follow this state transition workflow: 
  [Created]
      |
      v
  UNFULFILLED
      |
      +---> FULFILLED (terminal)
      +---> REFUSED (terminal)
      +---> WITHDRAWN (terminal)

State Descriptions

  • UNFULFILLED: The requisition has been created but not yet fulfilled by the data provider.
  • FULFILLED: The data provider has successfully fulfilled the requisition by providing the requested data.
  • REFUSED: The data provider refused to fulfill the requisition (causes measurement to fail).
  • WITHDRAWN: The requisition was withdrawn (e.g., measurement was cancelled).

Refusal Justifications

Use when:
  • A digital signature cannot be verified using the specified certificate
  • An encrypted value cannot be decrypted using the specified key
  • Cryptographic validation fails

SPEC_INVALID

Use when:
  • The encrypted requisition spec contains invalid data
  • The time interval is invalid (e.g., end_time before start_time)
  • Configuration is not supported by the DataProvider

INSUFFICIENT_PRIVACY_BUDGET

Use when:
  • The requisition would exceed available privacy budget
  • Differential privacy constraints prevent fulfillment
  • Privacy parameters are exhausted

UNFULFILLABLE

Use when:
  • Data corruption prevents fulfillment
  • Internal DataProvider failure occurs
  • The requisition should be fulfillable but cannot be for technical reasons

DECLINED

Use when:
  • DataProvider policy prevents fulfillment
  • Business reasons prevent fulfillment
  • Reasons not expressible through other justifications

Workflow

DataProvider Perspective

  1. List Requisitions: Poll for new UNFULFILLED requisitions using ListRequisitions.
  2. Decrypt Spec: Decrypt the encrypted_requisition_spec using your private key.
  3. Validate Request: Check signatures, validate spec, check privacy budget.
  4. Collect Data: Gather the requested data from your EventGroups.
  5. Compute Result: Calculate the measurement result according to the spec.
  6. Encrypt Result: Encrypt the result using the measurement consumer’s public key.
  7. Fulfill or Refuse:
    • Success: Call FulfillDirectRequisition with the encrypted result
    • Failure: Call RefuseRequisition with appropriate justification

MeasurementConsumer Perspective

  1. Create Measurement: Creating a measurement automatically creates requisitions.
  2. Monitor Progress: Poll measurement state or list requisitions to track fulfillment.
  3. Handle Failures: If a requisition is refused, the measurement will fail with details.
  4. Retrieve Results: When all requisitions are fulfilled and computation completes, decrypt results.

Build docs developers (and LLMs) love

Get started for freeTalk to us