Create a subject (with consent)

POST 
/v1/nature/subjects

Creates a new subject record. Consent must be captured at this step — the consent_artifact field is required and must reference the consent UI version + timestamp + integrity hash.

Per LEGAL-GUARDRAILS.md, MN-API operates as data processor; the customer is the controller. Consent collection is the customer's responsibility. The artifact is retained for the subject lifetime + 7 years (litigation hold horizon).

Idempotency: supports Idempotency-Key header per ADR-006 (30-day TTL).

Request

Responses

201

Subject created

400

Validation failure or malformed request

401

Authentication failed

403

Valid key but insufficient scope

409

Idempotency-Key reused with a different request body OR a request with the same key is currently in-flight. See ADR-006.

429

Rate limit exceeded on one or more dimensions

Response Headers

Retry-After

Seconds until retry is permitted

500

Server-side error; safe to retry with backoff