TPAE

Third Party Authorized Entity

Security
Introduced in Rel-17
A trusted external entity authorized by a mobile network operator to access network capabilities and user data for specific services. It enables secure third-party service integration, such as edge computing or IoT applications, while maintaining operator control and user privacy.

Description

The Third Party Authorized Entity (TPAE) is a security and architectural concept introduced in 3GPP Release 17, primarily within the framework of the service enabler architecture layer (SEAL) and network exposure. It represents an external application provider or service entity that has been granted explicit authorization by a mobile network operator (MNO) or a network function (such as the Network Exposure Function, NEF) to access certain network capabilities, APIs, or user-related data. The TPAE is not part of the 3GPP network trust domain but operates in a trusted relationship established through formal authorization processes. Its identity and permissions are validated before any interaction, ensuring that third-party access is controlled, auditable, and compliant with regulatory requirements such as GDPR.

Architecturally, the TPAE interfaces with the 3GPP core network, typically through the NEF in the 5G core (5GC). The NEF acts as a secure gateway and policy enforcement point, exposing network APIs (e.g., Nnef services) to authorized external entities. The TPAE must authenticate itself using credentials (like certificates) and is assigned specific scopes of access based on its authorization. These scopes define which network functions it can invoke, what data it can request (e.g., location information, quality of service adjustments), and under what conditions. The TPAE's requests are subject to policy controls, including user consent verification, rate limiting, and charging, which are enforced by the NEF and other policy control functions (PCF).

Key components involved with TPAE operation include the NEF, which manages the exposure and security; the Unified Data Management (UDM) or Authentication Server Function (AUSF), which may assist in authentication; and the PCF, which provides policy rules. The TPAE itself is characterized by its application identity, security credentials, and the authorized service profile. Its role is critical for enabling innovative services like edge computing applications, where a third-party edge application provider needs low-latency access to user plane functions, or IoT verticals that require real-time device status. By formalizing the TPAE concept, 3GPP provides a standardized, secure model for third-party integration, moving beyond ad-hoc interfaces to a managed ecosystem that protects network integrity and user privacy.
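The enforcement chain described above (credential check, scope check, user consent, rate limiting) as an added example of NEF-side logic, not code from 3GPP or any operator; the scope names, consent records, signing key, token format and identities are constructed assumptions, with an HMAC-signed token standing in for the OAuth 2.0 access token:

```python
import base64, hashlib, hmac, json

# Constructed example: scope names, consent records, key and identities are assumptions,
# not values defined by 3GPP. APIs that expose user data require per-subscriber consent:
CONSENT_REQUIRED = {"nnef-location", "nnef-event-monitoring"}

def issue_token(claims, key):
    # Stand-in for the OAuth 2.0 issuer: base64url-encoded claims with an HMAC-SHA256 tag.
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).rstrip(b"=").decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify_token(token, key, now):
    # Returns the claims only if the signature, audience and expiry are valid, else None.
    body, _, mac = token.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims if claims.get("aud") == "nef" and claims.get("exp", 0) > now else None

class Nef:
    # Policy enforcement point: credential -> scope -> user consent -> rate limit.
    def __init__(self, key, consent, rate_limit=1):
        self.key, self.consent, self.rate_limit = key, consent, rate_limit
        self.admitted = {}  # admitted requests per TPAE identity within one window

    def authorize(self, token, api, ue_id, now):
        claims = verify_token(token, self.key, now)
        if claims is None:
            return "deny: invalid or expired credential"
        if api not in claims.get("scope", "").split():
            return "deny: scope does not cover " + api
        if api in CONSENT_REQUIRED and not self.consent.get((ue_id, api), False):
            return "deny: no user consent for " + api + " on " + ue_id
        self.admitted[claims["sub"]] = self.admitted.get(claims["sub"], 0) + 1
        if self.admitted[claims["sub"]] > self.rate_limit:
            return "deny: rate limit exceeded"
        return "allow"

def demo():
    key = b"constructed-nef-key"
    nef = Nef(key, consent={("ue-1", "nnef-location"): True})
    tok = issue_token({"sub": "tpae-edge-app", "aud": "nef", "exp": 2000,
                       "scope": "nnef-location nnef-qos"}, key)
    return [nef.authorize(tok, "nnef-location", "ue-1", 1000),          # allow
            nef.authorize(tok, "nnef-location", "ue-2", 1000),          # no consent
            nef.authorize(tok, "nnef-event-monitoring", "ue-1", 1000),  # not in scope
            nef.authorize(tok, "nnef-qos", "ue-1", 1000),               # rate limited
            nef.authorize(tok + "x", "nnef-qos", "ue-1", 1000),         # tampered
            nef.authorize(tok, "nnef-qos", "ue-1", 3000)]               # expired
```

Each denial names the failing stage, which is the information an operator would log for the audit trail the description calls for.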

Purpose & Motivation

The TPAE was created to address the growing demand for secure and standardized third-party access to 5G network capabilities. Historically, service providers outside the operator's domain had limited or proprietary ways to interact with the network, often requiring complex bilateral agreements and custom integrations, which hindered innovation and scalability. With the rise of edge computing, IoT, and network slicing, there was a clear need for a controlled mechanism to allow external entities to leverage network functions—such as quality of service management, location services, or event monitoring—without compromising security or operational control.

This concept solves the problem of how to safely open up the network to a broader ecosystem of application developers and vertical industries while maintaining the operator's authority over their assets. It establishes a trust framework where third parties can be authenticated, authorized, and audited, ensuring that access is granted only for intended purposes and in compliance with user consent and data protection regulations. The TPAE model enables new business models, such as network-as-a-service, by providing a clear technical and procedural foundation for third-party partnerships, thereby fostering an open innovation environment in the 5G era.

Key Features

  • External entity authorization via operator-defined policies
  • Secure access through the Network Exposure Function (NEF)
  • Scope-based access control limiting API and data exposure
  • Integration with user consent and data privacy mechanisms
  • Support for authentication using certificates or OAuth 2.0
  • Enables third-party service innovation in edge and IoT

Evolution Across Releases

Rel-17 Initial

Introduced the Third Party Authorized Entity concept within the service enabler architecture for vertical applications. Defined its role in accessing network capabilities via the NEF, with initial focus on authorization frameworks, security procedures, and API exposure for edge computing and IoT services.

Defining Specifications

Specification    Title
TS 23.256        3GPP TS 23.256
TS 23.700        3GPP TS 23.700
TS 28.853        3GPP TS 28.853
TS 29.256        3GPP TS 29.256
TR 33.854        3GPP TR 33.854