Skip to main content

Getting Started

Step 1: Sign Up

  • Register your organization as a Data Fiduciary (DF) on the Consent Manager portal to get started.
  • Choose the appropriate environment—staging for testing or production for live usage.
  • Make sure you sign up in the correct environment to avoid integration issues later.

Step 2: Get Credentials

  • Log in to the portal and create a client from the Credentials page to generate your Client ID and Client Secret.
  • These credentials are required to authenticate your APIs by first generating an access token.
  • Make sure to securely store the Client Secret, as it is shown only once and cannot be retrieved later.

Step 3: Generate Access Token

  • Generate an access token using your Client ID and Client Secret, as all APIs require authentication.
  • Use HTTP Basic Authentication by encoding your credentials (client_id:client_secret) in Base64.
  • Include this encoded value in the Authorization header to securely obtain the access token.
  • Create a Consent Request Payload in your backend that defines who is requesting consent, what data will be used, the purpose, and duration.
  • You can also use the provided UI to configure these details—such as company info, purposes, data categories, and languages—with a live preview of the consent notice.
  • Once completed, download the generated JSON payload, ensure it follows the schema, and use it in the next step to create the consent request.
  • Use the generated access token and prepared payload to call the Consent Creation API via a POST request.
  • Include the access token in the Authorization header to securely create the consent request.
  • The response will include important details, especially the redirectUrl, which is used to display the consent notice to the user.

Step 6: Extract Redirect URL

  • After creating the consent request, extract the redirectUrl from the API response.
  • This URL is used to display the consent notice where the user can grant or revoke consent.
  • Pass it securely to your frontend and use it as-is without modification.
  • Use the redirectUrl to open the consent notice in your application (browser, WebView, or app).
  • This allows the user to review details and grant or revoke consent.
  • After the user action, the final status should be confirmed via webhook or verification API.

Step 8: Webhook Notification

  • After the user grants, revokes, or the consent expires, the Consent Manager sends a signed webhook notification to your configured endpoint.
  • This webhook contains the final consent status and must be verified for authenticity using the provided signature.
  • Ensure your endpoint securely processes and stores the consent outcome.

Step 9: Webhook Verification (Receipt Validation)

  • Verify the webhook payload by validating the JWS signature using Consent Manager’s public keys (JWKS).
  • Extract the correct key using kid and ensure the signature algorithm is RS256.
  • Additionally, validate the payload integrity by matching the SHA-256 hash before processing the consent status.