☾ Dark
On this page
Register your organization as a Data Fiduciary (DF) on the Consent Manager portal to get started.
Choose the appropriate environment—staging for testing or production for live usage.
Make sure you sign up in the correct environment to avoid integration issues later.
Log in to the portal and create a client from the Credentials page to generate your Client ID and Client Secret.
These credentials are required to authenticate your APIs by first generating an access token.
Make sure to securely store the Client Secret, as it is shown only once and cannot be retrieved later.
Generate an access token using your Client ID and Client Secret, as all APIs require authentication.
Use HTTP Basic Authentication by encoding your credentials (client_id:client_secret) in Base64.
Include this encoded value in the Authorization header to securely obtain the access token.
Create a Consent Request Payload in your backend that defines who is requesting consent, what data will be used, the purpose, and duration.
You can also use the provided UI to configure these details—such as company info, purposes, data categories, and languages—with a live preview of the consent notice.
Once completed, download the generated JSON payload, ensure it follows the schema, and use it in the next step to create the consent request.
Use the generated access token and prepared payload to call the Consent Creation API via a POST request.
Include the access token in the Authorization header to securely create the consent request.
The response will include important details, especially the redirectUrl, which is used to display the consent notice to the user.
After creating the consent request, extract the redirectUrl from the API response.
This URL is used to display the consent notice where the user can grant or revoke consent.
Pass it securely to your frontend and use it as-is without modification.
Use the redirectUrl to open the consent notice in your application (browser, WebView, or app).
This allows the user to review details and grant or revoke consent.
After the user action, the final status should be confirmed via webhook or verification API.
After the user grants, revokes, or the consent expires, the Consent Manager sends a signed webhook notification to your configured endpoint.
This webhook contains the final consent status and must be verified for authenticity using the provided signature.
Ensure your endpoint securely processes and stores the consent outcome.
Verify the webhook payload by validating the JWS signature using Consent Manager’s public keys (JWKS).
Extract the correct key using kid and ensure the signature algorithm is RS256.
Additionally, validate the payload integrity by matching the SHA-256 hash before processing the consent status.