Consent Management REST APIs
WSO2 Identity Server provides REST APIs for managing user consents. Two versions of the consent management API are available:
| API | Base path | Description |
|---|---|---|
| Consent management API | /api/identity/consent-mgt/v1.0 | Legacy consent management API based on the ISO/IEC 29184 model with PII controllers, purposes, and consent receipts. |
| Consent management API v2 | /api/identity/consent-mgt/v2.0 | Revised API with a simplified model covering purposes, elements, and consent records. Use this for new integrations. |
For self-service consent management by end users, see the User consent API.
Consent management API (v1)
The v1 API is based on the ISO/IEC 29184 standard for online privacy notices and consent. Key concepts:
- PII Principal: The natural person to whom the personally identifiable information (PII) relates.
- PII Controller: The entity that determines the purposes and means for processing PII.
- PII Processor: A stakeholder that processes PII on behalf of a PII Controller.
- Purpose: The business, operational, or regulatory reason for collecting PII.
- Consent Receipt: A record of a consent interaction provided by a PII Principal.
Configure the PII controller
Add the following configuration to the <IS_HOME>/repository/conf/deployment.toml file.
```toml
[authentication.pii_controller]
name = "Kim"
contact = "Kim"
email = "[email protected]"
phone = "01433444333"
on_behalf = "false"
url = "https://sample.piicontroller.url"
country = "USA"
locality = "Mountain View"
region = "CA"
po_box = "233"
postal_code = "94043"
street_address = "1600"
```
| Property | Type | Required/Optional | Description |
|---|---|---|---|
| name | string | Required | Name of the first PII controller who collects the data. |
| contact | string | Required | Contact name of the PII controller. |
| email | string | Required | Contact email address of the PII controller. |
| phone | string | Required | Business phone number to contact the PII controller. |
| on_behalf | boolean | Optional | A PII processor acting on behalf of a PII controller or PII processor. |
| url | string | Optional | A URL for contacting the PII controller. |
| country | string | Required | Country of the PII controller. |
| locality | string | Required | Locality of the PII controller. |
| region | string | Required | Region of the PII controller. |
| po_box | string | Required | Post office box number of the PII controller. |
| postal_code | string | Required | Postal code of the PII controller. |
| street_address | string | Required | Street address of the PII controller. |
Extension points
- PIIController connector extension - A sample implementation for registering a PII controller and providing PII controller information for consent receipts.
- Interceptor extension - A sample implementation for registering a consent management interceptor.
Consent management API v2
The v2 API introduces a simplified consent management model. The key concepts are:
- Purpose: Represents a consent use case (for example, Privacy Policy or Marketing) and supports versioning.
- Element: Represents a data element subject to consent (for example, an email address or phone number).
- Consent: Represents a user consent record that links a subject to one or more purposes and elements.