Consent API

The consent API provides consent management capabilities to the web application, possibly on behalf of the end user. For example, the web application may use these endpoints to list the consents to the end user, and provide the user with the option to delete specific consents.

List consents

Endpoint: GET /oauth/api/v1/users/{userId}/consents

Parameter Description
userId User identifier.

This endpoint requires basic authentication using valid API client credentials.

When no consents are found because the user does not exist or the user does not have consents, a 404 Not Found is returned. When the user does have consents, an array with one or more consents is returned. Each consent object has the following attributes:

Attribute Description
id UUID identifying the consent.
client_name Name specified for the client that was given consent to request an access grant for given scope(s).
device_name Name of the device to which this token is granted. (May be absent, as this attribute only contains a value in case of a dynamically registered client.)
scopes String array with the scopes for which the user has given consent.

Example result:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "consents": [
    {
      "id": "fc4ef972-7167-4421-aa89-f109be79d7c2",
      "client_name": "Client X",
      "device_name": "My iPad",
      "scopes": [
        "email",
        "profile"
      ]
    },
    {
      "id": "451f5c34-3d03-4ce0-80bd-4676fc0eddf5",
      "client_name": "Client Y",
      "scopes": [
        "email"
      ]
    }
  ]
}

Example error response:

{
  "error": "No consents found"
}

Delete consent

Endpoint: DELETE /oauth/api/v1/users/{userId}/consents/{consentId}

Parameter Description
userId Identifier of the user
consentId Identifier of the consent

This endpoint requires basic authentication using valid API client credentials.

Deleting a consent for a specific user and client will also remove the corresponding access grant and access token when available. This endpoint always returns a 204 No Content response, regardless of the execution result, so the response by itself does not tell the caller whether a consent was actually deleted.

Example result:

HTTP/1.1 204 No Content
Cache-Control: no-store
Pragma: no-cache
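
Added example (not part of the original documentation or the product's own code): a client-side wrapper for both endpoints that treats 404 as an empty list, tolerates a missing device_name, and confirms a deletion by listing again, because the 204 is returned regardless of the result. The send callable, fake_server and all function names are assumptions made for this sketch; a real send would issue the HTTPS request to the token server and return the status code and body.

```python
import base64
import json
from urllib.parse import quote, unquote

def basic_auth(client_id, client_secret):
    """Authorization header for the API client credentials."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": "Basic " + token}

def consents_path(user_id, consent_id=None):
    # Percent-encode each identifier so a value containing "/", "?" or "#"
    # cannot change which resource the request addresses.
    path = f"/oauth/api/v1/users/{quote(user_id, safe='')}/consents"
    return path if consent_id is None else f"{path}/{quote(consent_id, safe='')}"

def list_consents(send, user_id, headers):
    status, body = send("GET", consents_path(user_id), headers)
    if status == 404:  # unknown user, or user without consents
        return []
    if status != 200:
        raise RuntimeError(f"unexpected status {status}")
    consents = json.loads(body)["consents"]
    for consent in consents:
        consent.setdefault("device_name", None)  # only set for dynamically registered clients
    return consents

def revoke_consent(send, user_id, consent_id, headers):
    """Delete a consent, then list again: the 204 alone proves nothing."""
    status, _ = send("DELETE", consents_path(user_id, consent_id), headers)
    if status != 204:
        raise RuntimeError(f"unexpected status {status}")
    return all(c["id"] != consent_id for c in list_consents(send, user_id, headers))

def fake_server(store):
    """Constructed in-memory stand-in for the API so the example runs offline."""
    def send(method, path, headers):
        parts = [unquote(p) for p in path.split("/")]
        user = parts[5]
        if method == "GET":
            found = store.get(user, [])
            if not found:
                return 404, json.dumps({"error": "No consents found"})
            return 200, json.dumps({"consents": found})
        store[user] = [c for c in store.get(user, []) if c["id"] != parts[7]]
        return 204, ""
    return send
```

revoke_consent returns True only when the consent id no longer appears in a fresh listing for that user.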