The Baanx Consent Management API (V2) provides a comprehensive system for collecting, tracking, and managing user consent throughout the user lifecycle. It enables compliant data collection with complete audit trails for regulatory requirements like GDPR, CCPA, and industry-specific regulations.
All consent operations maintain an immutable audit trail for compliance reporting and regulatory audits.

Regulatory Compliance

Meet GDPR, CCPA, and other data privacy regulations with complete audit trails

User Trust

Transparent consent collection builds trust with clear opt-in/opt-out mechanisms

Flexible Policies

Region-specific policy types (US vs Global) with different consent requirements

Audit Trail

Complete change history with timestamps, IP addresses, and user agent tracking
The API supports five distinct consent types:
| Consent Type | Description | Required In |
| --- | --- | --- |
| eSignAct | Electronic signature agreement (E-Sign Act compliance) | US policy only |
| termsAndPrivacy | Terms of service and privacy policy acceptance | All policies |
| marketingNotifications | Marketing communications opt-in | All policies |
| smsNotifications | SMS/text message notifications | All policies |
| emailNotifications | Email notifications | All policies |
Policy-Specific Requirements: US policy requires all 5 consent types (includes eSignAct for E-Sign Act compliance). Global policy requires 4 consent types (excludes eSignAct).

Policy Types

US Policy

Used for US-based users and deployments within the United States.
Required Consents:
  • eSignAct (E-Sign Act compliance)
  • termsAndPrivacy
  • marketingNotifications
  • smsNotifications
  • emailNotifications
The US policy requires eSignAct consent for compliance with the federal Electronic Signatures in Global and National Commerce Act (E-Sign Act).

Global Policy

Used for international users and deployments outside the US.
Required Consents:
  • termsAndPrivacy
  • marketingNotifications
  • smsNotifications
  • emailNotifications
The Global policy does not require eSignAct consent as this is a US-specific regulatory requirement.
Each consent can have one of three status values:
| Status | Description | Use Case |
| --- | --- | --- |
| granted | User has provided consent | Initial opt-in, re-consent after revocation |
| denied | User has explicitly refused consent | Opt-out during onboarding |
| revoked | Previously granted consent has been withdrawn | User-initiated revocation, right to be forgotten |

Workflow Overview

The consent management workflow follows a structured lifecycle:

Workflow Stages

1. Create Onboarding Consent

Collect consent during user registration using a temporary onboardingId before a permanent userId exists.
When: Registration forms, KYC processes, mobile app onboarding

2. Link User to Consent Set

Associate the permanent userId with the consent set after account creation completes.
When: Post-registration linking, account activation, email verification completion

3. Retrieve Consent Status

Check the aggregated consent status for a user, as a short summary or with full details.
When: Login checks, feature access validation, compliance reporting

4. Track Changes with Audit Trail

Access a paginated audit log of all consent changes with complete history.
When: Compliance audits, regulatory reporting, user consent history review

5. Revoke Consent (Optional)

Allow users to withdraw specific consents while maintaining the immutable audit trail.
When: User settings, privacy preferences, right to be forgotten requests

HATEOAS Navigation

All API responses include a _links section for dynamic API discovery:
{
  "_links": {
    "self": {
      "href": "https://api.baanx.com/v2/consent/user/user_123",
      "method": "GET"
    },
    "audit": {
      "href": "https://api.baanx.com/v2/consent/user/user_123/audit",
      "method": "GET"
    },
    "full": {
      "href": "https://api.baanx.com/v2/consent/user/user_123?full=true",
      "method": "GET"
    }
  }
}
This enables dynamic navigation without hardcoded URLs in your application.
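A client that follows `_links` sends its API credentials to whatever `href` the response carries, so it helps to pin the origin before following one. The check below is an added example, not Baanx code: the pinned host and path prefix are taken from the sample response above, while the GET-only rule, the function names and the tampered sample entries are assumptions.

```python
from urllib.parse import unquote, urlsplit

# Assumed pins, taken from the sample response on this page; adjust per environment.
PINNED_HOST = "api.baanx.com"
PINNED_PREFIX = "/v2/consent/"
AUTO_FOLLOW_METHODS = {"GET"}  # assumption: only read-only links are followed unprompted

def link_problem(link):
    """Return why a _links entry must not be followed with credentials, or None."""
    if not isinstance(link, dict) or not isinstance(link.get("href"), str):
        return "missing or malformed link"
    href = link["href"]
    if any(c in href for c in "\\ \t\r\n"):
        return "backslash or whitespace in href"
    try:
        parts = urlsplit(href)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return "unparsable href"
    if parts.scheme != "https":
        return "scheme is not https"
    if parts.hostname != PINNED_HOST or "@" in parts.netloc or port not in (None, 443):
        return "href leaves the pinned origin"  # also catches user@host forms
    path = unquote(parts.path)
    if not path.startswith(PINNED_PREFIX) or ".." in path.split("/"):
        return "path outside the consent API"
    if str(link.get("method", "GET")).upper() not in AUTO_FOLLOW_METHODS:
        return "method is not auto-followed"
    return None

def safe_links(response: dict) -> dict:
    """Map rel -> href for every _links entry that passes link_problem."""
    links = response.get("_links")
    if not isinstance(links, dict):
        return {}
    return {rel: link["href"] for rel, link in links.items() if link_problem(link) is None}

# Constructed sample: two links from the page's example plus three tampered entries.
SAMPLE = {"_links": {
    "self": {"href": "https://api.baanx.com/v2/consent/user/user_123", "method": "GET"},
    "audit": {"href": "https://api.baanx.com/v2/consent/user/user_123/audit", "method": "GET"},
    "userinfo": {"href": "https://api.baanx.com@other.example/v2/consent/user/user_123"},
    "plain": {"href": "http://api.baanx.com/v2/consent/user/user_123", "method": "GET"},
    "dotdot": {"href": "https://api.baanx.com/v2/consent/%2e%2e/%2e%2e/elsewhere"},
}}

if __name__ == "__main__":
    for rel, link in SAMPLE["_links"].items():
        print(rel, "->", link_problem(link) or "ok")
```

Links that fail the check are dropped from `safe_links`, so the caller can log the rejection and stop instead of following them.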

Key Features

Immutable Audit Trail

Every consent change is recorded with:
  • Timestamp: ISO 8601 date-time
  • IP Address: User’s IP at time of consent
  • User Agent: Browser/device information
  • Before/After Snapshots: Complete state changes

Metadata Support

Enhance consent records with custom metadata:
{
  "metadata": {
    "ipAddress": "192.168.1.1",
    "userAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X)",
    "timestamp": "2024-01-15T10:30:00Z",
    "clientId": "mobile-app-ios-v2.1.0",
    "version": "v2.0.0"
  }
}

Flexible Retrieval

Choose between response modes based on your needs:
  • Short Mode: Status only (complete, incomplete, none)
  • Full Mode: All consent sets with detailed records
