Consent Management
Open Astra tracks user consent for data processing activities. Consent records support expiration dates and can be revoked at any time. All consent operations are scoped to the authenticated user within their workspace.
Recording consent
Consent is recorded as a type/granted pair. The expiresAt field is optional — if omitted, consent has no expiration.
bash
# Record user consent
curl -X POST http://localhost:3000/security/consent \
-H "Authorization: Bearer ${JWT_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"consentType": "data_processing",
"granted": true,
"expiresAt": "2027-03-07T00:00:00.000Z"
}'
# Response (201 Created)
{ "recorded": true, "consents": [...] }
Listing consent
bash
# List all consent records for the authenticated user
curl http://localhost:3000/security/consent \
-H "Authorization: Bearer ${JWT_TOKEN}"
# Response
{ "consents": [
{ "consentType": "data_processing", "granted": true, "expiresAt": "2027-03-07..." },
{ "consentType": "analytics", "granted": false, "expiresAt": null }
]
}
Revoking consent
Revocation removes the consent record. Returns 404 if the consent type doesn't exist.
bash
# Revoke a specific consent type
curl -X DELETE http://localhost:3000/security/consent/data_processing \
-H "Authorization: Bearer ${JWT_TOKEN}"
# Response
{ "revoked": true, "consentType": "data_processing" }
Validation
| Field | Type | Constraints |
|---|---|---|
| consentType | string | 1–64 characters |
| granted | boolean | Required |
| expiresAt | ISO 8601 datetime | Optional |
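
The following is an added example, not Open Astra code: a client-side check of a consent payload against the constraints in the table, plus a fail-closed test of whether a consent type is currently in effect based on the list response. The function names, the strict datetime pattern, the "marketing" sample record, and the assumption that the caller evaluates expiresAt itself are all choices made for this example.

```javascript
// Added example, not Open Astra code. Field names and constraints come from
// the Validation table; the strict datetime pattern is an assumption.
const ISO_DATETIME = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$/;

function isIsoDatetime(value) {
  return typeof value === "string" && ISO_DATETIME.test(value) &&
    !Number.isNaN(Date.parse(value));
}

// Returns a list of problems; an empty list means the payload matches the table.
function validateConsentPayload(payload) {
  const errors = [];
  const { consentType, granted, expiresAt } = payload ?? {};
  // Length is counted in UTF-16 code units here (assumption about the server).
  if (typeof consentType !== "string" || consentType.length < 1 || consentType.length > 64) {
    errors.push("consentType must be a string of 1-64 characters");
  }
  if (typeof granted !== "boolean") {
    errors.push("granted is required and must be a boolean");
  }
  // expiresAt is optional: absent or null means no expiration.
  if (expiresAt !== undefined && expiresAt !== null && !isIsoDatetime(expiresAt)) {
    errors.push("expiresAt must be an ISO 8601 datetime");
  }
  return errors;
}

// Fail closed: a consent type is in effect only if a record exists, is
// granted, and has not expired. A revoked type has no record at all.
function isConsentActive(consents, consentType, now = new Date()) {
  if (!Array.isArray(consents)) return false;
  const record = consents.find((c) => c && c.consentType === consentType);
  if (!record || record.granted !== true) return false;
  if (record.expiresAt === null || record.expiresAt === undefined) return true;
  if (!isIsoDatetime(record.expiresAt)) return false; // unparseable expiry: deny
  return Date.parse(record.expiresAt) > now.getTime();
}

// Constructed sample shaped like the GET /security/consent response.
const sampleConsents = [
  { consentType: "data_processing", granted: true, expiresAt: "2027-03-07T00:00:00.000Z" },
  { consentType: "analytics", granted: false, expiresAt: null },
  { consentType: "marketing", granted: true, expiresAt: null },
];
```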