Consent Management

Consent is a foundational concept in Open Gateway. Before a service provider can access any network data about a user, that user must have explicitly authorized the access. Consent Management capabilities give service providers the tools to query and understand the current consent status of their users.


When a user authorizes an Open Gateway-integrated application to access a capability — for example, allowing a banking app to check for SIM Swap events on their number — the platform records that authorization as a consent record.

A consent record captures:

  • Which user has given consent (identified by phone number)
  • Which service provider received the consent
  • Which capability or data type the consent covers (expressed as an OAuth scope)
  • When the consent was granted
  • Whether the consent is still active or has been revoked

Consent is always specific: a user who has authorized one application to check SIM Swap status has not thereby authorized a different application to do so, nor the same application to access a different capability. The system enforces this granularity.


Consent Info

What it does: Allows a service provider to query whether a specific user has active consent for a given scope — without requiring the user to go through the authorization flow again.

The service provider provides the user’s phone number and the scope they are interested in. The platform returns a response indicating whether valid, active consent exists for that combination.

Who benefits:

  • Service providers who want to check consent status before making a capability request, to avoid unnecessary API calls that would fail due to missing consent
  • Compliance teams who need to audit which users have consented to what
  • Applications that want to surface consent status to their users — for example, in a settings screen showing “you have authorized this app to check your SIM Swap status”

Why it matters:

Without a consent query capability, service providers would have to attempt a capability call and handle the resulting “consent not found” error to learn that a user has not yet consented. Consent Info provides a cleaner way to check status proactively, which supports better user experience design (showing a consent request only when needed) and better operational visibility.


Privacy and compliance

The consent model in Open Gateway is designed to align with data protection principles, including those embodied in regulations like GDPR.

User control: Users can revoke consent at any time. Once revoked, subsequent capability calls from that service provider for that scope will fail immediately, regardless of whether the service provider holds a valid access token.

Data minimization: Consent Info tells a service provider only whether consent exists — it does not expose the details of the consent record or any personal data about the user.

Auditability: Consent records are immutable logs. Granting and revoking consent both create entries in the audit trail, making it possible to demonstrate compliance with a subject access request or regulatory inquiry.

Explicit and specific: Open Gateway does not support blanket or implied consent. Every authorization is tied to a specific scope and a specific service provider. A user who consents to Number Verification for one app has not consented to SIM Swap for the same app, or to Number Verification for a different app.
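The following is an added example, not code from the Open Gateway platform or any of its SDKs. It models the consent record and the Consent Info check described above, the "check before calling" pattern from the section on why the capability matters, and the platform-side rule that a revoked consent fails a capability call even when the access token is still valid. The ledger is append-only so that granting and revoking both leave audit entries. All identifiers in it (the class and function names, the phone number, the provider ids, the scope strings and the error labels) are constructed for illustration and are not the platform's wire format.

```python
# Added example (not Open Gateway platform code): an append-only consent ledger
# with a Consent Info query, platform-side enforcement at call time, and the
# service-provider-side "check first" pattern. All names and values are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable audit-trail entry: a grant or a revocation."""
    kind: str            # "grant" or "revoke"
    phone_number: str    # which user (users are identified by phone number)
    provider_id: str     # which service provider received the consent
    scope: str           # which capability, expressed as an OAuth scope
    at: datetime         # when it happened


class ConsentLedger:
    """Append-only store: status is derived from the log, never edited in place."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def grant(self, phone_number: str, provider_id: str, scope: str, at: datetime) -> None:
        self._events.append(ConsentEvent("grant", phone_number, provider_id, scope, at))

    def revoke(self, phone_number: str, provider_id: str, scope: str, at: datetime) -> None:
        self._events.append(ConsentEvent("revoke", phone_number, provider_id, scope, at))

    def consent_info(self, phone_number: str, provider_id: str, scope: str) -> bool:
        """Consent Info: report only whether active consent exists for this exact
        user/provider/scope triple. No record details are returned (data minimization)."""
        latest: Optional[ConsentEvent] = None
        for e in self._events:   # events are appended in time order
            if (e.phone_number, e.provider_id, e.scope) == (phone_number, provider_id, scope):
                latest = e
        return latest is not None and latest.kind == "grant"

    def audit_trail(self, phone_number: str) -> List[Tuple[str, str, str, str]]:
        """Every grant and revoke for one user, e.g. to answer a subject access request."""
        return [(e.kind, e.provider_id, e.scope, e.at.isoformat())
                for e in self._events if e.phone_number == phone_number]


@dataclass(frozen=True)
class AccessToken:
    """Minimal stand-in for an OAuth access token bound to one user, provider and scope."""
    phone_number: str
    provider_id: str
    scope: str
    expires_at: datetime


def handle_capability_call(ledger: ConsentLedger, token: AccessToken, now: datetime) -> str:
    """Platform side: a valid token is not sufficient; consent is re-checked on every
    call, so a revocation takes effect immediately."""
    if now >= token.expires_at:
        return "invalid_token"
    if not ledger.consent_info(token.phone_number, token.provider_id, token.scope):
        return "consent_not_found"    # constructed error label
    return "ok"


def check_then_call(ledger: ConsentLedger, token: AccessToken, now: datetime) -> str:
    """Service-provider side: query Consent Info first and only make the capability
    call when consent exists, instead of calling blindly and handling the error."""
    if not ledger.consent_info(token.phone_number, token.provider_id, token.scope):
        return "consent_required"     # caller should start the authorization flow
    return handle_capability_call(ledger, token, now)


def scenario() -> dict:
    """Grant, granular checks, revocation; returns the observed results."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)                 # constructed timestamp
    user, bank, other = "+15550001111", "bank-app", "other-app"    # constructed identifiers
    ledger = ConsentLedger()
    ledger.grant(user, bank, "sim-swap", t0)
    token = AccessToken(user, bank, "sim-swap", expires_at=t0 + timedelta(hours=1))

    results = {
        "same_app_same_scope": ledger.consent_info(user, bank, "sim-swap"),
        "other_app_same_scope": ledger.consent_info(user, other, "sim-swap"),
        "same_app_other_scope": ledger.consent_info(user, bank, "number-verification"),
        "call_while_active": check_then_call(ledger, token, t0 + timedelta(minutes=5)),
    }
    ledger.revoke(user, bank, "sim-swap", t0 + timedelta(minutes=10))
    later = t0 + timedelta(minutes=15)           # token still unexpired here
    results["call_after_revoke"] = handle_capability_call(ledger, token, later)
    results["sp_check_after_revoke"] = check_then_call(ledger, token, later)
    results["audit_entries"] = len(ledger.audit_trail(user))
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Deriving status from the log rather than flipping a flag on a stored record is what makes the audit trail trustworthy: a revocation never erases the evidence that consent was once given, and the same scan that answers Consent Info also answers "what did this user consent to, and when".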


Summary

Concept           Description
Consent record    A stored record of a user’s authorization for a service provider to access a specific capability
Scope             The specific capability or data type covered by a consent record
Active consent    A consent record that has been granted and not yet revoked
Revocation        The act of withdrawing a previously granted consent; takes effect immediately
Consent Info      The API capability that allows querying whether active consent exists for a user-scope-provider combination