Consent is the user-approved boundary for connected app access.
An app can authenticate a user and still lack permission for profile fields, trust assertions, communication access, or messaging. Consent keeps those decisions visible and revocable.
Consent Requests
A consent request should show:
- app name
- requested scopes
- intended use
- requested account access
- expiration timing where supported
- the action the user is approving
The user can approve or decline the request.
Unsafe, excessive, duplicated, or unsupported requests can be rejected.
Consent States
Consent can appear as:
- requested
- granted
- limited
- expired
- revoked
- denied
The app should check the current state before using a scope.
Expiration
Some permissions can expire.
Expiration can depend on:
- app policy
- user account state
- risk level
- region
- verification status
- Onyx review requirements
When access expires, the app should request renewal only if the user action still requires it.
Revocation
Users can revoke connected app access.
After revocation, the app must stop using the revoked scopes. It should not continue sending messages, reading assertions, or using connected account access after the revocation takes effect.
If the user reconnects later, treat it as a new consent decision.
Permission History
Permission history helps users and partners understand what happened.
History can include:
- when access was requested
- which scopes were granted
- when access expired
- when access was revoked
- which app requested access
Partners should not hide permission changes from users.
Partner Duties
Partners should:
- request access only when needed
- use clear consent copy
- respect denied access
- stop after revocation
- stop after expiration
- handle limited access without breaking the whole flow
Consent is not a one-time checkbox. It is an active account state.
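The state check before scope use, expiration, renewal, revocation, reconnection and permission history described above, as an added Python example that is not part of this page or of the Onyx platform's own code; the record shape, function names, scope strings and timestamps are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

USABLE = {"granted", "limited"}  # the only consent states under which a scope may be used

@dataclass
class Consent:
    """One consent decision for one connected app (hypothetical record shape)."""
    app: str
    state: str
    scopes: frozenset                      # scopes the user actually approved
    expires_at: Optional[datetime] = None  # None when expiry is unsupported
    history: list = field(default_factory=list)  # permission history entries

    def log(self, event: str, **details) -> None:
        self.history.append({"event": event, "app": self.app, **details})

def effective_state(c: Consent, now: datetime) -> str:
    """Resolve a granted/limited consent to 'expired' once its expiry has passed."""
    if c.state in USABLE and c.expires_at is not None and now >= c.expires_at:
        return "expired"
    return c.state

def can_use_scope(c: Consent, scope: str, now: datetime) -> tuple:
    """Check the current state before using a scope; returns (allowed, reason)."""
    state = effective_state(c, now)
    if state not in USABLE:
        return False, state                # requested, denied, revoked or expired
    if scope not in c.scopes:
        return False, "scope not granted"  # limited access: skip this step, keep the flow alive
    return True, state

def should_request_renewal(c: Consent, needed: list, now: datetime) -> bool:
    """Ask for renewal only when access expired AND the current action still needs a scope."""
    return effective_state(c, now) == "expired" and len(needed) > 0

def revoke(c: Consent, now: datetime) -> None:
    """After revocation every scope is gone; the history records when it happened."""
    c.state, c.scopes = "revoked", frozenset()
    c.log("revoked", at=now)

def reconnect(c: Consent, approved: frozenset, now: datetime, ttl: timedelta) -> Consent:
    """Reconnecting is a new consent decision: build a fresh record, never restore old scopes."""
    fresh = Consent(c.app, "granted", approved, now + ttl)
    fresh.log("granted", at=now, scopes=sorted(approved), expires_at=now + ttl)
    return fresh
```

A limited grant returns a reason instead of raising, so a caller can skip the one step it lacks a scope for and keep the rest of the flow working.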

