# Create Consents
source: https://developer.mastercard.com/consent-management/documentation/tutorials/consents-tutorial/create-consents/index.md

The source code for the tutorial is available under [Reference App](https://developer.mastercard.com/consent-management/documentation/reference-app/index.md). Run the tutorial as follows:
* Java
* Python

```java
mvn spring-boot:run
```

```bash
FLASK_APP=main python3 -m flask run
```

When the tutorial app is started it will serve a webpage at `localhost:8080`. This page contains the form to create the consent.

<br />

````html
<html>
    <!-- Select test card -->
<form action="/create-consent" method="POST">
    <select name="pan">
        <option value="2303779951000297">3DS</option>
    </select>
    <input type="submit" value="Start">
</form>
</html>```
````

When the start button is pressed it calls the tutorial `/create-consent` endpoint:
* Java
* Python

```java
// MainController.java

/**
 * Call Consent Management API to create the consents.
 * @param cardDetails
 * @param model
 * @return String
 * @throws ApiException
 */
@PostMapping("/create-consents")
public String createConsents(CardDetails cardDetails, Model model) throws ApiException {
    // Test Card. PAN, come from select on index.html
    cardDetails.cardholderName("Java Smith");
    cardDetails.setExpiryMonth(12);
    cardDetails.setExpiryYear(2025);
    cardDetails.setCvc("123");
    ConsentsCreate request = new ConsentsCreate();
    request.setCardDetails(cardDetails);
    ConsentCreate consent = new ConsentCreate();
    consent.setName("notification");
    request.setConsents(Arrays.asList(consent));
    Consents response = apiService.createConsents(request);
}
```

```python
testCardDetails = {
    "cardholderName": "John Smith",
    "pan": "",
    "expiryMonth": 12,
    "expiryYear": 2025,
    "cvc": '1234'
}

@app.route("/create-consent", methods=['POST'])
def createConsent():
    "When start button is pressed we call API to create consents, they will require authentication "
    print(f'createConsent called, {request.form}')
    testCardDetails["pan"] = request.form["pan"]

    # Call POST /consents to create consents for the test card
    resp = callCreateConsent(testCardDetails)

    # Store the cardReference and authType, we will need it later
    global cardRef, authType
    cardRef = resp["cardReference"]
    authType = resp["auth"]["type"]

    # The authentication type determines what we do next...
    if authType == 'THREEDS':
        # For 3DS we need to do fingerprinting in browser before we can start authentication
        params = resp["auth"]["params"]
        return render_template('fingerprint.html', **params)
    else:
        return render_template('error.html', {errorMessage: "Unknown auth type"})
```

We have a testCard object and we set the PAN provided from the form.
For the sake of simplicity, these card details are global.
We will also also store cardReference and the authentication type as global.

The `POST /createConsents` calls `callCreateConsents` function from ApiService to send a `POST /consents` to the
Consent Management API to create the consents.
Tutorial code is shown below, printing the request and response for your reference.
* Java
* Python

```java
// ApiService.java
@Service
public class ApiService {
  public ApiService(ConsentsApi consentsApi) {
      this.consentsApi = consentsApi;
  }
  public Consents callCreateConsents(ConsentsCreate create) throws ApiException {
      return this.consentsApi.createConsents(create);
  }
}
```

```python
def callCreateConsent(cardDetails):
    "Create consents for a card"
    uri = f'{BASE_URL}/authentication/consents'
    request = {
        "cardDetails": cardDetails,
        "consents": [
            {
                "name": "notification",
                "details": {}
            }
        ]
    }
    return postApiRequest(uri, request)
```

When this API is called, the consents are created, and the Consent Management system
determines if authentication is required.

The response contains the cardReference, which may be new if the card is being seen for
the first time. Otherwise, it may be an existing cardReference if consents have already been granted on this card.
The new consents will have status="REQAUTH" if authentication is required.

If authentication is required, the response contains any parameters required to do
the authentication. For example:

```json
{ 
    "auth": {
        "status": "READY_TO_START",
        "type": "THREEDS",
        "params": { }
    }
}
```

Based on the auth.type return, an HTML page will be displayed to gather browser fingerprint data needed by 3DS. The Consent Management `/start-authentication` API
with that data.

The next steps for authentication are described in the following section.