# Consent Management
source: https://developer.mastercard.com/open-finance-data/documentation/consent-management/index.md

Consent is the foundation that enables Mastercard Open Finance partners to maintain secure access to end-users' financial data while adhering to regulatory requirements and user preferences. Consent Management supports recurring data refreshes, consent lifecycle management, and partner notifications, ensuring both data availability and compliance throughout the consent period.

Depending on the use case, end users may grant either ongoing or one-off consent to access their financial data. For instance, ongoing consent is required for lending or financial management use cases, whereas one-off consent is typically requested for an account opening scenario.

Ongoing consent is valid for a specified duration, for example 12 months. During this time, data will be refreshed at regular intervals, and the user retains the ability to revoke or renew their consent at any point.

In the case of one-off consent, the data is retrieved only once, and the consent automatically expires after a short period, usually within 24 hours.

## Capabilities {#capabilities}

1. Consent Lifecycle Management

Consent Management allows for revocation, expiry, and renewal of consents, enabling compliance with General Data Protection Regulation (GDPR) and Open Finance regulations.

2. Notifications and Webhooks

Partners are notified through webhooks when:

* Data is refreshed.
* A consent or connection expires or is revoked.

## Consent Lifecycle Core Stages {#consent-lifecycle-core-stages}

1. Consent Creation: Client creates a consent with appropriate scopes and identifiers. Users complete the connect flow.
2. Data Collection: System fetches and stores data from the Account Servicing Payment Service Provider (ASPSP).
3. Data Refresh: Scheduled or on-demand refreshes update data (excluding one-off use cases).
4. Consent Expiration: System detects expiration and notifies Client.
5. Consent Renewal: Client initiates a reconnect flow.

#### Consent Renewal (Reconnect Flow) {#consent-renewal-reconnect-flow}

Diagram persistent-consent-flow

For details on how to create the initial consent, refer to the [Account Opening](https://developer.mastercard.com/open-finance-data/documentation/use-cases/account-opening/index.md) documentation.

1. Mastercard initiates scheduled data synchronization.
2. Mastercard fetches updated data from the ASPSP.
3. Mastercard sends a webhook notification to the Client.
4. The Client calls the data API to get updated data.
5. Mastercard initiates the next scheduled data synchronization.
6. Mastercard refreshes the access token with the ASPSP (if needed).
7. Mastercard sends a webhook notification about connection expiration.
8. The Client initiates the reconnect flow.
9. Mastercard creates the reconnect flow and returns the Flow URL.
10. The Client redirects the Payment Service User (PSU) to the consent Flow URL.
11. Mastercard redirects the PSU to their chosen bank.
12. The bank prompts the PSU to authenticate themselves using Strong Customer Authentication (SCA) and authorize data access.
13. The PSU authenticates and authorizes data access.
14. The bank redirects the end user back to Mastercard, where they complete the final steps of the flow to authorize sharing their data with the customer.
15. Mastercard redirects the end user back to the customer's website or app.

## Endpoints used {#endpoints-used}

##### Create Consent {#create-consent}


API Reference: `POST /consents`

* Initiates a new consent for persistent data access
* Requires end-user identifiers (UUID, email or phone for unlicensed partners)

##### Create Reconnect Flow {#create-reconnect-flow}


API Reference: `POST /consents/{consent_id}/managed-flows`

* Initiates a managed flow for renewing expired connections

##### Create Self-Hosted Reconnect Flow {#create-self-hosted-reconnect-flow}


API Reference: `POST /consents/{consent_id}/self-hosted-flows`

* Initiates a self-hosted flow for reconnection

### Webhook Notifications {#webhook-notifications}

* obdata.consent.modified
* obdata.connection.modified
* obdata.transactions.modified
* obdata.connection.expiration_reminder
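
The Client side of the lifecycle above, as an added example (not Mastercard's code): a dispatcher that maps the four webhook events to the next action, ignores redelivered events, and refuses to fetch data or start a reconnect once consent is revoked. The payload fields `id`, `type`, `consent_id` and `status`, the status values, and the action names are assumptions; the page does not show the webhook schema.

```python
# Added example, not Mastercard code. Event names and the reconnect path are from
# the page; payload fields (id, type, consent_id, status) and status values are assumed.
from dataclasses import dataclass, field

RECONNECT_PATH = "/consents/{consent_id}/managed-flows"  # from the page
INACTIVE = {"revoked", "expired"}                        # assumed status values

@dataclass
class ConsentTracker:
    status: dict = field(default_factory=dict)  # consent_id -> last known status
    seen: set = field(default_factory=set)      # delivery ids already handled

    def handle(self, event: dict) -> list:
        """Return the actions the Client should take for one webhook delivery."""
        if event["id"] in self.seen:            # redelivered event: act only once
            return []
        self.seen.add(event["id"])
        cid, kind = event["consent_id"], event["type"]
        if kind == "obdata.consent.modified":
            self.status[cid] = event["status"]
            return [("stop_refresh", cid)] if event["status"] in INACTIVE else []
        if kind in ("obdata.connection.modified",
                    "obdata.connection.expiration_reminder"):
            expiring = (kind.endswith("expiration_reminder")
                        or event.get("status") in INACTIVE)
            # Never start a reconnect for a user who revoked consent.
            if expiring and self.status.get(cid) != "revoked":
                return [("POST", RECONNECT_PATH.format(consent_id=cid))]
            return []
        if kind == "obdata.transactions.modified":
            # Pull data only while the consent is still believed to be active.
            if self.status.get(cid, "active") in INACTIVE:
                return []
            return [("fetch_data", cid)]
        return [("unknown_event", kind)]

# Constructed deliveries: refresh, duplicate, expiry reminder, revocation, late events.
SAMPLE = [
    {"id": "e1", "type": "obdata.transactions.modified", "consent_id": "c-1"},
    {"id": "e1", "type": "obdata.transactions.modified", "consent_id": "c-1"},
    {"id": "e2", "type": "obdata.connection.expiration_reminder", "consent_id": "c-1"},
    {"id": "e3", "type": "obdata.consent.modified", "consent_id": "c-1", "status": "revoked"},
    {"id": "e4", "type": "obdata.transactions.modified", "consent_id": "c-1"},
    {"id": "e5", "type": "obdata.connection.expiration_reminder", "consent_id": "c-1"},
]

def run(events):
    tracker = ConsentTracker()
    return [tracker.handle(e) for e in events]
```

`run(SAMPLE)` returns one action list per delivery; the last two are empty because the consent was revoked before they arrived.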
