Consent Recording
How disclosure acceptance is captured and stored before OAuth onboarding.
How Consent Is Captured
- User reviews disclosures and checks the consent box on the landing page.
- Client calls /api/compliance/consent before OAuth initiation.
- Server records a consent event with policy version, scope, and timestamp.
- OAuth flow starts only after consent capture succeeds.
Recorded Fields
| Field | Description |
|---|---|
| consentId | Unique audit identifier returned to the client. |
| acceptedAt | ISO timestamp for disclosure acceptance. |
| policyVersion | Published policy revision accepted by the user. |
| scope | Connection context, such as gsc-oauth or ga4-oauth. |
| page | Page path where consent was accepted. |
| userAgent | Truncated user-agent string for audit context. |
| ipHash | SHA-256 hash of client IP (raw IP is not stored). |
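
The capture steps and fields above, sketched as a server-side handler plus the gate that OAuth initiation would check. This is an added example, not the product's own code: the function names, the in-memory store, the policy version value, the current-revision check, and the 256-character user-agent limit are assumptions.

```python
import hashlib
import uuid
from datetime import datetime, timezone

CURRENT_POLICY_VERSION = "policy-v1"         # constructed placeholder value
ALLOWED_SCOPES = {"gsc-oauth", "ga4-oauth"}  # the two scopes the page names
USER_AGENT_MAX = 256                         # assumed truncation length
CONSENTS = {}                                # in-memory stand-in for the audit store


def record_consent(accepted, policy_version, scope, page, user_agent, client_ip):
    """Hypothetical body of the /api/compliance/consent handler."""
    if accepted is not True:
        raise ValueError("consent box was not checked")
    # Assumption: only the currently published revision can be accepted.
    if policy_version != CURRENT_POLICY_VERSION:
        raise ValueError("policy revision is not the current one")
    if scope not in ALLOWED_SCOPES:
        raise ValueError("unknown connection scope")
    record = {
        "consentId": str(uuid.uuid4()),
        # Timestamp is taken on the server, never from the request body.
        "acceptedAt": datetime.now(timezone.utc).isoformat(),
        "policyVersion": policy_version,
        "scope": scope,
        "page": page,
        "userAgent": user_agent[:USER_AGENT_MAX],
        # Only the digest is kept; the raw address is discarded here.
        "ipHash": hashlib.sha256(client_ip.encode("ascii")).hexdigest(),
    }
    CONSENTS[record["consentId"]] = record
    return record


def may_start_oauth(consent_id, scope):
    """Gate for the OAuth redirect: a stored, current consent for this scope."""
    record = CONSENTS.get(consent_id)
    return (
        record is not None
        and record["scope"] == scope
        and record["policyVersion"] == CURRENT_POLICY_VERSION
    )
```

A plain SHA-256 of an IPv4 address can be reversed by enumerating the 2^32 possible addresses, so the digest should be handled as pseudonymous rather than anonymous data. A keyed hash with a server-side secret is a common way to close that gap where the audit requirement allows it.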
Review Surfaces
- Human-readable policy pages: Privacy, Security, Data Practices.
- Operational trust page: Trust Center.
- Product transparency pages: Status, Changelog, Methodology, Evidence.