Revocation & Opt-Out

eConsent provides a complete revocation system that allows consumers to withdraw their consent at any time. When a certificate is revoked, all subsequent verification API calls for that certificate return a 403 response indicating the session has opted out.

How revocation works

When a consumer revokes consent:

1. The opt_out.revoke flag is set to true on the certificate record.
2. The change is propagated to both PostgreSQL (primary database) and Elasticsearch (search index).
3. All future verification API calls for that certificate return 403 "This session has opted out".
4. An audit log entry is created recording the revocation.

Note

Revocation is immediate. Once a certificate is revoked, the next verification API call will reflect the opt-out status. There is no delay or propagation window.

Opt-out API

Endpoint

POST https://api.econsent.org/opt-out

Request body

Field	Type	Required	Description
email	string	No*	Consumer’s email address
mobile	string	No*	Consumer’s phone number
certificate_id	string	No*	Specific certificate ID to revoke
company_id	string	Yes	Your company ID

*At least one of email, mobile, or certificate_id must be provided.

Example request

curl -X POST https://api.econsent.org/opt-out \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "mobile": "+1234567890",
    "certificate_id": "EC-session123-base64hash",
    "company_id": "comp-abc"
  }'

Code examples

Node.js

async function revokeConsent(email, mobile, certificateId) {
  const response = await fetch('https://api.econsent.org/opt-out', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      email: email,
      mobile: mobile,
      certificate_id: certificateId,
      company_id: process.env.ECONSENT_COMPANY_ID,
    }),
  });

  return response.json();
}

Python

import os
import requests

def revoke_consent(email=None, mobile=None, certificate_id=None):
    payload = {
        'company_id': os.getenv('ECONSENT_COMPANY_ID'),
    }
    if email:
        payload['email'] = email
    if mobile:
        payload['mobile'] = mobile
    if certificate_id:
        payload['certificate_id'] = certificate_id

    response = requests.post(
        'https://api.econsent.org/opt-out',
        json=payload,
    )
    return response.json()

PHP

<?php
function revokeConsent($email = null, $mobile = null, $certificateId = null) {
    $payload = [
        'company_id' => getenv('ECONSENT_COMPANY_ID'),
    ];
    if ($email) $payload['email'] = $email;
    if ($mobile) $payload['mobile'] = $mobile;
    if ($certificateId) $payload['certificate_id'] = $certificateId;

    $ch = curl_init('https://api.econsent.org/opt-out');
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);

    $response = curl_exec($ch);
    curl_close($ch);

    return json_decode($response, true);
}
?>

Dashboard revocation

Single revocation

1. Navigate to Certificates in your dashboard at app.econsent.org.
2. Find the certificate you want to revoke using search or filters.
3. Click the certificate to open its detail view.
4. Click Revoke and confirm the action.
5. Optionally add a revocation reason or comment for your audit trail.

Bulk revocation

For revoking multiple certificates at once:

1. Navigate to Certificates in your dashboard.
2. Select multiple certificates using the checkboxes.
3. Click Bulk Revoke from the actions menu.
4. Confirm the bulk action.

CSV upload

For large-scale revocations, you can upload a CSV file:

1. Navigate to the revocation section in your dashboard.
2. Click Upload CSV.
3. Upload a CSV file with one or more of the following columns: email, mobile, certificate_id.
4. Review the matched records before confirming.
5. Confirm to process all revocations.

Verification after revocation

After a certificate is revoked, all verification endpoints (/api/verify/match, /api/verify/partial-match, /api/verify/certificate-info) return:

{
  "status": 403,
  "error": "This session has opted out"
}

This applies to both first-party and third-party verification attempts.

Audit logging

Every revocation action is recorded in the audit log with the following information:

Field	Description
Action type	revocation
Timestamp	When the revocation occurred
User	The dashboard user who performed the revocation (or “API” for API-initiated revocations)
Certificate ID	The certificate that was revoked
Reason/comment	Optional reason provided during revocation
Method	Single, bulk, CSV, or API

Access the audit log from Settings > Audit Log in your dashboard.

Caution

Revocations are permanent. Once a certificate is revoked, it cannot be un-revoked. Ensure you have confirmed the correct certificates before processing revocations, especially for bulk and CSV operations.

Next steps

• Verification API. How verification handles revoked certificates
• Consent Certificates. Certificate format and generation
• Retention Management. Retention quotas and settings