Consent List

Overview

The Consent List API allows Financial Information Users (FIUs) to retrieve all consent records associated with a specific customer and product combination. This API provides visibility into the complete consent history, including active, pending, rejected, revoked, and expired consents.

This is the foundational version of the consent listing API that uses mobile number as the primary customer identifier. It returns a flat list of all consents without additional filtering or pagination capabilities, making it ideal for simple consent status checks and historical tracking.

Use this API when you need to:
  • Display all consents to the customer in their account dashboard
  • Check if active consents exist before creating new ones
  • Audit consent history for compliance and record-keeping purposes
  • Verify consent status before initiating data fetch operations

Endpoint

POST {{Base_URL}}/getconsentslist

Authentication

This API requires authentication through the following headers that must be included in every request:

| Header | Type | Required | Description |
| --- | --- | --- | --- |
| Content-Type | string | Yes | Must be set to application/json to indicate the request body format. |
| client_id | string | Yes | Your unique client identifier provided by MoneyOne during FIU onboarding. This credential identifies your organization in the FinPro system. |
| client_secret | string | Yes | Your confidential client secret provided by MoneyOne. This must be kept secure and never exposed in client-side code or public repositories. |
| organisationId | string | Yes | Your organization’s unique identifier in the FinPro system. This is assigned during onboarding and links all API calls to your FIU entity. |
| appIdentifier | string | Yes | Application-specific identifier that helps track which application or service within your organization is making the API call. Useful for multi-application FIU setups. |

Request Body

The request body must be a JSON object containing the following parameters:

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| mobileNumber | string | Yes | The customer’s 10-digit mobile number without country code or special characters. This should be the same mobile number used when creating consent requests. The API validates that this is a valid 10-digit numeric string. |
| productID | string | Yes | The unique identifier of the consent template (product) for which you want to retrieve consents. This filters the consent list to only show consents created using this specific product configuration. Use the same product ID that was used during consent creation. |

Important Notes

  • Mobile Number Format: The mobile number must be exactly 10 digits without any country code, spaces, hyphens, or other special characters. Examples: 9876543210 (correct), +919876543210 (incorrect), 98765-43210 (incorrect).
  • Product Filtering: The API only returns consents associated with the specified productID. If you have multiple products configured, you’ll need to make separate API calls for each product to get a complete view.
  • Historical Data: The API returns all consents regardless of their status, providing a complete historical view of the consent relationship with the customer.

Response

Success Response (200 OK)

When consents are found for the specified mobile number and product ID, the API returns an array of consent objects:
{
  "ver": "1.21.0",
  "status": "success",
  "data": [
    {
      "consentID": "20918495-ea9c-4508-a1b4-93ca1fbfd0f3",
      "consentHandle": "8b5b9333-00df-4b99-99d8-b0918f897e7b",
      "status": "ACTIVE",
      "productID": "TESTWM01",
      "accountID": "test123",
      "aaId": "onemoney-aa",
      "createdOn": "2025-09-15T10:30:00.000Z",
      "modifiedOn": "2025-09-15T11:00:00.000Z",
      "consentStart": "2025-09-15T10:30:00.000Z",
      "consentExpiry": "2026-09-15T10:30:00.000Z",
      "fetchType": "PERIODIC",
      "fiTypes": ["DEPOSIT", "TERM_DEPOSIT"],
      "fipId": "HDFC-FIP",
      "maskedAccountNumber": "XXXXXXXX1234"
    },
    {
      "consentID": "3f2a8c91-2d4e-4b1a-8c6d-1e5f4a7b8c1d",
      "consentHandle": "7a4b8222-11cd-4a88-88d7-a0817e786d6a",
      "status": "REVOKED",
      "productID": "TESTWM01",
      "accountID": "test123",
      "aaId": "onemoney-aa",
      "createdOn": "2025-08-01T09:00:00.000Z",
      "modifiedOn": "2025-09-01T14:30:00.000Z",
      "consentStart": "2025-08-01T09:00:00.000Z",
      "consentExpiry": "2026-08-01T09:00:00.000Z",
      "fetchType": "ONETIME",
      "fiTypes": ["DEPOSIT"],
      "fipId": "ICICI-FIP",
      "maskedAccountNumber": "XXXXXXXX5678"
    }
  ]
}

| Field | Type | Description |
| --- | --- | --- |
| status | string | Overall API call status. Will be success for successful requests. |
| ver | string | The version of the FinPro API that processed this request. Useful for debugging and version tracking. |
| data | array | An array of consent objects. Each object represents one consent record associated with the mobile number and product ID. The array may be empty if no consents exist. |

Each consent object in the data array contains the following fields:

| Field | Type | Description |
| --- | --- | --- |
| consentID | string | The unique consent identifier assigned by the Account Aggregator after the customer approves the consent. This is null for consents that are still pending or were rejected. Use this ID for operations like revocation or data fetching. |
| consentHandle | string | The consent handle that was generated when the consent request was created. This identifies the consent request throughout its lifecycle and is available immediately upon creation. |
| status | string | Current status of the consent. Possible values: PENDING (awaiting customer action), ACTIVE (approved and currently valid), REJECTED (customer declined), REVOKED (customer or FIU cancelled), EXPIRED (validity period ended), PAUSED (temporarily suspended). |
| productID | string | The product/consent template identifier that was used to create this consent. Matches the product ID from your request. |
| accountID | string | The account identifier that was provided when creating the consent request. This helps correlate consents with your internal customer interactions or loan applications. |
| aaId | string | Identifier of the Account Aggregator that processed this consent. Typically onemoney-aa for MoneyOne’s AA service. |
| createdOn | string | ISO 8601 timestamp indicating when the consent request was created in the FinPro system. |
| modifiedOn | string | ISO 8601 timestamp indicating when the consent record was last updated. This changes when status transitions occur (approval, revocation, etc.). |
| consentStart | string | ISO 8601 timestamp indicating when the consent becomes valid and data fetching can begin. Usually matches or is close to the creation time. |
| consentExpiry | string | ISO 8601 timestamp indicating when the consent will automatically expire. After this time, the consent can no longer be used for data fetching. |
| fetchType | string | The type of data fetch allowed by this consent. PERIODIC allows multiple fetches within the validity period. ONETIME allows only a single data fetch, after which the consent becomes unusable. |
| fiTypes | array | Array of Financial Information types that this consent covers. Examples: DEPOSIT, TERM_DEPOSIT, RECURRING_DEPOSIT, SIP, MUTUAL_FUNDS, INSURANCE_POLICIES, etc. |
| fipId | string | The Financial Information Provider (typically a bank or financial institution) identifier for which this consent was approved. |
| maskedAccountNumber | string | The customer’s account number at the FIP, with most digits masked for privacy. Format typically shows last 4 digits: XXXXXXXX1234. |

Empty Result Response

If no consents are found for the specified mobile number and product ID combination:
{
  "ver": "1.21.0",
  "status": "success",
  "data": []
}

Error Response (400 Bad Request)

When the request contains invalid data or fails validation:
{
  "ver": "1.21.0",
  "timestamp": "2025-10-01T11:43:37.741Z",
  "errorCode": "InvalidRequest",
  "errorMsg": " [ mobileNumber must be valid 10 digit ] "
}

| Field | Type | Description |
| --- | --- | --- |
| ver | string | The version of the FinPro API that processed this request. |
| timestamp | string | ISO 8601 formatted timestamp indicating when the error occurred. Useful for debugging and correlating with server logs. |
| errorCode | string | A human-readable error code indicating the category of error. Common values include InvalidRequest, AuthenticationFailed, etc. |
| errorMsg | string | A detailed error message explaining what went wrong. This provides specific information about which field or validation rule caused the failure. |

Common Error Codes

| Error Code | Status Code | Description | Resolution |
| --- | --- | --- | --- |
| InvalidRequest | 400 | The request body contains invalid data or missing required fields. | Verify that both mobileNumber and productID are present and correctly formatted. |
| InvalidMobileNumber | 400 | The mobileNumber is not a valid 10-digit number. | Ensure the mobile number is exactly 10 digits without country code, spaces, or special characters. |
| InvalidProductID | 400 | The specified productID does not exist or is not configured for your organization. | Verify the product ID in the FinPro admin portal and ensure it’s active. |
| AuthenticationFailed | 401 | The provided credentials (client_id, client_secret, organisationId) are invalid or expired. | Verify your credentials in the FinPro admin portal. Ensure you’re using the correct credentials for the environment. |

Example Request

curl --location '{{Base_URL}}/getconsentslist' \
--header 'Content-Type: application/json' \
--header 'client_id: {{Client_Id}}' \
--header 'client_secret: {{Client_Secret}}' \
--header 'organisationId: {{Organisation_Id}}' \
--header 'appIdentifier: {{App_Identifier}}' \
--data '{
    "mobileNumber": "9876543210",
    "productID": "TESTWM01"
}'

Use Cases

Show customers all their consents with different institutions:
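// getConsentsList is assumed to be your own server-side wrapper around
// POST /getconsentslist; it is not defined on this page.
async function loadConsentDashboard(mobileNumber, productID) {
  const response = await getConsentsList(mobileNumber, productID);
  const consents = response.data;

  // Organize by status; every documented status gets a bucket so that
  // no consent is silently dropped from the dashboard
  const organized = {
    active: consents.filter(c => c.status === 'ACTIVE'),
    pending: consents.filter(c => c.status === 'PENDING'),
    rejected: consents.filter(c => c.status === 'REJECTED'),
    revoked: consents.filter(c => c.status === 'REVOKED'),
    expired: consents.filter(c => c.status === 'EXPIRED'),
    paused: consents.filter(c => c.status === 'PAUSED')
  };

  return organized;
}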

Checking for Existing Active Consents

Before creating a new consent, check if one already exists:
def has_active_consent(mobile_number, product_id, fip_id):
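    """Check if customer already has an active consent for a specific FIP"""
    # get_consents_list is assumed to be your own wrapper around
    # POST /getconsentslist; it is not defined on this page.
    response = get_consents_list(mobile_number, product_id)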

    for consent in response['data']:
        if consent['status'] == 'ACTIVE' and consent['fipId'] == fip_id:
            return True, consent['consentID']

    return False, None

# Usage
has_consent, consent_id = has_active_consent('9876543210', 'TESTWM01', 'HDFC-FIP')
if has_consent:
    print(f"Active consent already exists: {consent_id}")
else:
    # Proceed to create new consent
    pass

Generate compliance reports showing consent history:
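// Whole days between two ISO 8601 timestamps
function calculateDaysBetween(startIso, endIso) {
  const msPerDay = 24 * 60 * 60 * 1000;
  return Math.floor((new Date(endIso) - new Date(startIso)) / msPerDay);
}

function generateConsentAuditReport(consents) {
  return consents.map(consent => ({
    consentID: consent.consentID, // null for pending or rejected consents
    status: consent.status,
    fipName: consent.fipId,
    accountNumber: consent.maskedAccountNumber,
    createdDate: new Date(consent.createdOn).toLocaleDateString(),
    expiryDate: new Date(consent.consentExpiry).toLocaleDateString(),
    daysActive: calculateDaysBetween(consent.createdOn, consent.modifiedOn),
    dataTypes: consent.fiTypes.join(', ')
  }));
}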

Best Practices

  1. Cache Consent Lists: The consent list doesn’t change frequently. Cache the results for a reasonable duration (e.g., 5-10 minutes) to reduce API calls.
  2. Status Filtering: After retrieving the list, filter on the client side based on your needs (active consents for data fetching, pending for reminders, etc.).
  3. Combine with Webhooks: Use this API to populate initial state, then rely on webhooks for real-time updates rather than polling repeatedly.
  4. Error Handling: Always check the status field and handle empty arrays gracefully when no consents exist.
  5. Display Masked Data: When showing consent information to customers, use the maskedAccountNumber to protect privacy while allowing customers to identify their accounts.
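
Best practice 4 and the "verify consent status before initiating data fetch operations" use case, as an added example that is not MoneyOne's code: it validates the request fields, rejects error payloads, and keeps only consents that are ACTIVE, have a consentID, and are inside their consentStart/consentExpiry window. The function names and the sample data are assumptions made for this example; the field names and timestamp layout are the ones shown on this page.

```python
import json
import re
from datetime import datetime, timezone

class ConsentListError(Exception):
    """Error payload or unexpected response shape."""

def build_request_body(mobile_number, product_id):
    # [0-9], not \d: in Python \d also matches non-ASCII Unicode digits.
    if not isinstance(mobile_number, str) or not re.fullmatch(r"[0-9]{10}", mobile_number):
        raise ValueError("mobileNumber must be exactly 10 ASCII digits")
    if not isinstance(product_id, str) or not product_id:
        raise ValueError("productID is required")
    return json.dumps({"mobileNumber": mobile_number, "productID": product_id})

def parse_consent_list(body):
    doc = json.loads(body)
    if not isinstance(doc, dict):
        raise ConsentListError("unexpected response shape")
    if "errorCode" in doc:  # error payloads carry errorCode/errorMsg and no data
        raise ConsentListError(f"{doc['errorCode']}: {str(doc.get('errorMsg', '')).strip()}")
    if doc.get("status") != "success" or not isinstance(doc.get("data"), list):
        raise ConsentListError("unexpected response shape")
    return doc["data"]

def _ts(value):
    # Timestamp layout as shown on this page, e.g. 2025-09-15T10:30:00.000Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def fetchable_consents(consents, now):
    """Consents usable for a data fetch at `now`; malformed records are skipped."""
    usable = []
    for c in consents:
        if not isinstance(c, dict) or c.get("status") != "ACTIVE" or not c.get("consentID"):
            continue
        try:
            start, expiry = _ts(c["consentStart"]), _ts(c["consentExpiry"])
        except (KeyError, TypeError, ValueError):
            continue  # fail closed on a missing or unparseable validity window
        if start <= now < expiry:
            usable.append(c)
    return usable

# Constructed sample response (values invented for this example).
SAMPLE = json.dumps({"ver": "1.21.0", "status": "success", "data": [
    {"consentID": "c-1", "status": "ACTIVE", "consentStart": "2025-09-15T10:30:00.000Z", "consentExpiry": "2026-09-15T10:30:00.000Z"},
    {"consentID": "c-2", "status": "ACTIVE", "consentStart": "2024-01-01T00:00:00.000Z", "consentExpiry": "2025-01-01T00:00:00.000Z"},
    {"consentID": "c-3", "status": "REVOKED", "consentStart": "2025-08-01T09:00:00.000Z", "consentExpiry": "2026-08-01T09:00:00.000Z"},
    {"consentID": None, "status": "PENDING", "consentStart": "2025-09-20T09:00:00.000Z", "consentExpiry": "2026-09-20T09:00:00.000Z"},
]})
```

Because `fetchable_consents` evaluates the validity window at call time, it can be re-run on a cached list just before a fetch. A revocation that happened after the list was cached only becomes visible once the list is refreshed or a webhook updates it.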

API Version Comparison

  • V1 (this API): Uses mobile number as identifier. Returns flat list of all consents for the product. No pagination or advanced filtering.
  • V2: Uses flexible party identifiers (mobile, email, PAN). Returns similar flat list with enhanced filtering based on identifier type and account ID.
  • V1 Unique Accounts: Provides deduplicated view with unique accounts per FIP. Supports status filtering and pagination for large result sets.
Choose this API when:
  • You need simple, straightforward consent listing by mobile number
  • Your result sets are small to medium sized
  • You don’t require advanced filtering or pagination
  • You want the most compatible API version with legacy systems