> ## Documentation Index
> Fetch the complete documentation index at: https://developer.moneyone.in/llms.txt
> Use this file to discover all available pages before exploring further.

# Revoke Consent

> Revoke an active consent to immediately terminate data sharing authorization and prevent future data fetches.

## Overview

The Revoke Consent API allows Financial Information Users (FIUs) to programmatically revoke an active consent, immediately terminating the data sharing authorization granted by the customer. Once revoked, the consent can no longer be used to fetch financial information, and any scheduled periodic data fetches will be cancelled.

Consent revocation is a critical component of consent lifecycle management and is required for regulatory compliance under the Account Aggregator framework. This API should be used when:

* The customer explicitly requests to revoke their consent through your application interface
* A loan application is completed or cancelled, and continued data access is no longer needed
* Your business logic determines that data sharing should be terminated (e.g., customer account closure, product expiry)
* You need to comply with data minimization principles by revoking consent as soon as the business purpose is fulfilled

Revocation is an irreversible operation. Once a consent is revoked, it cannot be reactivated. The customer would need to go through the complete consent creation flow again to grant new authorization for data sharing.

## Endpoint

<CodeGroup>
  ```bash Request theme={null}
  POST {{Base_URL}}/revokeconsent
  ```
</CodeGroup>

## Authentication

This API requires authentication through the following headers that must be included in every request:

| Header           | Type   | Required | Description                                                                                                                                                             |
| ---------------- | ------ | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `Content-Type`   | string | Yes      | Must be set to `application/json` to indicate the request body format.                                                                                                  |
| `client_id`      | string | Yes      | Your unique client identifier provided by MoneyOne during FIU onboarding. This credential identifies your organization in the FinPro system.                            |
| `client_secret`  | string | Yes      | Your confidential client secret provided by MoneyOne. This must be kept secure and never exposed in client-side code or public repositories.                            |
| `organisationId` | string | Yes      | Your organization's unique identifier in the FinPro system. This is assigned during onboarding and links all API calls to your FIU entity.                              |
| `appIdentifier`  | string | Yes      | Application-specific identifier that helps track which application or service within your organization is making the API call. Useful for multi-application FIU setups. |

## Request Body

The request body must be a JSON object containing the following parameter:

| Parameter   | Type   | Required | Description                                                                                                                                                                                                                                                                                                  |
| ----------- | ------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `consentID` | string | Yes      | The unique consent identifier that was assigned by the Account Aggregator when the customer approved the consent. This is the `consentID` field returned in consent list APIs or provided in consent approval webhook notifications. This must be an active, valid consent ID to be eligible for revocation. |

### Important Notes

* **Consent ID Format**: The consent ID is a UUID (Universally Unique Identifier) typically in the format `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`. Ensure you're using the correct consent ID and not confusing it with the consent handle.
* **Active Consents Only**: Only consents in `ACTIVE` or `PAUSED` status can be revoked. Attempting to revoke a consent that is already `REVOKED`, `REJECTED`, `EXPIRED`, or `PENDING` will result in an error.
* **Consent Handle vs Consent ID**: Do not confuse the consent handle (created during consent request) with the consent ID (assigned after approval). Only the consent ID can be used for revocation, and it's only available after the customer approves the consent.
* **Irreversible Action**: Revocation cannot be undone. After revoking, you'll need to create a new consent request if data access is needed again.

## Response

### Success Response (200 OK)

When the consent is successfully revoked, the API returns a simple confirmation message:

<CodeGroup>
  ```json Success Response theme={null}
  {
    "ver": "1.21.0",
    "status": "success",
    "message": "Successfully revoked."
  }
  ```
</CodeGroup>

| Field     | Type   | Description                                                                                                                                                      |
| --------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `ver`     | string | The version of the FinPro API that processed this request. Useful for debugging and version tracking.                                                            |
| `status`  | string | Overall API call status. Will be `success` when the revocation was processed successfully.                                                                       |
| `message` | string | A human-readable confirmation message indicating that the consent was successfully revoked. This message can be displayed to users or logged for audit purposes. |

### Post-Revocation Behavior

After successful revocation:

1. **Immediate Effect**: The consent status changes to `REVOKED` immediately. Any in-flight or future data fetch requests using this consent will be rejected.
2. **Webhook Notification**: If you have webhook subscriptions configured for consent revocation events, a webhook notification will be triggered with event type `CONSENT` and event status `CONSENT_REVOKED`.
3. **Data Access Termination**: The FIP will be notified about the revocation, and the customer's data will no longer be accessible through this consent.
4. **Audit Trail**: The revocation event is recorded in the consent audit trail with timestamp and source information for compliance and record-keeping purposes.

### Error Response (400 Bad Request) - Already Revoked

When attempting to revoke a consent that is already in revoked status:

<CodeGroup>
  ```json Already Revoked Error theme={null}
  {
    "ver": "1.21.0",
    "timestamp": "2025-10-01T11:44:44.115Z",
    "errorCode": "InvalidStatus",
    "errorMsg": "Consent ID is already in REVOKED state"
  }
  ```
</CodeGroup>

### Error Response (400 Bad Request) - Invalid Consent ID

When the provided consent ID doesn't exist or is invalid:

<CodeGroup>
  ```json Invalid Consent ID Error theme={null}
  {
    "ver": "1.21.0",
    "timestamp": "2025-10-01T11:45:12.330Z",
    "errorCode": "InvalidRequest",
    "errorMsg": "Invalid consent ID or consent not found"
  }
  ```
</CodeGroup>

### Error Response (400 Bad Request) - Invalid Status

When attempting to revoke a consent in a status that doesn't allow revocation (e.g., PENDING, REJECTED, EXPIRED):

<CodeGroup>
  ```json Invalid Status Error theme={null}
  {
    "ver": "1.21.0",
    "timestamp": "2025-10-01T11:45:30.221Z",
    "errorCode": "InvalidStatus",
    "errorMsg": "Consent cannot be revoked in current status: PENDING"
  }
  ```
</CodeGroup>

| Field       | Type   | Description                                                                                                                                                           |
| ----------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `ver`       | string | The version of the FinPro API that processed this request.                                                                                                            |
| `timestamp` | string | ISO 8601 formatted timestamp indicating when the error occurred. Useful for debugging and correlating with server logs.                                               |
| `errorCode` | string | A human-readable error code indicating the category of error. Common values include `InvalidStatus`, `InvalidRequest`, `AuthenticationFailed`, etc.                   |
| `errorMsg`  | string | A detailed error message explaining what went wrong. This provides specific information about why the revocation failed and what the current state of the consent is. |

## Common Error Codes

| Error Code             | Status Code | Description                                                                                                                                                              | Resolution                                                                                                                                      |
| ---------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------- |
| `InvalidRequest`       | 400         | The request body is malformed, missing the consent ID, or contains an invalid consent ID format.                                                                         | Verify that the `consentID` field is present and contains a valid UUID format. Check that you're using the consent ID (not consent handle).     |
| `InvalidStatus`        | 400         | The consent is not in a status that allows revocation. This occurs when trying to revoke consents that are already `REVOKED`, `REJECTED`, `EXPIRED`, or still `PENDING`. | Check the current consent status using the Consent List APIs before attempting revocation. Only `ACTIVE` and `PAUSED` consents can be revoked.  |
| `ConsentNotFound`      | 404         | The specified consent ID does not exist in the system or does not belong to your organization.                                                                           | Verify that you're using the correct consent ID. Check that the consent belongs to your organization by querying the Consent List APIs first.   |
| `AuthenticationFailed` | 401         | The provided credentials (client\_id, client\_secret, organisationId) are invalid or expired.                                                                            | Verify your credentials in the FinPro admin portal. Ensure you're using the correct credentials for the environment (UAT vs Production).        |
| `UnauthorizedAccess`   | 403         | The consent exists but belongs to a different organization, or you don't have permission to revoke it.                                                                   | Ensure the consent was created by your organization. Verify that your API credentials have the necessary permissions for revocation operations. |

## Example Request

<CodeGroup>
  ```bash cURL theme={null}
  curl --location '{{Base_URL}}/revokeconsent' \
  --header 'Content-Type: application/json' \
  --header 'client_id: {{Client_Id}}' \
  --header 'client_secret: {{Client_Secret}}' \
  --header 'organisationId: {{Organisation_Id}}' \
  --header 'appIdentifier: {{App_Identifier}}' \
  --data '{
      "consentID": "20918495-ea9c-4508-a1b4-93ca1fbfd0f3"
  }'
  ```

  ```javascript JavaScript theme={null}
  async function revokeConsent(consentID) {
    try {
      const response = await fetch('{{Base_URL}}/revokeconsent', {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json',
          'client_id': '{{Client_Id}}',
          'client_secret': '{{Client_Secret}}',
          'organisationId': '{{Organisation_Id}}',
          'appIdentifier': '{{App_Identifier}}'
        },
        body: JSON.stringify({ consentID })
      });

      const data = await response.json();

      if (response.ok) {
        console.log('Consent revoked successfully:', data.message);
        return { success: true, message: data.message };
      } else {
        console.error('Failed to revoke consent:', data.errorMsg);
        return { success: false, error: data.errorMsg, code: data.errorCode };
      }
    } catch (error) {
      console.error('Network error:', error);
      return { success: false, error: error.message };
    }
  }

  // Usage
  const result = await revokeConsent('20918495-ea9c-4508-a1b4-93ca1fbfd0f3');
  if (result.success) {
    // Update UI to reflect revoked status
    console.log('Consent successfully revoked');
  } else {
    // Handle error appropriately
    console.error('Revocation failed:', result.error);
  }
  ```

  ```python Python theme={null}
  import requests

  def revoke_consent(consent_id: str) -> dict:
      """Revoke an active consent"""
      url = "{{Base_URL}}/revokeconsent"
      headers = {
          "Content-Type": "application/json",
          "client_id": "{{Client_Id}}",
          "client_secret": "{{Client_Secret}}",
          "organisationId": "{{Organisation_Id}}",
          "appIdentifier": "{{App_Identifier}}"
      }
      payload = {"consentID": consent_id}

      try:
          response = requests.post(url, json=payload, headers=headers)
          data = response.json()

          if response.status_code == 200:
              return {
                  'success': True,
                  'message': data.get('message', 'Successfully revoked')
              }
          else:
              return {
                  'success': False,
                  'error': data.get('errorMsg', 'Unknown error'),
                  'error_code': data.get('errorCode', 'Unknown')
              }
      except Exception as e:
          return {
              'success': False,
              'error': str(e)
          }

  # Usage
  result = revoke_consent('20918495-ea9c-4508-a1b4-93ca1fbfd0f3')
  if result['success']:
      print(f"Success: {result['message']}")
  else:
      print(f"Error: {result['error']}")
  ```
</CodeGroup>

## Use Cases

### Customer-Initiated Revocation

Allow customers to revoke consents from their account settings:

```javascript theme={null}
class ConsentManager {
  async revokeConsentWithConfirmation(consentID, consentDetails) {
    // Show confirmation dialog to user
    const confirmed = await this.confirmRevocation(consentDetails);

    if (!confirmed) {
      return { cancelled: true };
    }

    // Proceed with revocation
    const result = await revokeConsent(consentID);

    if (result.success) {
      // Log for audit trail
      await this.logRevocation(consentID, 'CUSTOMER_INITIATED');

      // Update UI
      this.updateConsentStatus(consentID, 'REVOKED');

      // Show success message
      this.showNotification('Your consent has been revoked successfully');
    } else {
      // Handle error
      this.showError(`Failed to revoke consent: ${result.error}`);
    }

    return result;
  }

  async confirmRevocation(consentDetails) {
    return window.confirm(
      `Are you sure you want to revoke consent for ${consentDetails.fipName}?\n` +
      `Account: ${consentDetails.maskedAccountNumber}\n` +
      `This action cannot be undone.`
    );
  }
}
```

### Automatic Revocation After Loan Completion

Revoke consents automatically when business purpose is fulfilled:

```python theme={null}
def handle_loan_completion(loan_application_id):
    """Automatically revoke consents when loan is disbursed or rejected"""
    # Get all active consents for this loan application
    account_id = f"LOAN_{loan_application_id}"
    consents = get_consents_v2(
        identifier_type='MOBILE',
        identifier_value=loan_application.customer_mobile,
        product_id='LOAN_UNDERWRITING',
        account_id=account_id
    )

    # Revoke all active consents
    revocation_results = []
    for consent in consents['data']:
        if consent['status'] == 'ACTIVE' and consent['consentID']:
            result = revoke_consent(consent['consentID'])
            revocation_results.append({
                'consent_id': consent['consentID'],
                'fip_id': consent.get('fipId'),
                'result': result
            })

            # Log for compliance audit
            log_consent_revocation(
                loan_application_id=loan_application_id,
                consent_id=consent['consentID'],
                reason='LOAN_COMPLETED',
                success=result['success']
            )

    return revocation_results
```

### Batch Revocation for Expired Products

Revoke consents for products that are no longer active:

```javascript theme={null}
async function bulkRevokeExpiredProductConsents(productID, mobileNumbers) {
  const results = {
    success: [],
    failed: [],
    alreadyRevoked: []
  };

  for (const mobile of mobileNumbers) {
    try {
      // Get consents for this customer and product
      const consents = await getConsentsList(mobile, productID);

      for (const consent of consents.data) {
        if (consent.status === 'ACTIVE' && consent.consentID) {
          const result = await revokeConsent(consent.consentID);

          if (result.success) {
            results.success.push({
              mobile,
              consentID: consent.consentID,
              fipId: consent.fipId
            });
          } else if (result.error.includes('already in REVOKED state')) {
            results.alreadyRevoked.push(consent.consentID);
          } else {
            results.failed.push({
              mobile,
              consentID: consent.consentID,
              error: result.error
            });
          }
        }
      }
    } catch (error) {
      console.error(`Error processing consents for ${mobile}:`, error);
      results.failed.push({ mobile, error: error.message });
    }
  }

  return results;
}
```

### Revocation with Status Verification

Verify consent status before attempting revocation:

```python theme={null}
def safe_revoke_consent(consent_id: str) -> dict:
    """Revoke consent with pre-revocation status check"""
    # First, verify the consent exists and is in revocable status
    # This requires having the customer's mobile and product ID
    # In practice, you'd retrieve this from your database

    try:
        result = revoke_consent(consent_id)

        if result['success']:
            return {
                'status': 'SUCCESS',
                'message': result['message'],
                'consent_id': consent_id
            }
        elif 'already in REVOKED state' in result.get('error', ''):
            return {
                'status': 'ALREADY_REVOKED',
                'message': 'Consent was already revoked',
                'consent_id': consent_id
            }
        else:
            return {
                'status': 'ERROR',
                'error': result['error'],
                'error_code': result.get('error_code'),
                'consent_id': consent_id
            }
    except Exception as e:
        return {
            'status': 'EXCEPTION',
            'error': str(e),
            'consent_id': consent_id
        }
```

## Best Practices

1. **User Confirmation**: Always require explicit user confirmation before revoking consents initiated through customer interfaces. Display relevant consent details (FIP name, account number, data types) in the confirmation dialog.

2. **Audit Logging**: Log all revocation attempts (both successful and failed) with timestamp, reason, and initiating user/system for compliance and debugging purposes.

3. **Status Verification**: Before attempting revocation, verify that the consent is in `ACTIVE` or `PAUSED` status to avoid unnecessary error responses. Use the Consent List APIs to check current status.

4. **Error Handling**: Handle "already revoked" errors gracefully - this is a common scenario when multiple systems or processes might attempt to revoke the same consent.

5. **Webhook Integration**: Configure webhook subscriptions for revocation events so your system can react to revocations initiated by customers through the AA interface or other channels.

6. **Data Cleanup**: After revoking consent, consider triggering data retention policies to delete or archive any financial information that was fetched using the revoked consent, in accordance with your privacy policy.

7. **Customer Communication**: Notify customers when consents are revoked, especially for system-initiated revocations. Include information about why the revocation occurred and how to grant new consent if needed.

8. **Idempotency Consideration**: Implement idempotent revocation logic in your application. If a revocation request fails or times out, it should be safe to retry without causing issues.

## Regulatory Considerations

Consent revocation is a key requirement under the Account Aggregator framework and data protection regulations:

* **Right to Withdraw**: Customers have the right to withdraw consent at any time. Your application must provide easily accessible mechanisms for consent revocation.
* **Immediate Effect**: Revocation must take effect immediately upon processing. Continuing to fetch data after revocation is a regulatory violation.
* **Transparency**: Maintain clear audit trails showing when consents were revoked, by whom, and for what reason.
* **Data Deletion**: Consider implementing automatic data deletion policies triggered by consent revocation to comply with data minimization principles.
* **Customer Access**: Customers should be able to view their revocation history and understand which consents are active vs revoked.

## Integration with Webhooks

When you revoke a consent via this API, your webhook endpoint (if configured) will receive a notification:

<CodeGroup>
  ```json Revoke Webhook theme={null}
  {
    "timestamp": "2025-10-01T12:00:00.000Z",
    "consentHandle": "8b5b9333-00df-4b99-99d8-b0918f897e7b",
    "eventType": "CONSENT",
    "eventStatus": "CONSENT_REVOKED",
    "consentId": "20918495-ea9c-4508-a1b4-93ca1fbfd0f3",
    "vua": "9876543210@onemoney",
    "productID": "TESTWM01",
    "accountID": "test123",
    "revokedBy": "FIU",
    "revocationReason": "API_INITIATED"
  }
  ```
</CodeGroup>

Use this webhook to:

* Update consent status in your database
* Trigger data cleanup processes
* Notify relevant internal systems
* Update customer-facing dashboards in real-time

## Related APIs

* **Consent List APIs**: Use these to retrieve consent IDs before revocation
* **Consent Request APIs**: Create new consents if a revoked consent needs to be replaced
* **Data Management APIs**: Any data fetch operations using revoked consent IDs will fail


## OpenAPI

````yaml POST /revokeconsent
openapi: 3.0.3
info:
  title: FinPro API
  description: MoneyOne FinPro - Account Aggregator FIU Platform APIs
  version: 1.21.0
servers:
  - url: '{baseUrl}'
    description: FinPro API Server
    variables:
      baseUrl:
        default: https://scramblerpay-uat.moneyone.in
        description: API Base URL - change this to your environment
security:
  - clientId: []
    clientSecret: []
    organisationId: []
    appIdentifier: []
paths:
  /revokeconsent:
    post:
      tags:
        - Consent Management
      summary: Revoke Consent
      description: >-
        Revoke an active consent to immediately terminate data sharing
        authorization and prevent future data fetches. Once revoked, the consent
        cannot be reactivated and the customer would need to go through the
        complete consent creation flow again to grant new authorization. Only
        consents in ACTIVE or PAUSED status can be revoked. Revocation is an
        irreversible operation.
      operationId: revokeConsent
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RevokeConsentRequest'
            example:
              consentID: 20918495-ea9c-4508-a1b4-93ca1fbfd0f3
      responses:
        '200':
          description: Consent revoked successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RevokeConsentSuccessResponse'
              example:
                ver: 1.21.0
                status: success
                message: Successfully revoked.
        '400':
          description: >-
            Bad Request - Invalid consent ID, consent already revoked, or
            consent in non-revocable status
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                alreadyRevoked:
                  summary: Consent already revoked
                  value:
                    ver: 1.21.0
                    timestamp: '2025-10-01T11:44:44.115Z'
                    errorCode: InvalidStatus
                    errorMsg: Consent ID is already in REVOKED state
                invalidConsentId:
                  summary: Invalid or not found consent ID
                  value:
                    ver: 1.21.0
                    timestamp: '2025-10-01T11:45:12.330Z'
                    errorCode: InvalidRequest
                    errorMsg: Invalid consent ID or consent not found
                invalidStatus:
                  summary: Consent in non-revocable status
                  value:
                    ver: 1.21.0
                    timestamp: '2025-10-01T11:45:30.221Z'
                    errorCode: InvalidStatus
                    errorMsg: 'Consent cannot be revoked in current status: PENDING'
        '401':
          description: Authentication Failed - Invalid credentials
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '403':
          description: >-
            Unauthorized Access - Consent belongs to a different organization or
            you don't have permission to revoke it
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '404':
          description: >-
            Consent Not Found - The specified consent ID does not exist in the
            system or does not belong to your organization
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
      security:
        - clientId: []
          clientSecret: []
          organisationId: []
          appIdentifier: []
components:
  schemas:
    RevokeConsentRequest:
      type: object
      required:
        - consentID
      properties:
        consentID:
          type: string
          format: uuid
          description: >-
            The unique consent identifier that was assigned by the Account
            Aggregator when the customer approved the consent. This is the
            consentID field returned in consent list APIs or provided in consent
            approval webhook notifications. Must be an active, valid consent ID
            to be eligible for revocation. Only consents in ACTIVE or PAUSED
            status can be revoked.
    RevokeConsentSuccessResponse:
      type: object
      properties:
        ver:
          type: string
          description: >-
            The version of the FinPro API that processed this request. Useful
            for debugging and version tracking.
        status:
          type: string
          description: >-
            Overall API call status. Will be 'success' when the revocation was
            processed successfully.
        message:
          type: string
          description: >-
            A human-readable confirmation message indicating that the consent
            was successfully revoked. This message can be displayed to users or
            logged for audit purposes.
    ErrorResponse:
      type: object
      properties:
        ver:
          type: string
          description: API version
        timestamp:
          type: string
          format: date-time
          description: When the error occurred
        errorCode:
          type: string
          description: Error category code
        errorMsg:
          type: string
          description: Detailed error message
        status:
          type: string
          description: FinPro-specific error code (FPxxxx format)
  securitySchemes:
    clientId:
      type: apiKey
      in: header
      name: client_id
      description: Your unique client identifier provided by MoneyOne during FIU onboarding
    clientSecret:
      type: apiKey
      in: header
      name: client_secret
      description: Your confidential client secret provided by MoneyOne
    organisationId:
      type: apiKey
      in: header
      name: organisationId
      description: Your organization's unique identifier in the FinPro system
    appIdentifier:
      type: apiKey
      in: header
      name: appIdentifier
      description: Application-specific identifier for tracking API calls

````