What is the difference between consent and authorization?

Authorization determines whether a request is technically permitted (valid token, correct scopes). Consent determines whether the data owner has agreed to the specific data sharing. A request can be authorized but not consented—the agent has valid credentials but the data owner hasn't approved the sharing. Both must be satisfied for data access.

How granular can consent scopes be?

Consent scopes map directly to your data model, so granularity matches your schema. You can define scopes at the table level ("transactions"), column level ("transaction_amount"), or even row level ("transactions where category=groceries"). Most implementations use column-level granularity.

How do on-behalf-of consent flows work?

An agent can request consent delegation from another agent that already holds consent. The delegating agent specifies which subset of its scopes to delegate and the purpose limitation. The delegation is recorded as a chain, and the delegated consent cannot exceed the parent consent's scope or duration.

How does consent renewal work for autonomous agents?

Trusted agents (based on registry tier) can be configured for auto-renewal: when consent nears expiry, a renewal event is triggered and automatically approved based on pre-configured rules. Untrusted agents trigger a renewal request that requires human approval through the consent dashboard.

Is the consent system GDPR-compatible?

Yes. The consent system supports GDPR requirements including: specific purpose limitation, data minimization through field-level scoping, right to withdrawal (instant revocation), records of processing activities (audit trail), and data portability (consent export). Consent records include all GDPR-required metadata.

How does consent work in multi-agent workflows?

Multi-agent workflows use delegation chains. The primary agent holds direct consent from the data owner and delegates subsets to collaborating agents. Each agent in the chain receives a consent token that encodes its specific scope, purpose, and the delegation path. Revoking any link in the chain cascades to all downstream agents.

Can consent be partially revoked?

Yes. Data owners can revoke individual scopes within a consent record without revoking the entire consent. For example, a data owner might revoke access to transaction data while maintaining access to account balance data. Partial revocation takes effect immediately.

What happens when an agent accesses data outside its consented purpose?

The data API rejects the request and logs a policy violation event. Repeated violations trigger automated alerts and can result in temporary access suspension or tier demotion in the Agent Registry. The violation audit trail is available for compliance reporting.

AI Agents

Consent Management

Data Provider

AI Agent Consent Management for Data Sharing

Traditional consent flows were designed for humans: click a checkbox, read a privacy policy, press accept. AI agents don't click checkboxes. They need programmatic consent—machine-readable permissions that define exactly what data they can access, for what purpose, and for how long. Fiskil's consent management system is built for this reality.

Human Consent Flows Don't Work for Machines

Traditional consent mechanisms were designed for human interaction. When autonomous AI agents need data access, browser-based flows, all-or-nothing permissions, and manual renewal processes break down completely.

—
Browser-based consent flows don't work for machine-to-machine data access
—
Human consent granularity (all-or-nothing) is too coarse for targeted agent access
—
No standard for purpose limitation in agent-to-agent or agent-to-API contexts
—
Consent renewal requires human intervention that autonomous agents cannot provide
—
On-behalf-of consent delegation lacks audit trails and revocation chains

Programmatic Consent for the Agentic Economy

A consent API designed from the ground up for machine-to-machine interactions. Field-level granularity, purpose limitation, time-bounded access windows, and automated lifecycle management—all through machine-readable consent tokens.

Capabilities

Key Capabilities

Programmatic Consent API

A REST API for creating, querying, and managing consent records. Agents request consent programmatically, specifying scopes, purposes, and duration. Human data owners approve through a parallel notification flow or pre-configured rules.

Field-Level Granularity

Consent scopes map to individual fields in your data model. An agent can be granted access to account balances but not transaction details, or to aggregate statistics but not individual records. Every field is independently controllable.

Purpose Limitation Enforcement

Each consent record specifies the permitted purpose (analytics, advisory, processing, risk assessment). The data API validates that each request matches the stated purpose, rejecting requests that attempt to use data outside the consented purpose.

Automated Consent Lifecycle

Time-bounded consent with configurable expiry, automated renewal for trusted agents, and cascading revocation across delegation chains. No manual intervention needed for routine consent management.

Implementation

Implementation Guide

Implementing programmatic consent typically takes 1–3 weeks depending on the complexity of your data model and the number of consent scopes needed.

Define Consent Scopes

Map your data model to consent scopes. Each scope represents a logical grouping of fields that are typically consented together. Define scope hierarchies (e.g., "financial:transactions" is a subset of "financial") for efficient consent management.

Configure Purpose Categories

Define the purpose categories that agents can request: analytics, advisory, processing, risk assessment, reporting, and any custom categories specific to your domain. Each purpose maps to allowed operations and retention periods.

Set Time Limits and Renewal Policies

Configure default and maximum time limits for each scope-purpose combination. Set up automated renewal policies for trusted agents (based on registry tier) and define the renewal notification workflow for cases requiring human approval.

Enable Audit Logging

Configure comprehensive audit logging for all consent events: creation, modification, access, renewal, and revocation. Set up real-time event streaming for compliance dashboards and incident response workflows.

Features

Key Features

Machine-Readable Consent Tokens

JWT-based consent tokens that encode scope, purpose, time limits, and delegation information. Agents present consent tokens with data requests, enabling stateless consent verification at the API gateway layer.

Field-Level Access Control

Data responses are automatically filtered based on consented fields. Agents only receive the specific data elements they have consent to access, with non-consented fields redacted or omitted entirely.

Purpose-Bound Permissions

Consent records bind data access to a specific purpose. The system tracks data lineage to ensure that data accessed for "analytics" is not repurposed for "marketing" without separate consent.

Time-Bounded Access Windows

Consent automatically expires after the configured time window. Agents receive warnings before expiry and can request renewal through the consent API. Expired consent immediately blocks data access.

Delegation Chains

Support for multi-level consent delegation where Agent A delegates a subset of its consent to Agent B. The full delegation chain is recorded, and revoking consent at any level cascades to all downstream delegates.

Consent Analytics Dashboard

Visualize consent patterns across your data ecosystem. Track which scopes are most requested, which purposes dominate, how often consent is renewed vs revoked, and identify unusual consent patterns that may indicate misuse.

"Partnering with Fiskil on our open data needs has been a game-changer for us in delivering and maintaining our data holder solution."

Fahad Liaqat at Pacific Blue

Executive Manager Operations and New Markets

FAQs

Explore More Use Cases

AI Data Access

Auth0 Integration

Combine Auth0 identity management with Fiskil Data Provider for enterprise-grade AI data sharing. FAPI 2.0 security, consent management, and audit trails on top of your existing Auth0 infrastructure.

AI Agents

Agent Registry

Register, verify, and manage AI agents accessing your enterprise data. Fiskil's Agent Registry provides identity verification, risk scoring, certification tracking, and access tier management for the agentic AI economy.

Open Banking

Compliance Automation

Automate ongoing open banking compliance with regulatory reporting, audit trail management, standard auto-updates, and compliance dashboard. Significantly reduce compliance costs with Fiskil Data Provider.

Get started today

Talk to us about what you're building and we'll show you how we can help.

Speak with a Fiskil integration expert today

Loading Contact Form...