Written by Sumeshwar Pandey

Consent Token vs JWT: Designing Permission-Aware Systems

How Indian B2B engineering teams can layer consent tokens on top of JWT-based identity to enforce DPDP Act purposes, revocation, and auditability.
Key takeaways
  • JWTs are standardized containers for signed claims, but they do not by themselves model consent or DPDP obligations; consent needs its own lifecycle and semantics.
  • Treating consent tokens as first-class artifacts that reference durable consent records enables independent revocation, purpose limitation, and stronger audit trails.
  • Separating authentication (identity), authorization (actions), and consent (legal basis) reduces coupling and makes DPDP-driven changes easier to implement across services.
  • Long-lived JWTs with embedded consent flags tend to create stale-permission and audit gaps; short-lived tokens plus a central consent ledger mitigate many of these failure modes.
  • A validation matrix, integration checklist, and targeted failure tests give technical evaluators concrete tools to assess in-house consent-token designs and external consent platforms.

Why consent tokens are being discussed alongside JWTs in India

Consider a common pattern in Indian B2B SaaS today. Your platform already uses OAuth 2.0 with JWT access tokens for login and API authorization. Enterprise customers authenticate via SSO, the gateway checks scopes, and microservices trust the signed JWT. Then your customer’s DPO, preparing for a DPDP Act audit, asks a pointed question: for each API call that moved personal data, can you show which data principal consented, for which purpose, when, and how withdrawal would have stopped that call? At that moment, a boolean marketing_opt_in flag in a profile table and a generic "scope: read:profile" claim in a JWT stop looking adequate.
The DPDP Act expects data fiduciaries to obtain consent that is free, informed, specific, and unambiguous, and to respect rights such as withdrawal. Even when your organisation is acting primarily as a data processor to enterprise clients, you are the one running the software that actually moves data. Regulators and large customers will increasingly expect that you can show, in a machine-verifiable way, that each processing activity was linked to a valid consent (or another lawful ground) and that revocations propagate through your stack.[3]
Most existing token designs in Indian B2B systems were built for two questions: "Who is this actor?" and "What can they do in the application?" Those map cleanly to authentication and authorization. DPDP adds a third question that is different in nature: "Are we allowed to process this specific piece of data for this specific purpose at this time?" That is a consent question, and its lifecycle often cuts across products, tenants, and processors.
Once teams recognise that distinction, they start asking whether they can simply stuff more consent-related claims into existing JWTs, or whether consent needs its own artifact: a consent token that points to a durable consent record. The JWT vs consent-token discussion in India is really about that design choice: overload an identity and authorization token with legal semantics, or introduce a dedicated, independently revocable representation of consent that your systems can enforce and audit.

Conceptual model: JWTs, consent tokens, and DPDP constructs

JWTs, as defined in the JSON Web Token specification, are a compact way to represent claims between parties. A JWT has a header (algorithm and type), a payload (a JSON object of claims), and a signature or MAC. Typical registered claims include iss (issuer), sub (subject), aud (audience), exp (expiry), nbf (not before), iat (issued at), and jti (token identifier). The standard specifies syntax and validation rules for the token itself, but it does not prescribe what your application-specific claims mean, how long tokens should live, or how you should model consent. Those semantics are left entirely to implementers.[1]
In most architectures, JWTs are used in two main roles. Identity tokens assert who the user is and are consumed by the client or relying party. Access tokens express what the client can do against an API, often via scopes, roles, or permissions encoded as claims. Both are about system behaviour: allowed operations, resources, and sessions. Neither, by default, encodes the legal basis for processing under a data protection law.[2]
A consent token, in contrast, is not a separate internet standard but a design pattern. It is a structured artifact that represents the state of a particular consent decision: which data principal, under which data fiduciary, for which purposes, over which categories of data, with what status (granted, withdrawn, expired), and with links back to the notice that was shown. The full details typically live in a consent record or consent receipt stored in a database or ledger; the consent token is a compact, signed or otherwise verifiable reference to that record, optimized for machines to pass around and check quickly.[5]
Under the DPDP Act, for processing that is based on consent rather than other grounds, the data fiduciary should be able to evidence the notice that was given, the purposes for which data was collected and processed, and any withdrawal or modification. In technical terms, that means being able to map from a concrete processing event, such as an API call loading health records into an analytics pipeline, back to a specific consent record with a clear purpose code, timestamps, and provenance. JWTs answer "who" and "what"; consent tokens and their backing records answer "under what lawful basis and purpose".[3]
It is useful to keep three layers conceptually separate even if they are all implemented with JWTs under the hood. Authentication verifies identity, typically via an IdP that issues an ID token. Authorization determines which application actions an actor can perform, usually via access tokens with scopes or roles. Consent expresses whether a particular processing of personal data is legally permitted for a given purpose, which is where consent tokens, consent receipts, and consent ledgers come in. Your architecture works better when each layer has its own lifecycle, issuers, and revocation rules, even if they share technical plumbing.
Summary of how JWTs and consent tokens map to technical and DPDP concepts.[1]
  • Primary focus
    JWT: Transmits claims about identity, sessions, or authorization between parties in a compact, signed JSON structure.
    Consent token pattern: Represents the state of a specific consent decision and links to a durable consent record or receipt.
    DPDP relevance: Helps demonstrate which consent decision applies to a processing event, not just who acted or which role they had.
  • Standardisation
    JWT: Defined by a formal internet standard that specifies token structure and validation rules.
    Consent token pattern: No standalone standard; implemented as an application-specific token or identifier issued by a consent service.
    DPDP relevance: Gives data fiduciaries and processors flexibility but also puts responsibility on them to define consent semantics and governance.
  • Lifecycle and revocation
    JWT: Token lifetime and revocation are implementation choices; many systems use short-lived tokens plus refresh mechanisms.
    Consent token pattern: Tied to the lifecycle of the underlying consent record (grant, update, withdrawal, expiry), often with independent status fields.
    DPDP relevance: Supports DPDP expectations that withdrawal stops further processing, without forcing a login session to end at the same time.
  • Where state lives
    JWT: Claims are carried inside the token; backing state may or may not be stored server-side depending on design.
    Consent token pattern: Token usually carries a compact view or identifier; authoritative state is in a consent ledger or database row per consent decision.
    DPDP relevance: A consent ledger or equivalent store becomes a system of record for notice, purpose, and withdrawal history relevant to DPDP audits.
  • Typical usage in architecture
    JWT: Used by identity providers and API gateways to authenticate actors and check scopes or roles when handling requests.
    Consent token pattern: Used by gateways and services to determine whether a specific processing purpose is covered by valid consent at request or job time.
    DPDP relevance: Helps link each data processing event back to the lawful basis and purpose that justified it under the DPDP Act.

Architectural patterns for permission-aware systems

A common Indian B2B architecture for DPDP-sensitive workloads has five building blocks: an identity provider that issues JWTs for login, an API gateway or service mesh that enforces authentication and coarse authorization, a consent management component that stores consent records and may issue consent tokens, microservices that implement business logic, and data stores and analytics pipelines that hold or process personal data. The question is where and how to wire consent checks into this flow so that every sensitive operation can be traced back to a consent record or other lawful basis.
One practical pattern is to make the API gateway the primary enforcement point for consent. The gateway already terminates TLS, validates JWT signatures, and matches routes. You extend it to also look up the "purpose" of each route or operation, such as primary treatment, credit underwriting, marketing outreach, or research analytics. For each incoming request, the gateway observes the access JWT (for subject, tenant, and client), any consent token or consent reference passed by the client, and static configuration for the route’s purpose. It then contacts a consent service or inspects embedded consent claims, decides whether consent or another lawful basis covers this purpose, attaches consent metadata to the request headers for downstream services, and records a decision log entry with correlation IDs so you can later reconstruct what happened.
API gateway consent enforcement flow
def authorize_request(request):
    # Verify the access JWT (signature, issuer, audience, expiry) before trusting any claim.
    bearer = request.headers['Authorization'].removeprefix('Bearer ')
    access_token = parse_and_verify_jwt(bearer)
    subject_id   = access_token['sub']
    tenant_id    = access_token['tenant']
    # The route's purpose comes from static configuration, never from the client.
    purpose_code = route_config[request.path].purpose

    # Retrieve consent status, using either a consent token from the client
    # or a lookup in the consent ledger.
    consent_ref  = request.headers.get('X-Consent-Ref')
    consent_info = consent_service.check(subject_id, tenant_id, purpose_code, consent_ref)

    decision = evaluate(access_token, consent_info, purpose_code)

    # Log every decision, allow or deny, with correlation identifiers.
    audit_log.write({
        'subject': subject_id,
        'tenant': tenant_id,
        'purpose': purpose_code,
        'consent_id': consent_info.id if consent_info else None,
        'decision': decision.outcome,
        'reason': decision.reason,
        'request_id': request.id,
        'timestamp': now()
    })

    if decision.outcome == 'deny':
        return http_403()

    # Propagate consent metadata downstream for fine-grained checks.
    # consent_info can be absent when the route relies on another lawful basis.
    if consent_info:
        request.headers['X-Consent-Id'] = consent_info.id
    request.headers['X-Consent-Purpose'] = purpose_code
    return forward_to_backend(request)
This control flow shows the gateway verifying the access JWT, resolving the relevant purpose for the route, checking consent via a consent service or reference, logging the decision with correlation identifiers, and forwarding the request with consent metadata attached when allowed.
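A runnable version of that gateway flow, added here as an example and not code from the article: it verifies an HS256 access JWT (scheme, alg, MAC and exp), resolves the route's purpose from static configuration, checks an in-memory stand-in for the consent ledger, logs every decision with subject, tenant, purpose and either a consent_id or a lawful-basis marker, and fails closed for consent-based purposes while the ledger is unreachable. The signing key, route table, subject and consent ids are constructed for the demo; the lawful_basis field on routes and the X-Lawful-Basis header are assumptions of this example, and run_demo walks a marketing route through grant, withdrawal and an outage while the JWT stays valid the whole time.

```python
import base64, hashlib, hmac, json

# Constructed example: key, routes, subject and consent ids are invented; ROUTE_CONFIG's lawful_basis field is an assumption.
SECRET = b"example-hs256-key-not-for-production"
ROUTE_CONFIG = {"/v1/reports": {"purpose": "PRIMARY_TREATMENT", "lawful_basis": "contract"},
                "/v1/campaigns/send": {"purpose": "MARKETING_OUTREACH", "lawful_basis": "consent"}}

def _b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64e(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jwt(claims, key=SECRET):
    # Minimal HS256 signer, used here only to build the demo's test tokens.
    header = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64e(sig)}"

def parse_and_verify_jwt(auth_header, now, key=SECRET):
    # Scheme, alg, MAC and exp are all checked before any claim is trusted.
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        raise ValueError("malformed Authorization header")
    header, payload, sig = token.split(".")
    if json.loads(_b64d(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64d(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

class ConsentLedger:
    # In-memory stand-in for the consent system of record.
    def __init__(self):
        self.records, self.available = {}, True

    def grant(self, cid, subject, tenant, purposes):
        self.records[cid] = {"id": cid, "subject": subject, "tenant": tenant, "purposes": set(purposes), "status": "granted"}

    def withdraw(self, cid):
        self.records[cid]["status"] = "withdrawn"

    def check(self, subject, tenant, purpose, consent_ref=None):
        if not self.available:
            raise ConnectionError("consent ledger unreachable")
        # A client-supplied reference narrows the search; it never widens what was granted.
        candidates = [self.records[consent_ref]] if consent_ref in self.records else list(self.records.values())
        for rec in candidates:
            if (rec["subject"], rec["tenant"], rec["status"]) == (subject, tenant, "granted") and purpose in rec["purposes"]:
                return rec
        return None

class Gateway:
    def __init__(self, ledger):
        self.ledger, self.audit_log = ledger, []

    def authorize_request(self, path, headers, request_id, now):
        try:
            claims = parse_and_verify_jwt(headers.get("Authorization", ""), now)
        except ValueError as err:
            return {"status": 401, "reason": str(err)}  # not authenticated; no consent decision is made
        route = ROUTE_CONFIG[path]
        ctx = {"subject": claims["sub"], "tenant": claims["tenant"], "purpose": route["purpose"], "request_id": request_id, "timestamp": now}
        if route["lawful_basis"] != "consent":
            return self._finish(ctx, headers, "allow", f"lawful_basis:{route['lawful_basis']}")
        try:
            consent = self.ledger.check(ctx["subject"], ctx["tenant"], ctx["purpose"], headers.get("X-Consent-Ref"))
        except ConnectionError:
            # Fail closed: consent-based purposes are denied while the ledger is unreachable.
            return self._finish(ctx, headers, "deny", "consent_service_unavailable")
        if consent is None:
            return self._finish(ctx, headers, "deny", "no_valid_consent")
        return self._finish(ctx, headers, "allow", "consent", consent)

    def _finish(self, ctx, headers, outcome, reason, consent=None):
        # Every decision is logged with subject, tenant, purpose and a consent_id or lawful-basis marker.
        self.audit_log.append({**ctx, "consent_id": consent["id"] if consent else None, "decision": outcome, "reason": reason})
        if outcome == "deny":
            return {"status": 403, "reason": reason}
        forwarded = dict(headers, **{"X-Consent-Purpose": ctx["purpose"]})
        forwarded["X-Consent-Id" if consent else "X-Lawful-Basis"] = consent["id"] if consent else reason
        return {"status": 200, "headers": forwarded}

def run_demo():
    ledger = ConsentLedger()
    ledger.grant("C1", "user-42", "tenant-a", ["MARKETING_OUTREACH"])
    gw, now = Gateway(ledger), 1_700_000_000
    token = make_jwt({"sub": "user-42", "tenant": "tenant-a", "exp": now + 3600})
    hdrs = {"Authorization": f"Bearer {token}", "X-Consent-Ref": "C1"}
    before = gw.authorize_request("/v1/campaigns/send", hdrs, "r1", now)["status"]
    ledger.withdraw("C1")
    after = gw.authorize_request("/v1/campaigns/send", hdrs, "r2", now + 300)["status"]
    ledger.available = False
    outage_consent = gw.authorize_request("/v1/campaigns/send", hdrs, "r3", now + 600)["status"]
    outage_contract = gw.authorize_request("/v1/reports", hdrs, "r4", now + 600)["status"]
    return before, after, outage_consent, outage_contract, gw.audit_log
```

run_demo returns (200, 403, 403, 200) followed by the four audit entries: the withdrawal is honoured on the next call even though the JWT has 55 minutes left, the outage denies the marketing route but leaves the contract-based route running, and every entry can be tied back to a consent_id or lawful-basis marker.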
Some organisations also perform consent checks inside individual services, especially where multiple datasets and purposes are mixed in a single call or where long-running workflows are involved. In that model, the service receives consent metadata from the gateway but still consults the consent ledger before high-risk operations such as exporting full transaction histories or sharing health records with external processors. The trade-off is complexity: pushing consent logic into many services increases the risk of inconsistent behaviour, so teams often standardise a shared consent-checking library and enforce that every service logs subject, purpose, consent identifier, and decision outcome as part of a common audit scheme.

Designing consent tokens on top of JWT-based identity

Once you have a clear separation between JWT-based identity and a consent ledger, the next design choice is how to represent consent in tokens that traverse your system. A first option is to embed consent directly into access JWTs: for example, a consent_claims object listing granted purposes, processing contexts, or flags such as marketing=true. This is straightforward to implement because your IdP or auth server already issues JWTs, and downstream services can read the claims without another network hop. However, it couples consent state tightly to token lifetime. If the JWT is valid for an hour and a data principal withdraws consent five minutes after login, all existing tokens remain technically valid, and your services will keep seeing consent=true unless you maintain a token revocation list and check it on every call. In practice many systems do not, which creates stale-consent risk.
A second option is to treat consent tokens as separate artifacts, issued by a consent service that also functions as the system of record. In this pattern, when a data principal grants consent through a UI, your consent service creates a durable consent record with a unique consent_id, purpose codes, timestamps, and references to the notice. It may then issue a compact consent token that contains fields such as consent_id, subject_id, tenant_id, allowed_purposes, status, and expiry, signed by the consent service. Access tokens carry only a reference, such as consent_ids=[...], or the client sends the consent token explicitly on each request. API gateways and services validate the consent token’s signature and status or introspect consent_id against the ledger on each call. Revocation becomes straightforward: you mark the consent record as withdrawn, and any further call using that consent_id will fail the check even if the user’s login session is still valid.
A hybrid design is often attractive in high-traffic Indian B2B environments. In this approach, the consent ledger remains the source of truth, but the system issues short-lived access JWTs that contain a snapshot of consent status for specific purposes. The snapshot might say that, for the next few minutes, purposes P1 and P2 are allowed under consent_ids C1 and C2. Gateways or services trust this snapshot within its short lifetime to avoid constant calls to the consent ledger, but they also hold the ability to refresh or re-check for sensitive operations, policy changes, or when revocation events are pushed on a message bus. This balances latency and resilience against the risk of stale consent data.
These patterns fail in different ways if implemented carelessly. Long-lived JWTs with embedded consent flags can continue to authorise processing after withdrawal; the only mitigation is aggressive token expiry and, where necessary, token revocation mechanisms at the gateway. Designs that rely on a consent ledger but forget to include consent_id or purpose metadata in logs leave you with no way to prove which consent applied to a historic event. Inconsistent purpose vocabularies across services lead to a situation where the consent record says "ANALYTICS_SECONDARY" but an ETL job treats the same operation as "RESEARCH_EXPORT", effectively bypassing purpose limitation. Outage handling is another common failure mode: if the consent service is unavailable and the gateway silently falls back to "allow if authenticated", you have lost your DPDP control surface.
Mitigations follow from treating consent as a first-class, centrally controlled concern. Maintain a canonical purpose catalogue that both consent records and APIs reference. Ensure every request that touches personal data carries a consent identifier or lawful-basis marker, and that this identifier is logged consistently. Design explicit fallback behaviour for consent-service outages: for example, fail closed for optional and secondary processing such as marketing and research, while using documented DPDP exemptions for life-and-death emergencies with extra audit logging. Keep access JWT lifetimes short enough that embedded consent snapshots age out quickly, and prefer references to a ledger over copying full consent semantics into many tokens.
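To make the three token designs and their stale-consent behaviour concrete, here is an added example (not code from the article) that builds one access-token payload carrying consent in all three styles, then checks the same purpose before and after a withdrawal. Signatures are omitted because the point is claim freshness rather than verification. The ledger, subject, consent id, purpose, timestamps and the 120-second snapshot TTL are constructed for the demo, and the revoked_events parameter stands in for revocation events received from a message bus.

```python
# Constructed example: consent ids, purposes and timestamps are invented; SNAPSHOT_TTL is an assumption.
SNAPSHOT_TTL = 120  # seconds a consent snapshot carried inside an access token is trusted


class ConsentLedger:
    # In-memory consent system of record; the real one is a database or ledger.
    def __init__(self):
        self.records = {}

    def grant(self, consent_id, subject, purposes, at):
        self.records[consent_id] = {"subject": subject, "purposes": set(purposes), "status": "granted", "updated_at": at}

    def withdraw(self, consent_id, at):
        self.records[consent_id].update(status="withdrawn", updated_at=at)

    def allows(self, consent_id, subject, purpose):
        rec = self.records.get(consent_id)
        return bool(rec and rec["subject"] == subject and rec["status"] == "granted" and purpose in rec["purposes"])


def issue_access_claims(ledger, subject, consent_ids, issued_at, ttl=3600):
    # Payload of an access token (signature omitted) carrying consent in all three styles at once,
    # so the same token can be checked three different ways below.
    snapshot = {cid: sorted(ledger.records[cid]["purposes"]) for cid in consent_ids
                if ledger.records[cid]["subject"] == subject and ledger.records[cid]["status"] == "granted"}
    return {
        "sub": subject, "iat": issued_at, "exp": issued_at + ttl,
        # Option 1: consent copied into the token as flat flags.
        "consent_claims": {p: True for purposes in snapshot.values() for p in purposes},
        # Option 2: references only; the ledger is consulted on every call.
        "consent_ids": list(consent_ids),
        # Option 3: snapshot trusted only until valid_until, then re-resolved.
        "consent_snapshot": {"purposes": snapshot, "valid_until": issued_at + SNAPSHOT_TTL},
    }


def check_embedded(claims, purpose, now):
    # Option 1: the flag is trusted until exp, so a withdrawal is invisible for the token's lifetime.
    return now < claims["exp"] and claims["consent_claims"].get(purpose, False)


def check_reference(claims, purpose, now, ledger):
    # Option 2: each call resolves consent_ids against the ledger; withdrawal takes effect immediately.
    return now < claims["exp"] and any(ledger.allows(cid, claims["sub"], purpose) for cid in claims["consent_ids"])


def check_hybrid(claims, purpose, now, ledger, revoked_events=()):
    # Option 3: trust the snapshot while it is fresh and no revocation event for its consent ids has
    # arrived from the message bus; otherwise fall back to a ledger lookup.
    if now >= claims["exp"]:
        return False
    snap = claims["consent_snapshot"]
    fresh = now < snap["valid_until"] and not set(snap["purposes"]) & set(revoked_events)
    if fresh:
        return any(purpose in purposes for purposes in snap["purposes"].values())
    return check_reference(claims, purpose, now, ledger)


def run_demo():
    # Login at t0, withdrawal at t0+60s, checks at t0+90s (snapshot still fresh) and t0+600s (aged out).
    ledger, t0, purpose = ConsentLedger(), 1_700_000_000, "MARKETING_OUTREACH"
    ledger.grant("C1", "user-42", [purpose], at=t0 - 86400)
    claims = issue_access_claims(ledger, "user-42", ["C1"], issued_at=t0)
    ledger.withdraw("C1", at=t0 + 60)
    results = {}
    for label, t in (("t0+90s", t0 + 90), ("t0+600s", t0 + 600)):
        results[label] = {
            "embedded": check_embedded(claims, purpose, t),
            "reference": check_reference(claims, purpose, t, ledger),
            "hybrid": check_hybrid(claims, purpose, t, ledger),
            "hybrid_with_bus_event": check_hybrid(claims, purpose, t, ledger, revoked_events={"C1"}),
        }
    return results
```

The result makes the trade-off visible: the embedded flag keeps answering True for the whole hour, the reference check denies from the first call after withdrawal, and the hybrid snapshot is stale for at most SNAPSHOT_TTL seconds, or not at all once the revocation event has been received.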
Common failure modes when combining JWT-based identity with consent tokens and ledgers.
  • Long-lived JWTs with embedded consent flags
    Observable symptom: Services continue to process data under consent=true after the data principal has withdrawn consent.
    Underlying cause: Consent state is tightly coupled to token lifetime and there is no effective token revocation or re-check against the ledger.
    Mitigation pattern: Shorten access-token lifetimes; rely on consent_ids or consent tokens resolved against a ledger at request time; implement token revocation checks at the gateway when necessary.
  • Missing consent identifiers in logs
    Observable symptom: During an inquiry you cannot prove which consent, if any, applied to a historical API call or data export event.
    Underlying cause: Gateways and services make consent decisions but do not persist consent_id or purpose metadata alongside request logs and job logs.
    Mitigation pattern: Standardise audit logging to always include subject, tenant, purpose, consent_id or lawful-basis marker, and decision outcome for any operation touching personal data.
  • Inconsistent purpose vocabularies across services
    Observable symptom: A consent record appears to allow one purpose, but downstream ETL or analytics jobs treat the same operation as a different purpose and process more broadly than intended.
    Underlying cause: Teams define purpose codes independently in consent UIs, APIs, and data pipelines without a canonical catalogue or mapping layer.
    Mitigation pattern: Create and maintain a central purpose catalogue; require that consent records, API route configuration, and batch jobs all reference these canonical codes or an explicit mapping table.
  • Consent service outage with "allow if authenticated" fallback
    Observable symptom: During consent-service downtime, systems continue to process optional or secondary purposes even where no valid consent exists or revocation has occurred.
    Underlying cause: Fallback logic in gateways or services is not explicitly defined, so engineers implement permissive behaviour to protect availability rather than data-protection guarantees.
    Mitigation pattern: Define and implement fail-closed behaviour for consent-based purposes, allowing only operations covered by other lawful grounds or emergency exemptions when the consent service is unavailable, and log these events clearly.

Validation, integration, and rollout checklist

Evaluating a consent-token design or a vendor platform is easier when you have clear validation dimensions. The first is correctness of enforcement: for a set of test personas and consent scenarios, does the system allow only those operations that the consent record covers? You can construct test cases such as "consent only for core service, not marketing" and observe whether downstream email, WhatsApp, or analytics events are actually suppressed. The second dimension is revocation behaviour and latency: after a withdrawal event is recorded in the ledger, how quickly do gateways and services stop honouring the old consent token or consent reference, and is this observable in logs without manual correlation?[4]
A third validation dimension is auditability. For any processing event involving personal data, your platform should be able to reconstruct, from logs alone, which subject, tenant, purpose, consent identifier, and lawful basis applied, alongside the decision outcome. Sampling your logs to see whether these fields are consistently present is an effective early test. Resilience is another axis: simulate consent-service outages and network partitions, and verify that the system follows explicitly defined fallback rules rather than silently leaking into an "allow all if authenticated" posture. In B2B environments with multiple data processors, also validate how the system records which processor acted under which consent, so that fiduciary versus processor responsibilities can be disentangled during incidents.[3]
Integration work tends to cluster around a few choke points. The identity provider or auth server needs a way to bind subject identifiers and tenants to consent records, often by calling into the consent ledger during login or profile flows. The API gateway or service mesh must be extended to extract purpose metadata for each route and to talk to the consent service or validate consent tokens. Backend services should be instrumented to read consent metadata from headers and, where necessary, perform secondary checks before high-risk actions such as exports, model training, or data sharing with external processors. Data stores, ETL pipelines, and analytics systems benefit from tagging records with consent_id and purpose codes so that offline jobs can enforce purpose limitation without live tokens.
Rollout and migration deserve deliberate planning, especially for Indian B2B platforms with existing user bases and contractual SLAs. A staged approach works better than a flag day. Many teams start by modelling and enforcing a single high-risk purpose, such as marketing outreach or secondary analytics, with consent tokens and a ledger, while leaving existing coarse-grained controls for other purposes. During this period, systems often write both the old boolean flags and the new consent records, and gateways log both old and new identifiers for correlation. Historical data can be backfilled with derived consent records that reflect legacy notices, clearly marked as such. Over time, more purposes move to the consent-token model, and old checks are retired behind feature flags. Throughout, it helps to agree with legal and compliance stakeholders on acceptance criteria: what evidence they expect during a DPDP inquiry, what revocation turnaround is acceptable, and how data processors and fiduciaries will exchange consent artifacts.
Validation matrix for consent-token designs and integrations.
  • Correctness of enforcement
    Key questions: Do allowed operations exactly match the consent state and purposes recorded in the ledger for each persona?
    Example tests: Create personas with consent only for core service, only for marketing, both, and neither; verify downstream emails, WhatsApp messages, exports, and analytics jobs align with expectations.
  • Revocation behaviour and latency
    Key questions: After a withdrawal, how quickly do gateways, services, and batch jobs stop honouring previous consent tokens or references, and is this window measurable?
    Example tests: Trigger revocation events during active sessions and scheduled jobs; measure time until further requests for that purpose are denied and confirm that logs clearly show the change in decision.
  • Auditability
    Key questions: Can you reconstruct, from logs alone, which subject, tenant, purpose, consent_id, lawful basis, and decision outcome applied to a given processing event?
    Example tests: Sample API, job, and export logs across services; verify that all required fields are present and that consent_ids resolve cleanly back to consent records in the ledger.
  • Resilience and fallback behaviour
    Key questions: What happens to consent-based processing when the consent service or ledger is unavailable, slow, or partitioned from parts of the system?
    Example tests: Induce timeouts and failures in consent-service dependencies; confirm that optional and secondary processing fails closed while emergency or non-consent-based operations follow documented rules and are logged distinctly.
  • Multi-processor and multi-tenant handling
    Key questions: Does the system track which data processor or tenant acted under which consent, and can it prevent cross-tenant or cross-fiduciary data use even for the same individual?
    Example tests: Run flows where the same subject appears under multiple tenants or processors; confirm that consent is evaluated per tenant and processor agreement, and that logs include sufficient context to allocate responsibilities in incident reviews.
A practical sequence your engineering team can follow to evaluate or roll out a consent-token design.
  1. Define and align your purpose catalogue
    Work with product, legal, and compliance stakeholders to define a canonical set of purpose codes that cover all processing in scope, and map existing APIs, jobs, and data flows to those purposes.
    • Ensure each route or batch job has a clearly identified primary purpose, plus any secondary purposes if applicable.
    • Mark which purposes are consent-based versus those relying on other lawful grounds so enforcement can differ accordingly.
  2. Bind identity and consent records
    Make sure your identity provider and consent ledger share stable subject and tenant identifiers, and that login or profile flows can look up or create consent records without ambiguity.
    • Decide which identifier (for example, a stable customer ID) is authoritative and avoid mixing emails or phone numbers directly in consent tokens.
    • Confirm that JWT claims contain enough context (subject, tenant, client) for the consent service to find the right records.
  3. Instrument gateway and services for consent enforcement
    Extend the API gateway or service mesh to resolve purposes, consult the consent ledger or validate consent tokens, and pass consent metadata to backend services, which in turn log consent-aware decisions.
    • Standardise headers for consent metadata, such as X-Consent-Id and X-Consent-Purpose, so services can consume them consistently.
    • Adopt a shared library for consent checks to avoid diverging logic across microservices.
  4. Run revocation and purpose-change tests
    Design test scenarios where data principals withdraw consent or change purposes mid-session, and verify that gateways, services, and batch jobs stop processing accordingly within an agreed time window.
    • Include tests where tokens remain valid but consent is withdrawn to ensure your architecture does not rely solely on embedded consent flags.
    • Check that audit logs make the before-and-after state of consent and decisions easy to reconstruct.
  5. Simulate outages and cross-processor flows
    Test how the system behaves when the consent service is degraded and when multiple processors or tenants are involved, ensuring fail-closed behaviour for consent-based purposes and clear allocation of responsibilities in logs.
    • Introduce artificial latency and failures in consent-service calls to validate fallback behaviour.
    • Exercise flows where a single individual exists under multiple tenants to confirm that consent does not leak across fiduciaries.
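The purpose-catalogue alignment in step 1 and the auditability and cross-tenant checks in steps 3 to 5 can be automated over configuration and log samples. The following is an added example, not the article's code: it flags purpose codes used by routes or batch jobs that are not in the canonical catalogue, then checks a sample of JSON audit lines for the required fields, for a consent_id or lawful-basis marker on every allow decision, and for consent_ids that resolve to a ledger row matching the logged purpose, subject and tenant. The catalogue, route and job mappings, ledger rows and log lines are all constructed for the demo, and the field names follow the header and log conventions used earlier on this page.

```python
import json

# Constructed example: the catalogue, route and job mappings, ledger rows and log lines are invented.
PURPOSE_CATALOGUE = {"PRIMARY_TREATMENT", "MARKETING_OUTREACH", "ANALYTICS_SECONDARY"}
ROUTE_PURPOSES = {"/v1/reports": "PRIMARY_TREATMENT", "/v1/campaigns/send": "MARKETING_OUTREACH"}
JOB_PURPOSES = {"nightly-etl": "RESEARCH_EXPORT", "churn-model": "ANALYTICS_SECONDARY"}
LEDGER = {
    "C1": {"subject": "user-42", "tenant": "tenant-a", "purposes": {"MARKETING_OUTREACH"}},
    "C2": {"subject": "user-42", "tenant": "tenant-a", "purposes": {"ANALYTICS_SECONDARY"}},
}
AUDIT_LOG_LINES = [  # JSON lines as a gateway or batch job would emit them (constructed)
    '{"request_id":"r1","subject":"user-42","tenant":"tenant-a","purpose":"MARKETING_OUTREACH","consent_id":"C1","decision":"allow"}',
    '{"request_id":"r2","subject":"user-42","tenant":"tenant-a","purpose":"PRIMARY_TREATMENT","lawful_basis":"contract","decision":"allow"}',
    '{"request_id":"r3","subject":"user-42","purpose":"MARKETING_OUTREACH","consent_id":"C1","decision":"allow"}',
    '{"request_id":"r4","subject":"user-42","tenant":"tenant-a","purpose":"MARKETING_OUTREACH","consent_id":"C9","decision":"allow"}',
    '{"request_id":"r5","subject":"user-42","tenant":"tenant-a","purpose":"ANALYTICS_SECONDARY","decision":"allow"}',
    '{"request_id":"r6","subject":"user-42","tenant":"tenant-a","purpose":"MARKETING_OUTREACH","consent_id":"C2","decision":"allow"}',
    '{"request_id":"r7","subject":"user-42","tenant":"tenant-b","purpose":"MARKETING_OUTREACH","consent_id":"C1","decision":"allow"}',
]
REQUIRED_FIELDS = ("subject", "tenant", "purpose", "decision")


def check_purpose_vocabulary(catalogue, sources):
    # sources maps a source name (routes, jobs) to {item: purpose_code}; flag codes outside the catalogue.
    return [f"{src}:{item} uses non-canonical purpose {code}"
            for src, mapping in sources.items() for item, code in mapping.items() if code not in catalogue]


def check_audit_entry(entry, ledger):
    # One log entry: required fields, a consent_id or lawful-basis marker on every allow, and a
    # consent_id that resolves to a ledger row matching the logged purpose, subject and tenant.
    findings = [f"missing {f}" for f in REQUIRED_FIELDS if f not in entry]
    cid = entry.get("consent_id")
    if entry.get("decision") == "allow" and not cid and "lawful_basis" not in entry:
        findings.append("allow without consent_id or lawful_basis")
    if cid:
        rec = ledger.get(cid)
        if rec is None:
            findings.append(f"consent_id {cid} not in ledger")
        else:
            if entry.get("purpose") not in rec["purposes"]:
                findings.append(f"consent {cid} does not cover purpose {entry.get('purpose')}")
            for field in ("subject", "tenant"):  # catches cross-tenant use of the same subject's consent
                if field in entry and entry[field] != rec[field]:
                    findings.append(f"consent {cid} {field} is {rec[field]}, log says {entry[field]}")
    return findings


def check_audit_log(lines, ledger):
    # Returns {request_id: findings} for entries with problems, plus the share of clean entries.
    problems = {}
    for line in lines:
        entry = json.loads(line)
        found = check_audit_entry(entry, ledger)
        if found:
            problems[entry.get("request_id", "?")] = found
    return {"problems": problems, "clean_ratio": 1 - len(problems) / len(lines)}


def run_validation():
    return {
        "vocabulary": check_purpose_vocabulary(PURPOSE_CATALOGUE, {"routes": ROUTE_PURPOSES, "jobs": JOB_PURPOSES}),
        "audit": check_audit_log(AUDIT_LOG_LINES, LEDGER),
    }
```

Against the constructed sample, run_validation reports the nightly-etl job's non-canonical RESEARCH_EXPORT code and five problem entries: a missing tenant, an unknown consent_id, an allow with no consent or lawful basis, a consent that does not cover the logged purpose, and a consent from tenant-a being used under tenant-b.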

Troubleshooting consent-token deployments

Even with a sound architecture, operational issues around consent tokens and JWTs tend to cluster in a few repeatable patterns. Catching them early avoids surprises during DPDP reviews or customer audits.
  • Symptom: services keep processing data after a user withdraws consent. Fix: look for long-lived JWTs that embed consent flags, shorten their lifetime, and ensure the gateway re-evaluates consent against the ledger for each call that touches personal data rather than trusting stale snapshots.
  • Symptom: audit investigations cannot tie specific processing events to consent records. Fix: standardise logging so gateways and services always persist subject, tenant, purpose, consent_id or lawful-basis marker, and decision outcome, and verify through sampling that these fields are never omitted.
  • Symptom: different APIs or jobs make inconsistent allow/deny decisions for the same user and purpose. Fix: introduce a canonical purpose catalogue, enforce its use in route configuration and batch jobs, and centralise consent-evaluation logic in a shared library or service.
  • Symptom: latency spikes or timeouts occur when the consent service is under load, leading engineers to bypass checks. Fix: introduce controlled caching of consent results for short periods, but pair this with explicit, tested fail-closed rules for optional and secondary processing if the consent service becomes unavailable.
  • Symptom: data is processed under the wrong tenant or fiduciary context in multi-tenant SaaS. Fix: consistently include tenant identifiers and processor roles in JWT claims, consent records, and consent tokens, and validate during testing that cross-tenant access is blocked even when the same subject identifier appears in multiple tenants.

Where a platform like Digital Anumarti - Service fits into this architecture

Building and operating a consent ledger, consent-token issuance, revocation propagation, and audit views in-house is possible, but it is a significant engineering and governance investment, especially when your organisation has to support multiple sectors and data flows. A specialised consent management platform such as Digital Anumarti - Service positions itself as the dedicated consent layer in this architecture: it maintains a system of record for consent decisions, exposes APIs to capture and update those decisions, and can issue machine-verifiable consent artifacts or references that your gateways and services enforce.[6]
In practice, this kind of platform can sit alongside your existing identity provider and API gateway. Your front ends call it to capture granular, purpose-specific consent; it returns consent identifiers or tokens that you propagate through headers or claims; and it logs every grant, rejection, and withdrawal in an audit-ready ledger. Deployments described in sectors such as healthcare and diagnostics show patterns like hashed consent receipts attached to pathology reports, consent linked explicitly to processor agreements in multi-lab networks, emergency bypass flows with full access logging, and server-side preference centres that synchronise consent and marketing tools in near real time. If you prefer to adopt rather than build a consent-token-centric architecture, it is worth running a contained pilot with Digital Anumarti - Service and evaluating its token, ledger, and integration model against the validation criteria your engineering and compliance teams have defined.

How Digital Anumarti - Service supports consent-token architectures

  1. Hashed consent receipts for diagnostic lab workflows
     In diagnostic lab deployments, Digital Anumarti - Service generates secure, hashed consent receipts that are provided alongside final pathology reports to demonstrate that the underlying data was processed under an explicit consent decision.
     Why it matters for you: this pattern lets your platform attach a verifiable consent artifact to each report delivered into a B2B2C healthcare network, strengthening the evidentiary trail when clinicians or regulators later question how patient data was shared.

  2. Linking consent to specific processor agreements
     Digital Anumarti - Service exposes APIs that can tie each patient’s consent to the exact data-processor agreements in place with downstream testing facilities in a diagnostic network.
     Why it matters for you: for Indian B2B SaaS operating in complex fiduciary–processor chains, this linkage helps your team demonstrate which processor acted under which consent and contract, reducing ambiguity in incident handling and DPDP inquiries.

  3. API-driven consent ledger integrated with clinical systems
     At healthcare customers such as speciality clinics, Digital Anumarti - Service has been integrated as an API-driven consent ledger that connects directly to Electronic Health Record systems to digitise consent capture and mapping.
     Why it matters for you: this shows how a consent ledger can sit close to operational systems while keeping consent state centralised, which is useful when you need consistent purpose enforcement across front-desk intake, EHR, and downstream analytics.

  4. Automated revocation pipelines into cold storage
     In one hospital deployment, a revocation pipeline built on Digital Anumarti - Service moves patient records from active operational databases into encrypted cold-storage retention logs when consent is withdrawn after discharge.
     Why it matters for you: this illustrates how a consent-aware data flow can stop active processing while still meeting medico-legal retention needs, a pattern your team can adapt when designing revocation handling for DPDP-aligned systems.

  5. Server-side preference centres wired to CRM platforms
     Digital Anumarti - Service has been used to implement server-side preference centres that synchronise consent and marketing preferences into CRM platforms such as Salesforce or HubSpot using event-driven webhooks.
     Why it matters for you: if your SaaS product drives outreach or lifecycle messaging, this pattern shows a practical path to keep marketing automation honouring granular consent tokens instead of relying on static opt-in flags inside CRM profiles.

  6. Purpose-based enforcement at the API gateway
     Deployments in diagnostic labs demonstrate that enforcing purpose limitation at the API gateway, using consent artifacts from Digital Anumarti - Service, can help separate data fiduciary versus data processor responsibilities in B2B2C healthcare flows.
     Why it matters for you: for architects designing multi-tenant or B2B2C APIs, this shows how a dedicated consent layer can provide purpose decisions to the gateway so each call is evaluated under the right fiduciary and processor context.

Evidence: Digital Anumarti case study – diagnostic labs
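The first pattern above, a hashed consent receipt bound to a specific report, is easy to misread as "store a hash somewhere". The following is an added illustration written for this article, not Digital Anumarti's own code or receipt format: it shows one plausible shape for such a receipt. The receipt carries the consent_id and purpose in the clear so an auditor can find the ledger entry, a pseudonymised subject reference rather than the raw patient identifier, the SHA-256 of the exact report bytes, and an HMAC over all of it under a key that only the consent service holds. The key, the field names, and the sample consent record are all constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical receipt-signing key; in production it is held only by the consent
# service (ideally in a KMS/HSM) and rotated with a key id recorded in the receipt.
RECEIPT_KEY = b"demo-receipt-key-not-for-production"


def canonical(obj: dict) -> bytes:
    """Deterministic JSON so the same receipt body always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue_receipt(consent: dict, report: bytes, key: bytes = RECEIPT_KEY) -> dict:
    """Bind a recorded consent decision to the exact report it accompanies.

    The raw subject_id never enters the receipt; only a one-way reference does,
    so a receipt leaked alongside a report does not reveal the identifier itself.
    """
    body = {
        "consent_id": consent["consent_id"],
        "subject_ref": hashlib.sha256(consent["subject_id"].encode()).hexdigest(),
        "purpose": consent["purpose"],
        "granted_at": consent["granted_at"],
        "report_sha256": hashlib.sha256(report).hexdigest(),
        "issued_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    body["mac"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_receipt(receipt: dict, report: bytes, key: bytes = RECEIPT_KEY) -> bool:
    """True only if the MAC is valid and the receipt matches these report bytes."""
    unsigned = {k: v for k, v in receipt.items() if k != "mac"}
    expected = hmac.new(key, canonical(unsigned), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(receipt.get("mac", ""))):
        return False  # tampered fields or wrong issuer
    actual_digest = hashlib.sha256(report).hexdigest()
    return hmac.compare_digest(receipt["report_sha256"], actual_digest)


# Constructed sample consent decision and report (no real patient data).
SAMPLE_CONSENT = {
    "consent_id": "cns_7f3a",
    "subject_id": "patient-0001",
    "purpose": "diagnostic_reporting",
    "granted_at": "2025-06-01T09:15:00+05:30",
}
SAMPLE_REPORT = b"HbA1c: 5.4%\nFasting glucose: 92 mg/dL\n"

if __name__ == "__main__":
    receipt = issue_receipt(SAMPLE_CONSENT, SAMPLE_REPORT)
    print(json.dumps(receipt, indent=2))
    print("verifies:", verify_receipt(receipt, SAMPLE_REPORT))
    print("altered report verifies:", verify_receipt(receipt, SAMPLE_REPORT + b"\n"))
```

A receipt like this proves that a given consent decision existed when the report was issued and that the report has not changed since; it does not by itself prove the consent is still active, which is why the consent_id points back to the ledger where withdrawal is recorded.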

Common questions about consent tokens, JWTs, and DPDP


There is no single correct lifetime, but the principles differ for authentication and consent. Authentication and access JWTs should generally be short-lived so that any embedded authorisation or consent snapshot ages out quickly; this limits the window in which stale claims can be used after revocation or role changes. Consent records themselves usually last as long as the lawful processing relationship, subject to retention limits, but consent tokens that convey that state to services do not need to be long-lived. Many teams keep consent as a durable record in a ledger and use consent tokens or references that are either one-time or short-lived, refreshing them as part of normal API flows. Whatever lifetimes you choose, they should be documented, consistently enforced, and tested to ensure that revocation and purpose changes propagate within an acceptable and measurable time window.

Signing and encryption solve different problems. A signature or MAC on a JWT-style consent token ensures integrity and authenticity, so services can verify that the token was issued by your consent service and has not been tampered with. Encryption protects confidentiality of the claims themselves if the token passes through untrusted clients or intermediaries. In many B2B server-to-server scenarios, it is simpler and safer to keep consent tokens opaque from the client’s perspective: the client holds only a random consent_id, and all sensitive consent details stay in your backend ledger. When you do send structured consent tokens through user agents, encrypting them reduces the risk of leaking claims, or of signalling sensitive purposes, to anyone who can read the token. The right choice depends on your threat model, but from a DPDP standpoint the crucial control is that only authorised components can read or alter consent state, and that detailed consent information is not unnecessarily exposed.
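The two answers above (short-lived JWTs that only reference consent, and a signed token that stays opaque about consent details) are easier to reason about with a concrete gateway check in front of you. The following added example, written for this article and not taken from any library or vendor, implements a minimal HS256 JWT in the RFC 7519 compact form, a ledger keyed by consent_id, and an authorise() function that treats a valid JWT purely as proof of identity and resolves consent live. Withdrawing consent in the ledger denies the next call even though the JWT is still within its lifetime, and an expired or re-signed token is rejected regardless of ledger state. The key, claim names (consent_ref), and ledger entries are constructed for the example; a real deployment would use a maintained JWT library with key ids and rotation, and JWE if the token must also hide its claims from the user agent.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Hypothetical HS256 key shared by the token issuer and the verifying gateway.
JWT_KEY = b"demo-hs256-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_jwt(claims: dict, key: bytes = JWT_KEY) -> str:
    """Compact-serialised HS256 JWT: header.payload.signature (illustrative only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_jwt(token: str, key: bytes = JWT_KEY, now: Optional[float] = None) -> dict:
    """Verify signature and expiry. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the verifier, not the token, fixes the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


# Durable consent state lives here, not in the token. Constructed sample entry.
LEDGER = {
    "cns_7f3a": {"subject": "user-42", "purposes": {"analytics"}, "status": "active"},
}


def withdraw(consent_id: str) -> None:
    """Record a withdrawal; no token needs to be found and invalidated."""
    LEDGER[consent_id]["status"] = "withdrawn"


def authorise(token: str, purpose: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Gateway check: identity from the JWT, legal basis from the ledger, per purpose."""
    try:
        claims = decode_jwt(token, now=now)
    except ValueError as exc:
        return False, f"token rejected: {exc}"
    entry = LEDGER.get(claims.get("consent_ref", ""))
    if entry is None or entry["subject"] != claims.get("sub"):
        return False, "no consent record for subject"
    if entry["status"] != "active":
        return False, "consent withdrawn"
    if purpose not in entry["purposes"]:
        return False, "purpose not covered"
    return True, "allowed"


if __name__ == "__main__":
    t0 = time.time()
    tok = encode_jwt({"sub": "user-42", "consent_ref": "cns_7f3a", "iat": t0, "exp": t0 + 300})
    print(authorise(tok, "analytics"))   # allowed while consent is active
    withdraw("cns_7f3a")
    print(authorise(tok, "analytics"))   # denied: same valid JWT, ledger says withdrawn
```

Note what the token does and does not carry: sub and consent_ref are enough for the gateway to resolve consent, and nothing about purposes or the decision itself is visible to whoever holds the token, so the integrity guarantee from the signature is the only property the token needs here.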

For offline processing such as nightly analytics jobs or data exports to partners, runtime tokens are less important than durable metadata on the data itself. A common pattern is to tag records in your data warehouse or lake with consent_id and purpose codes at the time they are ingested, based on the consent state in the ledger. Batch jobs then operate only on records whose consent_id is active for the required purpose, consulting the ledger if necessary before large runs. Audit logs for these jobs should record which consent_ids and purposes were used to select data, so you can later show that, for example, a research dataset excluded individuals who had refused secondary processing. This approach avoids relying on live tokens in batch contexts while still tying offline processing back to specific consent records.

In multi-tenant SaaS, each tenant may have its own purpose definitions, notices, and sectoral constraints, yet your platform is the one moving data. Your consent architecture therefore needs to include tenant identifiers and role information, such as which party is the data fiduciary and which is the processor, in both consent records and consent tokens or references. Purpose catalogues should either be standardised across tenants with mapping layers or clearly namespaced by tenant to avoid collisions. Gateways and services must consider both subject and tenant when resolving consent, and logs should record which tenant’s policy was applied to each decision. When integrating a consent platform, confirm that it can represent multiple fiduciaries, link consent to specific processor agreements, and restrict cross-tenant data access even if the same individual appears under multiple tenants.
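The two answers above (tagging warehouse rows with consent_id and purpose for offline jobs, and keeping tenant and purpose namespaces separate) combine naturally into one selection routine. The following is an added example written for this article, not code from any consent platform: a ledger keyed by (tenant, consent_id) with tenant-namespaced purpose codes, a set of constructed warehouse rows tagged at ingestion, and a select_for_batch() function that returns only the rows a batch job may process for one tenant and purpose together with an audit entry listing which consent_ids were used and why each excluded row was excluded. The same subject appears under two tenants to show that a consent given to one tenant never authorises processing by another. All identifiers and rows are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed ledger. Purposes are namespaced by tenant so "labco:research" and
# "clinicx:research" can carry different notices and meanings without colliding.
LEDGER: Dict[Tuple[str, str], dict] = {
    ("labco", "cns_001"): {"subject": "p-100", "purposes": {"labco:research", "labco:billing"}, "status": "active"},
    ("labco", "cns_002"): {"subject": "p-200", "purposes": {"labco:billing"}, "status": "active"},
    ("labco", "cns_003"): {"subject": "p-300", "purposes": {"labco:research"}, "status": "withdrawn"},
    ("clinicx", "cns_010"): {"subject": "p-100", "purposes": {"clinicx:research"}, "status": "active"},
}

# Constructed warehouse rows, each tagged at ingestion with tenant and consent_id.
RECORDS = [
    {"row_id": 1, "tenant": "labco", "subject": "p-100", "consent_id": "cns_001", "hba1c": 5.4},
    {"row_id": 2, "tenant": "labco", "subject": "p-200", "consent_id": "cns_002", "hba1c": 6.1},
    {"row_id": 3, "tenant": "labco", "subject": "p-300", "consent_id": "cns_003", "hba1c": 7.0},
    {"row_id": 4, "tenant": "clinicx", "subject": "p-100", "consent_id": "cns_010", "hba1c": 5.5},
]


@dataclass
class BatchAudit:
    """What a batch job should log: tenant, namespaced purpose, consents relied on, exclusions."""
    tenant: str
    purpose: str
    used_consent_ids: List[str] = field(default_factory=list)
    excluded: List[Tuple[int, str]] = field(default_factory=list)


def select_for_batch(records: List[dict], tenant: str, purpose_local: str,
                     ledger: Dict[Tuple[str, str], dict] = LEDGER) -> Tuple[List[dict], BatchAudit]:
    """Return the rows one tenant's batch job may process for one purpose, plus an audit entry.

    The purpose is namespaced by tenant before lookup, and rows from other tenants are
    never considered, even when the same subject appears there under another consent.
    """
    purpose = f"{tenant}:{purpose_local}"
    audit = BatchAudit(tenant=tenant, purpose=purpose)
    selected: List[dict] = []
    for row in records:
        if row["tenant"] != tenant:
            audit.excluded.append((row["row_id"], "other tenant"))
            continue
        entry = ledger.get((tenant, row["consent_id"]))
        if entry is None or entry["subject"] != row["subject"]:
            audit.excluded.append((row["row_id"], "no matching consent"))
            continue
        if entry["status"] != "active":
            audit.excluded.append((row["row_id"], "consent withdrawn"))
            continue
        if purpose not in entry["purposes"]:
            audit.excluded.append((row["row_id"], "purpose not covered"))
            continue
        selected.append(row)
        audit.used_consent_ids.append(row["consent_id"])
    return selected, audit


if __name__ == "__main__":
    rows, audit = select_for_batch(RECORDS, "labco", "research")
    print("rows for labco research:", [r["row_id"] for r in rows])
    print("audit:", audit)
```

The audit record is the part a DPO will ask for later: for a given run it names the tenant whose policy applied, the namespaced purpose, the consent_ids the job relied on, and each exclusion with its reason, which is exactly the evidence needed to show that a withdrawn or out-of-scope consent kept an individual out of the dataset.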

A well-designed consent token and ledger model is an important enabler for DPDP compliance because it lets you enforce purpose limitation, honour withdrawal, and evidence consent decisions across distributed systems. However, it is only one part of the picture. Compliance also depends on the notices you show, how you collect consent in different channels, how you manage data minimisation and retention, how quickly you respond to access and erasure requests, how you manage third-party processors, and how you handle security incidents. Token and ledger design gives you the technical levers to implement policies, but those policies still need to be legally sound and operationally enforced. Engineering teams should therefore treat consent-token architecture as a foundation on which legal, product, and governance teams build a complete DPDP programme, rather than as a compliance guarantee on its own.

Sources
  1. RFC 7519: JSON Web Token (JWT) - Internet Engineering Task Force (IETF)
  2. The Digital Personal Data Protection Act, 2023 (No. 22 of 2023) - Ministry of Law and Justice, Government of India
  3. DPDP Rules, 2025 Notified – A Citizen-Centric Framework for Privacy Protection and Responsible Data Use - Press Information Bureau, Government of India
  4. Notice Obligations under the Digital Personal Data Protection Act, 2023: Clarity, Accessibility, and Multi-Language Requirements - King Stubb & Kasiva, Advocates & Attorneys
  5. The OAuth 2.1 Authorization Framework (Internet-Draft) - Internet Engineering Task Force (IETF)
  6. An Agentic Software Framework for Data Governance under DPDP - arXiv