Consent Model

Consent Model

How Trusteed obtains, records, scopes, and revokes consent across users, agents, and merchants.

Consent grants overview

Three independent consent flows operate in parallel. Each grants narrow capability and is independently revocable.

User → Agent (OAuth): User authorizes an agent application to act on their behalf with specific scopes (mcp:read, mcp:write, mcp:checkout).
User → Merchant (MCAP grant): User signs a Mastercard Agent Pay consent grant authorizing a payment instrument to be charged within scope (amount cap, merchant, expiry).
User → Network (ACP order): User authorizes a single Agent Commerce Protocol order. Authorization expires when the order settles or is cancelled.

OAuth 2.1 scope flow

All agent authorization runs on OAuth 2.1 Authorization Code with PKCE S256. Tokens are bound to the resource server via RFC 8707 audience.

Authorization endpoint: https://auth.trusteed.xyz/authorize
Token endpoint: https://auth.trusteed.xyz/oauth/token
Audience binding (RFC 8707): Tokens are valid only for resource = https://api.trusteed.xyz
Access token TTL: 1 hour
Refresh token TTL: 30 days, rotated on each use
Revocation endpoint: https://auth.trusteed.xyz/oauth/revoke

MCAP consent grants

Mastercard Agent Pay grants are signed Ed25519 by the issuer and stored in the database. They authorize specific spend within bounded conditions.

Lifecycle: create → active → revoked (or expired)
Scope: amount cap, merchant, valid_until timestamp
Signature algorithm: Ed25519 (issuer key, rotatable)
Revocation propagation: X-MCAP-Token-Version header bumped on every grant change; clients must respect it
Audit trail: All state transitions logged with actor, reason, timestamp

Data retention

PII (email, name): Retained while account active. Right-to-deletion supported (GDPR Article 17).
Order history: 7 years (tax/legal obligation)
Audit logs: 90 days hot storage, 7 years cold archive
Session tokens: Forgotten on revocation
Consent grants: Stored signed; revoked grants kept for audit

User rights (GDPR / CCPA)

Users may exercise the following rights at any time. Requests are honored within 30 days.

Access (export): Request a portable JSON export of all your data.
Rectification: Correct inaccurate data.
Deletion (right to be forgotten): Erase all data not under legal retention obligation.
Portability: Receive data in a machine-readable format.
Object: Object to specific processing (analytics, profiling).

Revocation flows

User revokes app: auth.trusteed.xyz/u/applications → token invalidated immediately
Merchant revokes consent: /dashboard/[stores]/[slug]/agents → MCAP grant revoked
Admin emergency revoke: Operator dashboard → kill-switch on grant or session

Consent grant lifecycle

┌──────────┐        ┌──────────┐        ┌──────────┐
│  Issued  │ ─use─► │  Active  │ ─revoke►│ Revoked  │
└──────────┘        └────┬─────┘        └──────────┘
                         │
                      expires
                         ▼
                    ┌──────────┐
                    │ Expired  │
                    └──────────┘