consent
comms consent auth
Overview
Consent Types
Your Rights
My Consents
Fleet

Consent is the root

Everything flows from it. Authentication, communications, data access, payment processing — every service checks your consent before acting. Your decisions govern the system.

Declined is a clean state, not an error — the system respects refusal

How it works

When you interact with any service on onamerica.org, the system checks your consent configuration before proceeding. Your consent state travels with your identity — no extra steps, no separate lookups. Grant a consent and every service knows immediately. Withdraw it and delivery stops.

Consent States

OFFERED ACCEPTED IN PROGRESS GATE PENDING VERIFIED COMPLETE
DECLINED WITHDRAWN — both are clean states. No penalty. No judgment.

Pairs with Communications

Consent governs what comms.onamerica.org is allowed to send. You control the channels — email, SMS, push notifications. The comms service reads your consent configuration from your identity. If you've declined SMS, no SMS is sent. No exceptions.

13 Consent Types

The same primitive, different contexts. Each type is independently managed per venture.

auth
Consent to authenticate. The 8-digit code exchange. The first gate — everything starts here.
biometric
Consent to provision your device with FaceID, fingerprint, or Windows Hello for instant access.
comms_email
Consent to receive email communications from a venture. Withdraw to stop all email.
comms_sms
Consent to receive SMS and text messages. Your phone number, your choice.
comms_push
Consent to receive push notifications on your device.
data_sharing
Consent to share your profile data between ventures. One identity, connected where you choose.
data_processing
Consent to process your data for a specific purpose. Required by GDPR Article 6.
payment
Consent to payment processing. No charges without your explicit agreement.
location
Consent to use your geolocation. Used for proximity check-in and regional services.
analytics
Consent to anonymized analytics collection. Helps improve services without identifying you.
terms
Consent to terms of service for a specific venture.
marketing
Consent to marketing communications. Separate from transactional email.
soc2_audit
Consent to SOC2 audit trail collection. System activity logged for compliance verification and trust reporting.

Your Data Rights

Built into the infrastructure. Not an afterthought.

Right to Access

Request all data we hold about you in a machine-readable format. One endpoint, complete export.

GET /api/user/export?email=you@email.com

Right to Erasure

Delete your identity and all associated data. Cascade deletion across every table. Irreversible.

DELETE /api/user/erase

Right to Withdraw

Withdraw any consent at any time. The system stops immediately. No penalty.

POST /api/consent/withdraw

Right to Portability

Export your consent records, identity, aliases, sessions, and audit trail as JSON.

GET /api/consent/export/:email

Data Minimization

The auth service stores only core identity: name, email, phone. Venture-specific data stays in venture workers. We hold only what's needed.

Encryption at Rest

All data encrypted at rest. Biometric keys never leave your device. Secrets stored in Cloudflare vault, never in source code.

My Consent Status

Fleet Services

Consent is checked by every service. The consent state travels with your identity.

auth
Identity + consent exchange
checking...
consent
Consent governance
checking...
comms
Communications delivery
checking...
events
Event lifecycle
checking...
profiles
Cross-venture identity
checking...
biometric
WebAuthn ceremonies
checking...

Integration

Any service can check consent with a single field read. When auth-onamerica resolves your identity, it includes your consent grants inline:

{ mhsId: "MHS-00001.A-CAPT", role: "admin", consents: { comms_email: true, analytics: true } }

No extra HTTP call. No extra latency. The consent is the config.

Discovery

Machine-readable specs at every endpoint:

/.well-known/consent-spec.json
/.well-known/fleet-auth.json
/.well-known/comms-spec.json

onamerica.org · consent is the root · everything flows from it