When consent is necessary, you must define a redirectURL in the mutation. This will be used to redirect the user once they have confirmed, refused, or withdrawn consent. The API will respond with a consent object containing a consentURL. Redirecting the user to this URL will trigger a text message on the user's smartphone or an in-app notification and then display a standby screen with your branding/logo. Usually, this object appears under a specific status in statusInfo, for example CardConsentPendingStatusInfo.
For security reasons, the standby screen must be displayed in fullscreen mode. If you are integrating Swan into a mobile app, you must open it with an SFSafariViewController (iOS) or a Chrome Custom Tab (Android). Using an in-application browser allows for browser-based authentication features, such as shared authentication state and security contexts, without disrupting the UX by requiring the user to switch applications. Check out this compliant implementation:
Consent must be confirmed within 20 minutes after the first request to the consentUrl. After this timeout, the consent is expired. The standby screen is no longer displayed on Swan and the user is redirected to you via the redirectURL. The expiredAt property inside the consent object is updated with the expiry date.
During the consent process, the standby screen gives the user the option to cancel. In this case, the consent is no longer displayed on the smartphone and the user is redirected to you via the redirectURL.
After a successful consent on a smartphone, the sensitive operation which initiated authentication is finalized and the user is redirected to you via the redirectURL.
During redirection we add these query parameters to the URL:
  • consentId: the id of the consent
  • env: the environment. Either Sandbox or Live
  • status: Accepted, CustomerRefused, CredentialRefused, Expired, Failed or Canceled
  • resourceId: id of the resource impacted by the consent (if only one resource is impacted). If many resources are impacted, this query param is not returned.
We recommend you use status only for displaying information. These query parameters reach you through the user's browser, so they can be altered in transit. You should always check if a consent was accepted before updating your database or starting a new process.
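One way to handle the redirect so that the query-string status never drives a decision, as an added example that is not part of Swan's documentation or code. The names `handle_redirect`, `pending_ids` and `lookup_status` are hypothetical; `lookup_status` stands for your own server-to-server call that returns the consent's current status, and the URLs and ids are constructed samples.

```python
from urllib.parse import urlsplit, parse_qs

# Values the page documents for the redirect query parameters.
STATUSES = {"Accepted", "CustomerRefused", "CredentialRefused",
            "Expired", "Failed", "Canceled"}
ENVS = {"Sandbox", "Live"}


def parse_consent_redirect(url):
    """Extract consentId, env, status, resourceId; reject malformed input."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {}
    for name in ("consentId", "env", "status", "resourceId"):
        values = query.get(name, [])
        if len(values) > 1:
            raise ValueError(f"repeated parameter: {name}")
        params[name] = values[0] if values else None  # resourceId is optional
    if not params["consentId"]:
        raise ValueError("missing consentId")
    if params["env"] not in ENVS or params["status"] not in STATUSES:
        raise ValueError("unexpected env or status value")
    return params


def handle_redirect(url, pending_ids, expected_env, lookup_status):
    """Return (message_for_user, proceed).

    pending_ids: consent ids this user's session created (our own records).
    lookup_status: hypothetical callable that fetches the consent's current
    status from the API, server to server, and returns it as a string.
    """
    p = parse_consent_redirect(url)
    if p["consentId"] not in pending_ids or p["env"] != expected_env:
        return ("Unknown consent request.", False)
    verified = lookup_status(p["consentId"])  # the only value we act on
    if verified != "Accepted":
        # The query-string status is never trusted for the decision.
        return (f"Consent not accepted ({verified}).", False)
    return ("Consent accepted.", True)


if __name__ == "__main__":
    # Constructed sample: the API says c-2 expired, the URL claims Accepted.
    api = {"c-1": "Accepted", "c-2": "Expired"}.get
    url = "https://partner.example/cb?consentId=c-2&env=Sandbox&status=Accepted"
    print(handle_redirect(url, {"c-1", "c-2"}, "Sandbox", api))
```

Binding the consentId to the ids your own session created also stops a redirect for someone else's consent from being replayed against this user.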
As long as the user has not yet given their consent, you can still cancel the consent request by calling the cancelConsent mutation.
On desktop or for a 3DS transaction, users are redirected to a mobile flow either by clicking on a link in an SMS sent by Swan, or they're redirected by you. It depends on your configuration.
The consent process when you let Swan send an SMS to your user:
[Diagram: Consent workflow from computer]
The consent process when you choose to receive notifications, so you can then push your own notifications to the user:
[Diagram: Consent workflow from computer]
On mobile, no specific configuration is required; you just need to display the redirectURL. Here is the sequence:
[Diagram: Consent workflow from smartphone]