Consents
Before retrieving information for an identifier, you must provide proof that the data owner authorized access to their information.
For the request and response schemas, see the Create Consent API reference.
Why consent is required
Our data partners only authorize access when we can prove the data owner explicitly agreed to share their information. Without a valid consent, the verification is rejected.
Capturing consent properly delivers:
- Legal and regulatory compliance (LFPDPPP and partner contracts)
- Transparency in data usage
- Protection of user rights
- Continued access to data sources
Consent must be informed, specific, and documented. The user must understand what data is being accessed, why, and actively agree to it.
What you provide
The same three fields apply to every consent, whether the identifier is an individual CURP or a business RFC:
- identifier: CURP for individuals (18 chars) or RFC for businesses (12 chars).
- privacy_notice_url: Link to the privacy notice your user accepted. The notice must explicitly identify income-related data as a category of personal data collected.
- ip_address: Valid IPv4 or IPv6 address at the time consent was granted (e.g., 192.168.2.74 or 2001:db8::1). Can be the user's IP or a server-side proxy IP.

The ip_address helps demonstrate that consent was collected transparently and with traceability. The field must be a valid IPv4 or IPv6 address. If you cannot capture the user's IP, submit a proxy IP such as your server's IP. We strongly encourage collecting the actual user's IP when possible for compliance purposes.
These fields let us demonstrate, on request, what terms were accepted, when, and from where.
Example
```json
{
  "identifier": "CUAI911021MOCRQS09",
  "ip_address": "192.168.2.74",
  "privacy_notice_url": "https://yourdomain.com/privacy"
}
```

For a business, swap the CURP for the 12-char RFC; the rest of the payload is identical:

```json
{
  "identifier": "MNT850612KR4",
  "ip_address": "192.168.2.74",
  "privacy_notice_url": "https://palenca.com/privacy"
}
```

Data dictionary
The full consent record. The first three fields are sent on POST /consents; the rest are returned by the API.
| Field Name | Type | Required | Description | Example |
|---|---|---|---|---|
| identifier | string | Yes | 18-char CURP (individual) or 12-char RFC (business). | "CUAI911021MOCRQS09" |
| ip_address | string | Yes | IPv4 or IPv6 address at the time consent was granted. | "192.168.2.74" |
| privacy_notice_url | string (URI) | Yes | URL of the privacy notice accepted by the user. | "https://palenca.com/privacy" |
| id | string (UUID) | — | Unique consent identifier. You don't need to store it; the API resolves the right consent automatically on the next verification for the same identifier. | "01993593-23bf-7447-a3c5-bbe3211fc3f8" |
| created_at | string (ISO 8601) | — | When the consent was created. | "2025-09-10T21:40:59.455261Z" |
| expires_at | string (ISO 8601) | — | When the consent expires. Consents are valid for 365 days from creation. | "2026-09-11T03:40:59.454660Z" |
Reuse and expiration
Once created, a consent:
- Can be reused for any number of verifications on the same identifier
- Expires 365 days after creation
You only create a consent once per identifier per year. The next verification for that identifier auto-resolves to this consent.
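An added example, not code from this API or its maintainers: a client-side pre-flight check for the three fields listed under "What you provide", plus an expiry check against the returned expires_at. The function names are hypothetical, and the absolute http(s) URL requirement and the non-routable-IP warning are assumptions of this sketch rather than documented API rules.

```python
import ipaddress
from datetime import datetime, timezone
from urllib.parse import urlparse

REQUIRED = ("identifier", "ip_address", "privacy_notice_url")

def check_consent_payload(payload):
    """Return (errors, warnings) for a POST /consents request body."""
    errors, warnings = [], []
    for field in REQUIRED:
        # ipaddress.ip_address() also accepts ints, so insist on strings.
        if not isinstance(payload.get(field), str) or not payload[field]:
            errors.append(f"{field}: missing or not a string")
    if errors:
        return errors, warnings
    # Page rule: 18 chars for a CURP, 12 chars for a business RFC.
    if len(payload["identifier"]) not in (18, 12):
        errors.append("identifier: expected 18-char CURP or 12-char RFC")
    # Page rule: must parse as an IPv4 or IPv6 address.
    try:
        ip = ipaddress.ip_address(payload["ip_address"])
    except ValueError:
        errors.append("ip_address: not a valid IPv4/IPv6 address")
    else:
        if not ip.is_global:
            # Assumption: advisory only; the API accepts proxy/private IPs.
            warnings.append("ip_address: not publicly routable")
    # Assumption: the privacy notice link is an absolute http(s) URL.
    url = urlparse(payload["privacy_notice_url"])
    if url.scheme not in ("http", "https") or not url.netloc:
        errors.append("privacy_notice_url: not an absolute http(s) URL")
    return errors, warnings

def consent_is_active(record, now=None):
    """True while a returned consent record has not reached expires_at."""
    now = now or datetime.now(timezone.utc)
    # fromisoformat() on older Pythons rejects a trailing "Z".
    expires = datetime.fromisoformat(record["expires_at"].replace("Z", "+00:00"))
    return now < expires

if __name__ == "__main__":
    # Sample values copied from this page's example and data dictionary.
    body = {"identifier": "CUAI911021MOCRQS09", "ip_address": "192.168.2.74",
            "privacy_notice_url": "https://yourdomain.com/privacy"}
    print(check_consent_payload(body))
    print(consent_is_active({"expires_at": "2026-09-11T03:40:59.454660Z"}))
```

The warning fires on the page's own sample address because 192.168.2.74 is a private address; the payload is still valid, but the stored evidence then records an internal hop rather than the user's address.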
