Get Consent History

List the user's last 100 consent decisions in reverse-chronological order. Useful for "your consent history" UIs and compliance exports.

GET /api/v1/users/consent — 🔑 Bearer

Returns up to 100 most recent ConsentRecord rows for the calling user, ordered by createdAt DESC. Each row exposes the document type / version, whether it was accepted or declined, and the timestamp. The IP / user-agent metadata is not returned to the client (kept server-side for compliance audit only).

Capped at 100 rows — sufficient for the typical "your consent history" UI. For full audit exports across longer time spans, use the GDPR data-export pipeline (POST /gdpr/export) which includes the full table.

Request

No body, no params.

| Header | Required | Notes |
| --- | --- | --- |
| Authorization: Bearer <accessToken> | Yes | JWT from POST /auth/login |

Response

200 OK: ArrayApiResponseOf<ConsentHistoryItemDto>

{
  "success": true,
  "data": [
    {
      "documentType": "tos",
      "documentVersion": "2.1",
      "accepted": true,
      "createdAt": "2026-04-29T20:00:00.000Z"
    },
    {
      "documentType": "privacy",
      "documentVersion": "1.4",
      "accepted": true,
      "createdAt": "2026-04-29T20:00:00.000Z"
    },
    {
      "documentType": "marketing-emails",
      "documentVersion": "1.0",
      "accepted": false,
      "createdAt": "2026-04-29T20:00:00.000Z"
    }
  ]
}

Item fields

| Field | Type | Notes |
| --- | --- | --- |
| documentType | string | The key recorded by the original POST /users/consent (e.g. tos, privacy, cookies) |
| documentVersion | string | The version recorded with the consent |
| accepted | boolean | true for opt-in, false for explicit decline |
| createdAt | string (ISO 8601) | Server-side timestamp of when the consent was recorded |

Errors

| HTTP | code / i18nKey | Reason |
| --- | --- | --- |
| 401 | (guard) | Missing / invalid bearer token |

Side effects

  1. prisma.consentRecord.findMany({ where: { userId }, orderBy: { createdAt: 'desc' }, take: 100, select: { documentType: true, documentVersion: true, accepted: true, createdAt: true } }).
  2. Return the array. No mutations.
  3. ipAddress and userAgent are intentionally excluded from the select — they are stored server-side for compliance audit and are never exposed in this read.
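
A contract check that a client test or CI job could run against this endpoint's response body, as an added example (not BIO.RE's own code): it allow-lists the four documented item fields, so a regression that starts returning ipAddress or userAgent fails, and it also checks the 100-row cap and the createdAt DESC ordering. The function name checkConsentHistory and both sample bodies are constructed for illustration.

```typescript
// Contract check for GET /api/v1/users/consent response bodies (added example).
const ALLOWED_FIELDS = ['documentType', 'documentVersion', 'accepted', 'createdAt'];
const MAX_ROWS = 100; // cap stated on this page

function checkConsentHistory(body: unknown): string[] {
  const problems: string[] = [];
  const data = (body as { data?: unknown } | null)?.data;
  if (!Array.isArray(data)) return ['data is not an array'];
  if (data.length > MAX_ROWS) problems.push(`more than ${MAX_ROWS} rows: ${data.length}`);
  let previous = Infinity; // timestamp of the previous row, for the ordering check
  data.forEach((row: unknown, i: number) => {
    if (typeof row !== 'object' || row === null || Array.isArray(row)) {
      problems.push(`row ${i}: not an object`);
      return;
    }
    const item = row as Record<string, unknown>;
    // Allow-list, not deny-list: any extra key (ipAddress, userAgent, ...) counts as a leak.
    for (const key of Object.keys(item)) {
      if (ALLOWED_FIELDS.indexOf(key) === -1) problems.push(`row ${i}: unexpected field "${key}"`);
    }
    if (typeof item.documentType !== 'string') problems.push(`row ${i}: documentType not a string`);
    if (typeof item.documentVersion !== 'string') problems.push(`row ${i}: documentVersion not a string`);
    if (typeof item.accepted !== 'boolean') problems.push(`row ${i}: accepted not a boolean`);
    const ts = typeof item.createdAt === 'string' ? Date.parse(item.createdAt) : NaN;
    if (isNaN(ts)) {
      problems.push(`row ${i}: createdAt not a parseable timestamp`);
    } else {
      if (ts > previous) problems.push(`row ${i}: not in createdAt DESC order`);
      previous = ts; // equal timestamps are allowed (several consents in one request)
    }
  });
  return problems;
}

// Constructed sample bodies (not real API output).
const goodBody = { success: true, data: [
  { documentType: 'tos', documentVersion: '2.1', accepted: true, createdAt: '2026-04-29T20:00:00.000Z' },
  { documentType: 'privacy', documentVersion: '1.4', accepted: true, createdAt: '2026-04-28T09:30:00.000Z' },
] };
const leakyBody = { success: true, data: [
  { documentType: 'tos', documentVersion: '2.1', accepted: true, createdAt: '2026-04-28T09:30:00.000Z',
    ipAddress: '203.0.113.7' }, // field that must never reach the client
  { documentType: 'privacy', documentVersion: '1.4', accepted: true, createdAt: '2026-04-29T20:00:00.000Z' },
] };

console.log(checkConsentHistory(goodBody));
console.log(checkConsentHistory(leakyBody));
```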

Code samples

cURL

curl https://api.bio.re/api/v1/users/consent \
  -H "Authorization: Bearer $ACCESS_TOKEN"

TypeScript (fetch)

type ConsentHistoryItem = {
  documentType: string;
  documentVersion: string;
  accepted: boolean;
  createdAt: string;
};

async function getConsentHistory(accessToken: string): Promise<ConsentHistoryItem[]> {
  const res = await fetch('https://api.bio.re/api/v1/users/consent', {
    headers: { Authorization: `Bearer ${accessToken}` },
  });
  const json = await res.json();
  if (!res.ok || !json.success) {
    throw Object.assign(new Error(json?.error?.message ?? 'Consent history fetch failed'), {
      code: json?.error?.code,
    });
  }
  return json.data;
}

TypeScript (React Query)

import { useQuery } from '@tanstack/react-query';

// ConsentHistoryItem is the type defined in the fetch sample above.

export const userKeys = {
  consent: () => ['users', 'consent'] as const,
};

export function useConsentHistory() {
  return useQuery({
    queryKey: userKeys.consent(),
    queryFn: async () => {
      // No Authorization header is set here. Assumption: the app sends the bearer
      // token some other way (for example a fetch wrapper); without it the endpoint returns 401.
      const res = await fetch('/api/v1/users/consent');
      const json = await res.json();
      if (!res.ok || !json.success) {
        throw Object.assign(new Error(json?.error?.message ?? 'Consent history fetch failed'), {
          code: json?.error?.code,
          i18nKey: json?.error?.i18nKey,
        });
      }
      return json.data as ConsentHistoryItem[];
    },
    staleTime: 60_000, // History changes only when user actively records new consent
  });
}

Response Body (application/json)

Example success response:

{
  "success": true,
  "data": [
    {
      "documentType": "tos",
      "documentVersion": "2.1",
      "accepted": true,
      "createdAt": "2019-08-24T14:15:22Z"
    }
  ]
}

Example error response:

{
  "success": false,
  "error": {
    "code": "AUTH_UNAUTHORIZED",
    "message": "Invalid credentials",
    "i18nKey": "auth.login.invalid_credentials",
    "i18nVars": {
      "field": "email"
    },
    "details": [
      {
        "message": "email must be an email"
      }
    ],
    "correlationId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
  }
}

Source

| Source | Path | Lines |
| --- | --- | --- |
| Controller | apps/api-core/src/modules/user/user.controller.ts | 263–269 (getConsentHistory) |
| DTO (response item) | apps/api-core/src/modules/user/dto/user-client-response.dto.ts | 189–201 (ConsentHistoryItemDto) |
| Service | apps/api-core/src/modules/user/user.service.ts | 739–751 (getConsentHistory) |
| Prisma model | packages/prisma/prisma/schema.prisma | ConsentRecord |
