feat: add consent screen

[lionellbriones]

Motivation and Context

Introduces a consent gate that requires users to accept Terms and Conditions / Privacy Policy before completing the login flow. When consentRequired is enabled in uiConfig (along with tncLink and privacyPolicy URLs), the SDK pauses after wallet connection and prompts the user to accept or decline before proceeding.

Jira Link:
https://consensyssoftware.atlassian.net/browse/EMBED-80

Description

New Connector Status: CONSENT_REQUIRED

• Added CONSENT_REQUIRED to CONNECTOR_STATUS and CONNECTOR_EVENTS constants.
• Defined CAN_LOGOUT_STATUSES to allow logout from the consent-required state.
• Extended ConnectorEvents and Web3AuthNoModalEvents typings with the new event.

Core SDK (no-modal)

• Web3AuthNoModal: Added consentRequired flag, pendingConnectedData, and pendingAuthorizedData fields to buffer connection/authorization data while awaiting user consent.
• connectToConnector: When consent is required, the connected event handler now emits CONSENT_REQUIRED instead of CONNECTED, and buffers the AUTHORIZED event data.
• acceptConsent(): New public method that resumes the login flow — transitions status from CONSENT_REQUIRED to CONNECTED/AUTHORIZED, connects plugins, and emits buffered events.
• logout(): Updated to allow logout from CONSENT_REQUIRED state, clearing any pending data.
• SSR rehydration: Respects consentRequired when restoring status from idToken.

Modal Manager (modal)

• Reads consentRequired, privacyPolicy, and tncLink from uiConfig in the constructor.
• Wires up onAcceptConsent and onDeclineConsent callbacks to LoginModal.
• onAcceptConsent calls acceptConsent(); onDeclineConsent calls logout() and closes the modal.

UI Components (modal UI layer)

• LoginModal: Listens for the CONSENT_REQUIRED connector event and transitions modal to consent status. Exposes consentRequired flag. Forwards accept/decline handlers.
• WidgetContext: Added handleAcceptConsent and handleDeclineConsent to the widget context.
• Root: Passes consent handlers and TnC/privacy links to the Loader. Hides footer links when consent screen is active.
• Loader: New ConsentRequiredStatus sub-component renders the consent UI with accept/decline buttons, TnC link, and privacy policy link. Shown when modalStatus === CONSENT_REQUIRED.

How has this been tested?

Screenshots (if appropriate):

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

• My code follows the code style of this project. (run lint)
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.
• My code requires a db migration.

---

Note

Medium Risk
Changes the core connection state machine and emitted events during login, which can affect existing integrations that rely on connected/authorized timing and logout behavior. UI flow now blocks completion until user action, so regressions could strand users in an intermediate state if misconfigured.

Overview
Adds an optional consent gate to the Web3Auth login flow: when uiConfig.consentRequired is enabled (and privacyPolicy + tncLink are provided), the SDK now pauses after wallet connection and emits a new consent_required status/event instead of immediately finalizing login.

Implements CONSENT_REQUIRED across no-modal and modal: core buffers pending connected/authorized data until acceptConsent() is called (or allows logout() from this state), while the modal UI renders a new consent screen with Accept/Decline actions wired through LoginModal/WidgetContext/Loader and hides footer links during the consent step.

^{Reviewed by Cursor Bugbot for commit 9108c09. Bugbot is set up for automated code reviews on this repo. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
web3auth-web	Ready	Preview, Comment	Apr 6, 2026 9:09am

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 8c25b8d. Configure here.}

[cursor]

Consent flow loses accessToken and refreshToken

Medium Severity

When the AUTHORIZED event is buffered during CONSENT_REQUIRED state, only idToken is persisted via setState, omitting accessToken and refreshToken. The normal (non-consent) flow persists all three. Additionally, acceptConsent() emits the buffered AUTHORIZED event but never calls setState to persist these missing tokens, so they are permanently lost.

Additional Locations (1)

• packages/no-modal/src/noModal.ts#L504-L508

 

^{Reviewed by Cursor Bugbot for commit 8c25b8d. Configure here.}