feat: add consent screen

[lionellbriones]

Motivation and Context

Introduces a consent gate that requires users to accept Terms and Conditions / Privacy Policy before completing the login flow. When consentRequired is enabled in uiConfig (along with tncLink and privacyPolicy URLs), the SDK pauses after wallet connection and prompts the user to accept or decline before proceeding.

Jira Link:
https://consensyssoftware.atlassian.net/browse/EMBED-80

Description

New Connector Status: CONSENT_REQUIRED

• Added CONSENT_REQUIRED to CONNECTOR_STATUS and CONNECTOR_EVENTS constants.
• Defined CAN_LOGOUT_STATUSES to allow logout from the consent-required state.
• Extended ConnectorEvents and Web3AuthNoModalEvents typings with the new event.

Core SDK (no-modal)

• Web3AuthNoModal: Added consentRequired flag, pendingConnectedData, and pendingAuthorizedData fields to buffer connection/authorization data while awaiting user consent.
• connectToConnector: When consent is required, the connected event handler now emits CONSENT_REQUIRED instead of CONNECTED, and buffers the AUTHORIZED event data.
• acceptConsent(): New public method that resumes the login flow — transitions status from CONSENT_REQUIRED to CONNECTED/AUTHORIZED, connects plugins, and emits buffered events.
• logout(): Updated to allow logout from CONSENT_REQUIRED state, clearing any pending data.
• SSR rehydration: Respects consentRequired when restoring status from idToken.

Modal Manager (modal)

• Reads consentRequired, privacyPolicy, and tncLink from uiConfig in the constructor.
• Wires up onAcceptConsent and onDeclineConsent callbacks to LoginModal.
• onAcceptConsent calls acceptConsent(); onDeclineConsent calls logout() and closes the modal.

UI Components (modal UI layer)

• LoginModal: Listens for the CONSENT_REQUIRED connector event and transitions modal to consent status. Exposes consentRequired flag. Forwards accept/decline handlers.
• WidgetContext: Added handleAcceptConsent and handleDeclineConsent to the widget context.
• Root: Passes consent handlers and TnC/privacy links to the Loader. Hides footer links when consent screen is active.
• Loader: New ConsentRequiredStatus sub-component renders the consent UI with accept/decline buttons, TnC link, and privacy policy link. Shown when modalStatus === CONSENT_REQUIRED.

How has this been tested?

Screenshots (if appropriate):

Login flow

Screen.Recording.2026-04-13.at.5.17.32.PM.mov

Consent screen

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

• My code follows the code style of this project. (run lint)
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.
• My code requires a db migration.

---

Note

Medium Risk
Touches core connection state transitions and event sequencing in authentication flows, so regressions could impact login completion or UI state in edge cases (SSR, reconnect, connect-only vs connect-and-sign).

Overview
Adds an optional consent gate to the Web3Auth login flow: when uiConfig.consentConfig.required is enabled, the SDK now pauses post-connection in a new CONSENT_REQUIRING state and only completes CONNECTED/AUTHORIZED after the user accepts (or logs out/aborts on decline).

This threads the new consent lifecycle end-to-end: no-modal introduces CONSENT_REQUIRING/CONSENT_ACCEPTED events, state persistence (hasUserConsent), updated logout eligibility, and context hooks that ignore CONNECTED while pendingUserConsent; modal adds consent UI in the loader, wires accept/decline callbacks through LoginModal/WidgetContext, and updates Web3Auth.connect() resolution logic accordingly (with new tests).

Demo apps are updated to showcase/toggle consent behavior, and @web3auth/auth is bumped to 11.6.0 across demos/packages (plus lockfile churn).

^{Reviewed by Cursor Bugbot for commit b69a9f6. Bugbot is set up for automated code reviews on this repo. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
web3auth-web	Error		Apr 27, 2026 9:10am

[lionellbriones]

i think consentConfigMode is set only on dashboard. not sure if we should include it on sdk config.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 2373cad. Configure here.}