feat: add consent screen

[lionellbriones]

Motivation and Context

Introduces a consent gate that requires users to accept Terms and Conditions / Privacy Policy before completing the login flow. When consentRequired is enabled in uiConfig (along with tncLink and privacyPolicy URLs), the SDK pauses after wallet connection and prompts the user to accept or decline before proceeding.

Jira Link:
https://consensyssoftware.atlassian.net/browse/EMBED-80

Description

New Connector Status: CONSENT_REQUIRED

• Added CONSENT_REQUIRED to CONNECTOR_STATUS and CONNECTOR_EVENTS constants.
• Defined CAN_LOGOUT_STATUSES to allow logout from the consent-required state.
• Extended ConnectorEvents and Web3AuthNoModalEvents typings with the new event.

Core SDK (no-modal)

• Web3AuthNoModal: Added consentRequired flag, pendingConnectedData, and pendingAuthorizedData fields to buffer connection/authorization data while awaiting user consent.
• connectToConnector: When consent is required, the connected event handler now emits CONSENT_REQUIRED instead of CONNECTED, and buffers the AUTHORIZED event data.
• acceptConsent(): New public method that resumes the login flow — transitions status from CONSENT_REQUIRED to CONNECTED/AUTHORIZED, connects plugins, and emits buffered events.
• logout(): Updated to allow logout from CONSENT_REQUIRED state, clearing any pending data.
• SSR rehydration: Respects consentRequired when restoring status from idToken.

Modal Manager (modal)

• Reads consentRequired, privacyPolicy, and tncLink from uiConfig in the constructor.
• Wires up onAcceptConsent and onDeclineConsent callbacks to LoginModal.
• onAcceptConsent calls acceptConsent(); onDeclineConsent calls logout() and closes the modal.

UI Components (modal UI layer)

• LoginModal: Listens for the CONSENT_REQUIRED connector event and transitions modal to consent status. Exposes consentRequired flag. Forwards accept/decline handlers.
• WidgetContext: Added handleAcceptConsent and handleDeclineConsent to the widget context.
• Root: Passes consent handlers and TnC/privacy links to the Loader. Hides footer links when consent screen is active.
• Loader: New ConsentRequiredStatus sub-component renders the consent UI with accept/decline buttons, TnC link, and privacy policy link. Shown when modalStatus === CONSENT_REQUIRED.

How has this been tested?

Screenshots (if appropriate):

Login flow

Screen.Recording.2026-04-13.at.5.17.32.PM.mov

Consent screen

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

• My code follows the code style of this project. (run lint)
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.
• My code requires a db migration.

---

Note

Medium Risk
Adds a new intermediate CONSENT_REQUIRED state/event to the core connection lifecycle and changes when connected/authorized are emitted, which could affect integrators that rely on existing event ordering and status semantics.

Overview
Adds an optional consent gate that pauses the login flow after connection and requires users to accept Terms/Privacy before completing. This introduces a new CONSENT_REQUIRED connector status plus CONSENT_REQUIRED/CONSENT_ACCEPTED events, and a new acceptConsent() API in @web3auth/no-modal (with logout() now allowed from the consent state and connection events flagged via pendingUserConsent).

Updates @web3auth/modal to surface the consent UI: LoginModal transitions to a new CONSENT_REQUIRED modal status, Loader renders an accept/decline screen, and modalManager wires accept/decline callbacks (accept resumes via acceptConsent(), decline logs out and closes the modal). React/Vue providers also listen for CONSENT_ACCEPTED to update connection state.

Bumps @web3auth/auth to 11.6.0 across the monorepo, demos, and lockfile.

^{Reviewed by Cursor Bugbot for commit 9006216. Bugbot is set up for automated code reviews on this repo. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
web3auth-web	Ready	Preview, Comment	Apr 14, 2026 3:07am

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 9006216. Configure here.}

[cursor]

Footer links hidden on all screens when consent enabled

Medium Severity

When consentRequired is true, the !consentRequired condition is always false, causing privacyPolicy and tncLink to be undefined on every screen — including the initial login page, connecting screen, and success screen — not just the consent screen. The intent is to hide footer links only when the consent screen is active (where the links appear inline), but the condition short-circuits due to !consentRequired. The status check modalState.status !== MODAL_STATUS.CONSENT_REQUIRED alone would achieve the desired behavior.

 

^{Reviewed by Cursor Bugbot for commit 9006216. Configure here.}

[lionellbriones]

This is intended. we only show privacy and terms links in the footer if consent required is false.