Authorization and Consent Management

Information about the user experience of the consent flow and how users can manage permissions

In Epic Account Services, a third-party application must obtain the user's consent to its requested data access permissions before it can either authenticate the user or access the user's data. This section describes the user experience of the consent and authentication flow.

Brand Verification and Consent

When a new application is created for Epic Account Services, it must be verified through the Brand Application Review process. An application that has not been verified is available only to users within your organization. Users outside your organization who attempt to access the application receive a warning that access to it is restricted, and they are unable to use it.

Audience Restriction Dialog

Users within your organization also receive a warning that the application is unverified, but they have the option to continue to the application. This lets your organization iterate on the product during development without exposing it to outside users.

Unverified Application Dialog

If the user clicks Continue to App, the consent dialog that follows also displays a red banner stating that the application is unverified.


When the application passes a Brand Application Review, the audience restriction that prevents outside users from seeing the application is removed. The unverified application warning and the red banner in the consent dialog are removed as well, and users proceed directly to the consent dialog.


This double-layered warning (the unverified application dialog followed by the banner in the consent dialog) ensures that users are told twice, before they grant permissions, that the application has not passed review and that giving it access to their data carries risk.

Requesting User Consent

The consent dialog for an Epic Account Services application asks the user to review the permissions that your application is requesting and to either grant or deny consent. It consists of the following information:

Consent Dialog

  1. Application Name: The friendly name of your application as it will appear on the user's device.

  2. Brand Logo: A 128x128 pixel icon representing your application.

  3. Requested Permissions: The specific data access permissions that you are asking the user to grant in this dialog.

  4. Privacy Policy: A link to the URL where users can review your privacy policy.

  5. Display Name: A field showing the display name of the account the user is currently logged in as.

If the user clicks Allow, they agree to let the application access their data under the permissions listed, and the application can proceed as normal. If the user clicks Deny, the application is not granted access to their data. Users must grant consent in this dialog before they can use the application.

Reviewing and Revoking Consent

Users can always review and revoke consent they have given to various applications at


This page lists every application the user has granted data access permissions to and lets them review the same information that was shown in the consent dialog. They can click Revoke Access at any time to remove an application's permissions. If the user later attempts to access that application, they are taken through the consent dialog again before it can access their data.

Under the Service Addendum for Epic Account Services, developers are required to securely delete all of a user's account data upon the user's request, or upon notification from Epic that the user has requested deletion of their data.

Epic is currently working on an automated solution for notifying developers when a user deletes their account or otherwise revokes consent. Until it is available, developers should not assume they will be notified automatically when consent is revoked.