
Abstract - The Digital Personal Data Protection Act 2023 and the Digital Personal Data Protection Rules 2025 oblige every Data Fiduciary to capture verifiable consent from the Data Principal and, where the Principal is a child or a person with disability, from an authority the statute recognises as lawful. Rule 11 of the DPDP Rules names three such authorities, namely a court of law, a designated authority under section 15 of the Rights of Persons with Disabilities Act 2016 (RPwD), and a local level committee constituted under the National Trust for Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999 (National Trust Act). Schedule IV adds five scope-restricted Data Fiduciary classes and five exempt purposes, each riding on its own source of authority. This article argues that the workable Consent Manager under the DPDPA is not a repository of consent receipts but a typed authority graph whose edges are bounded in time. Put simply, a Consent Manager is more than a static space for consent collection; it is a dynamic network map of permissions. A node (dot) represents an entity such as the Data Principal, a natural person acting on behalf of the Data Principal, a Data Fiduciary, a Data Processor, or an authority such as DigiLocker, a court or a local level committee. An edge (arrow) represents a signed permission that connects one node to another; each edge is labelled with a purpose and is time-bounded. Lastly, a token is a small piece of signed data issued by an authority that certifies the existence of an edge relation, thus forming the issuance layer. The graph portrays the consent map that the Consent Manager can walk. The graph is also what makes the revocation cascade possible. When an edge dies, the graph can traverse outward along the processes-for and derived-from edges and tell every downstream node to stop. That traversal is only possible because all the nodes and edges live inside one connected structure.
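The revocation cascade described above, sketched as an added example that is not code from the article or from any Consent Manager implementation. The node names, the `consents-to` edge type, the edge direction, the epoch-second windows and the rule that the cascade stays within the dead edge's purpose are assumptions made for illustration; only the processes-for and derived-from edge types come from the text.

```python
from collections import deque
from dataclasses import dataclass

CASCADE_KINDS = {"processes-for", "derived-from"}  # edge types named in the article

@dataclass
class Edge:
    src: str            # consents-to: grantor; cascade kinds: the dependent node
    dst: str            # consents-to: grantee; cascade kinds: the node depended on
    kind: str
    purpose: str
    not_before: int     # validity window, epoch seconds (constructed values below)
    not_after: int
    revoked: bool = False

def is_live(e, now):
    """An edge carries authority only if unrevoked and inside its time window."""
    return not e.revoked and e.not_before <= now < e.not_after

def cascade(edges, dead):
    """Nodes that must stop processing for dead.purpose, in breadth-first order."""
    stop, queue = [dead.dst], deque([dead.dst])
    while queue:
        node = queue.popleft()
        for e in edges:
            if (e.kind in CASCADE_KINDS and e.dst == node
                    and e.purpose == dead.purpose and e.src not in stop):
                stop.append(e.src)   # the membership check keeps cycles from looping
                queue.append(e.src)
    return stop

def sweep(edges, now):
    """Map every consent edge that is not live at `now` to the nodes to notify."""
    return {(e.src, e.dst, e.purpose): cascade(edges, e)
            for e in edges if e.kind == "consents-to" and not is_live(e, now)}

# Constructed sample graph: one principal, one fiduciary, three processors.
GRAPH = [
    Edge("dp:asha", "df:edtech", "consents-to", "analytics", 1000, 2000),
    Edge("dp:asha", "df:edtech", "consents-to", "billing", 1000, 9000),
    Edge("proc:cloud", "df:edtech", "processes-for", "analytics", 1000, 9000),
    Edge("proc:ml", "proc:cloud", "derived-from", "analytics", 1000, 9000),
    Edge("proc:cloud", "proc:ml", "derived-from", "analytics", 1000, 9000),  # cycle
    Edge("proc:pay", "df:edtech", "processes-for", "billing", 1000, 9000),
]

if __name__ == "__main__":
    for key, nodes in sweep(GRAPH, now=2500).items():
        print(key, "->", nodes)
```

Expiry and explicit revocation take the same path here: either one makes the consent edge non-live, and the billing processor is untouched when only the analytics consent lapses.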
