Withdrawal is operator-recorded on behalf of the candidate. Paste the legal-tier audit token + your name.
The candidate has requested withdrawal of biometric consent. This action sets a 30-day SLA clock for destruction (per consent template v1 §2). The retention sweep + erase runbook handle actual destruction; this endpoint records intent + starts the clock.
consent.biometric.status = Withdrawn, accelerates retention_until from the 18-month default to 30 days from now. Future photo uploads will be refused (403). General-PII consent is NOT touched — the candidate can keep their non-biometric data on the platform.
Audit chain row appended; retention sweep will pick it up at the SLA.
The retention sweep flags this subject as overdue once retention_until passes. An operator with legal-tier credentials runs the destruction runbook (POST /biometric/subject/<id>/erase) within the 30-day SLA.
To verify the withdrawal landed cleanly: