2 min read
Step 1 — validate at your edge
Your server is the trust boundary. Validate the visitor’s banner interaction first — the endpoint accepts the forwarded snapshot without a CSRF check precisely because your edge already did that check.
Step 2 — forward the snapshot
curl -sS -X POST https://hub.credicorp.co.uk/public/v1/consent \
-H 'Content-Type: application/json' \
-d '{"analytics":true,"marketing":false}'
Step 3 — it is appended, not replaced
Every snapshot is appended to the PECR audit trail. A change of mind is a new record on top, not an edit — so the history is complete and tamper-evident.
Do not confuse it with application consent
This endpoint is for cookie consent only. Credit-application consent (agreeing to a search, to terms) is a separate store and must never be sent here. See the reference.
Frequently asked questions
Should the browser call the consent endpoint directly?
No. Forward it from a trusted server-side client that has already validated the banner interaction. Your edge is the CSRF/origin trust boundary.
Can I overwrite a previous consent record?
No. The store is append-only for PECR integrity. Record a new snapshot on top; the old one stays for the audit trail.
Funding for UK limited companies
Credicorp lends to your company, not to you personally — short-term working capital with no personal guarantee. See what your business could access.