What it does
This endpoint sits on the public /public/v1 ring — unauthenticated, anonymous and open to any caller. There is no API key and no OAuth token on this ring; the trust boundary is enforced by rate limiting, strict input validation and a server-fixed response shape rather than by a credential.
When a visitor makes a choice in the cookie banner, the marketing site’s server-side client forwards that choice here. The record is appended to a PECR audit trail — consent snapshots are never mutated or deleted, only added, so the estate can always reconstruct exactly what a visitor agreed to and when.
Because the caller is the marketing edge (not the browser directly), the hub accepts the submission without a CSRF check here — the marketing edge is the trust boundary that validates the visitor’s own consent form before forwarding.
Do not confuse it with application consent
There are two unrelated consent systems in the platform. This endpoint handles cookie consent — the analytics/marketing choices in the banner. Credit-application consent (agreeing to a credit search, to terms, to a facility) lives in an entirely separate application-consents store and is never written here. If you are integrating an application flow, do not send it to this endpoint.
Rate limiting
The public ring is rate limited to 60 requests per 60 seconds per IP as a fixed window. When you exceed it the API returns 429 Too Many Requests with a Retry-After header giving the number of seconds until the window resets. See Rate limits and 429 for the retry pattern, and Errors and status codes for the envelope.
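The limit and the wait can be modelled together. The following is an added example, not the platform's own code: a stand-in fixed-window limiter (60 requests per 60 seconds per IP) and a caller that waits for Retry-After before trying again. The class and function names, the injected clock and sleep, and the constructed IP 203.0.113.7 are assumptions, since the server's implementation is not documented on this page.

```python
import math

LIMIT, WINDOW = 60, 60  # from the page: 60 requests per 60 seconds per IP


class FixedWindowLimiter:
    """Stand-in model of the limiter, keyed by (ip, window index)."""
    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window, self.counts = limit, window, {}

    def check(self, ip, now):
        """Return (status, headers) for a request from ip at time now (seconds)."""
        key = (ip, int(now // self.window))
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] <= self.limit:
            return 200, {}
        reset = (key[1] + 1) * self.window  # start of the next window
        return 429, {"Retry-After": str(max(1, math.ceil(reset - now)))}


def retry_delay(headers, default=WINDOW, ceiling=WINDOW):
    """Seconds to wait after a 429; Retry-After is used only if it is a sane integer."""
    raw = headers.get("Retry-After", "")
    if not (raw.isascii() and raw.isdigit()):
        return default  # missing or malformed header: wait one full window
    return min(max(int(raw), 1), ceiling)  # never spin on 0, never wait past a window


def send_with_retry(send, clock, sleep, max_attempts=3):
    """Call send(now) until it is not rate limited; return (status, seconds waited)."""
    waited = 0
    for _ in range(max_attempts):
        status, headers = send(clock())
        if status != 429:
            return status, waited
        delay = retry_delay(headers)
        sleep(delay)
        waited += delay
    return 429, waited  # give up and surface the 429 to the caller


def simulate(start=30.0, ip="203.0.113.7"):
    """Constructed scenario: use up the window at t=start, then send one more."""
    limiter, now = FixedWindowLimiter(), [start]
    for _ in range(LIMIT):
        limiter.check(ip, now[0])
    def sleep(seconds):
        now[0] += seconds  # advance the fake clock instead of blocking
    return send_with_retry(lambda t: limiter.check(ip, t), lambda: now[0], sleep)
```

With the window used up 30 seconds in, the 61st request is refused, the caller waits 30 seconds, and the retry lands in the next window.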
Frequently asked questions
Should my browser JavaScript call this directly?
No. It is designed to be called by a trusted server-side client (the marketing edge), which validates the visitor’s banner interaction first. The edge is the CSRF/origin trust boundary; calling it straight from the browser bypasses that.
Can I delete or overwrite a consent record?
No. The store is append-only for PECR audit integrity. A change of mind is a new snapshot appended on top, not an edit of the old one.
Is this the same consent as agreeing to a loan?
No. This is cookie consent under PECR. Credit-application consent is recorded separately in the application-consents store and never touches this endpoint.
