API reference

POST /public/v1/consent

POST /public/v1/consent records a cookie-consent snapshot under PECR §6 / GDPR recital 47. It captures a visitor’s analytics and marketing cookie choices when they interact with the cookie banner. This is cookie consent, not credit-application consent — the two are stored separately and must not be conflated.

PECR: Cookie-consent audit trail
append: Records are append-only
edge: Called by the marketing server, not the browser

What it does

This endpoint sits on the public /public/v1 ring — unauthenticated, anonymous and open to any caller. There is no API key and no OAuth token on this ring; the trust boundary is enforced by rate limiting, strict input validation and a server-fixed response shape rather than by a credential.

When a visitor makes a choice in the cookie banner, the marketing site’s server-side client forwards that choice here. The record is appended to a PECR audit trail — consent snapshots are never mutated or deleted, only added, so the estate can always reconstruct exactly what a visitor agreed to and when.

Because the caller is the marketing edge (not the browser directly), the hub accepts the submission without a CSRF check here — the marketing edge is the trust boundary that validates the visitor’s own consent form before forwarding.

There are two unrelated consent systems in the platform. This endpoint handles cookie consent — the analytics/marketing choices in the banner. Credit-application consent (agreeing to a credit search, to terms, to a facility) lives in an entirely separate application-consents store and is never written here. If you are integrating an application flow, do not send it to this endpoint.

Rate limiting

The public ring is rate limited to 60 requests per 60 seconds per IP as a fixed window. When you exceed it the API returns 429 Too Many Requests with a Retry-After header giving the number of seconds until the window resets. See Rate limits and 429 for the retry pattern, and Errors and status codes for the envelope.
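The following sketch shows how a server-side client at the marketing edge could honour the 429 and Retry-After behaviour described above. It is an added example, not code from the API's own documentation; the `send` transport, the fake hub and the 200 success status used to exercise it are assumptions made for illustration.

```python
import time

CONSENT_PATH = "/public/v1/consent"  # from the page; the host is deployment-specific
WINDOW_SECONDS = 60                  # the page's fixed window: a reset is never further away


def parse_retry_after(headers):
    """Return the Retry-After delay in whole seconds, or None if absent or unusable."""
    for name, value in headers.items():
        value = value.strip()
        if name.lower() == "retry-after" and value.isascii() and value.isdigit():
            return min(int(value), WINDOW_SECONDS)  # never trust an oversized wait
    return None


def post_consent(send, payload, sleep=time.sleep, max_attempts=3):
    """Forward one consent snapshot, waiting out 429 responses.

    `send(path, payload)` is a hypothetical transport returning (status, headers).
    Only 429 is retried: the store is append-only, so blindly re-sending after
    other failures could append a duplicate snapshot.
    Returns (final_status, attempts_made, seconds_waited).
    """
    max_attempts = max(1, max_attempts)
    waited = 0
    for attempt in range(1, max_attempts + 1):
        status, headers = send(CONSENT_PATH, payload)
        if status != 429 or attempt == max_attempts:
            break
        delay = parse_retry_after(headers)
        if delay is None:
            delay = WINDOW_SECONDS  # no usable header: wait out a full window
        sleep(delay)
        waited += delay
    return status, attempt, waited


def make_fake_hub(responses):
    """Constructed stand-in for the hub: replays canned (status, headers) pairs."""
    queue, calls = list(responses), []

    def send(path, payload):
        calls.append((path, payload))
        return queue.pop(0)

    return send, calls
```

Because the limit is counted per IP, every visitor forwarded through one marketing edge address shares the same 60-request window, so the edge should treat a 429 as a signal to slow all forwarding rather than only the request that failed.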

Frequently asked questions

Should my browser JavaScript call this directly?

No. It is designed to be called by a trusted server-side client (the marketing edge), which validates the visitor’s banner interaction first. The edge is the CSRF/origin trust boundary; calling it straight from the browser bypasses that.

Can I delete or overwrite a consent record?

No. The store is append-only for PECR audit integrity. A change of mind is a new snapshot appended on top, not an edit of the old one.

Is this the same consent as agreeing to a loan?

No. This is cookie consent under PECR. Credit-application consent is recorded separately in the application-consents store and never touches this endpoint.
