Widget Endpoints
Public API endpoints called by the embedded consent widget.
These endpoints are called by the widget running on customer websites. They require no authentication and support CORS from any origin.
Get Widget Configuration
GET /api/consent/config/:siteId

| Parameter | Type | Location | Description |
|---|---|---|---|
| siteId | UUID | Path | The site identifier |
200 OK
{
  "siteId": "550e8400-e29b-41d4-a716-446655440000",
  "siteName": "My Website",
  "config": {
    "layout": { "position": "bottom-right", "mode": "bar" },
    "colors": { "theme": "auto", "accent": "#3b82f6" },
    "content": { "privacyPolicyUrl": "https://example.com/privacy" },
    "buttons": { "acceptAll": "Accept", "rejectAll": "Reject" }
  },
  "categories": [
    {
      "key": "necessary",
      "name": "Necessary",
      "description": "Essential cookies required for the website to function.",
      "required": true,
      "default": true
    },
    {
      "key": "analytics",
      "name": "Analytics",
      "description": "Help us understand how visitors interact with our website.",
      "required": false,
      "default": false
    }
  ]
}
The config object is a free-form JSONB blob written by the dashboard customizer. Its shape is defined by the configuration UI and consumed by the widget - it may contain layout, colors, content, buttons, categories, and advanced sub-objects. See apps/web/src/lib/customizer-store.ts for the full type definitions.
Errors: 400 Invalid UUID, 403 Site not active or origin not allowed, 404 Site not found
Record Consent Event
POST /api/consent/events
Request Body
{
  "siteId": "550e8400-e29b-41d4-a716-446655440000",
  "action": "accept_all",
  "categories": {
    "necessary": true,
    "analytics": true,
    "marketing": false
  },
  "visitorHash": "anon_7f3a9b2c4d5e"
}

| Field | Type | Required | Description |
|---|---|---|---|
| siteId | UUID | Yes | The site identifier |
| action | string | Yes | accept_all, reject_all, or customize |
| categories | object | No | Map of category keys to boolean consent values |
| visitorHash | string | Yes | Anonymous visitor identifier |
200 OK
{
  "success": true,
  "consentId": "generated-uuid"
}
Errors: 400 Invalid JSON / missing fields / invalid action / invalid UUID, 403 Site not active, 404 Site not found
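The validator below is an added example, not the project's own code: since this endpoint takes unauthenticated requests from any origin, it checks the body against the field table above and returns the documented 400 cases before anything is stored. The function name, the size limits, and the error messages for categories and visitorHash are assumptions; the 403 and 404 cases need a site lookup and are outside it.

```typescript
// Added example: validation for the POST /api/consent/events body documented above.
// Limits and the "Invalid categories" / "Invalid visitorHash" messages are assumptions.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const ACTIONS = ["accept_all", "reject_all", "customize"];
const MAX_CATEGORIES = 32; // assumption
const MAX_KEY_LEN = 64; // assumption
const MAX_VISITOR_HASH_LEN = 128; // assumption

interface ConsentEvent {
  siteId: string;
  action: string;
  categories: Record<string, boolean>;
  visitorHash: string;
}
interface ValidationResult { status: 200 | 400; error?: string; event?: ConsentEvent; }

function reject(error: string): ValidationResult {
  return { status: 400, error };
}

function validateConsentEvent(rawBody: string): ValidationResult {
  let parsed: unknown;
  try { parsed = JSON.parse(rawBody); } catch (e) { return reject("Invalid JSON"); }
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) return reject("Invalid JSON");
  const { siteId, action, visitorHash, categories } = parsed as Record<string, unknown>;

  if (typeof siteId !== "string" || typeof action !== "string" || typeof visitorHash !== "string") {
    return reject("Missing fields");
  }
  if (!UUID_RE.test(siteId)) return reject("Invalid UUID");
  if (ACTIONS.indexOf(action) === -1) return reject("Invalid action");
  if (visitorHash.length === 0 || visitorHash.length > MAX_VISITOR_HASH_LEN) return reject("Invalid visitorHash");

  // categories is optional; copy only boolean values into a prototype-less map.
  const clean: Record<string, boolean> = Object.create(null);
  if (categories !== undefined) {
    if (typeof categories !== "object" || categories === null || Array.isArray(categories)) {
      return reject("Invalid categories");
    }
    const map = categories as Record<string, unknown>;
    const keys = Object.keys(map);
    if (keys.length > MAX_CATEGORIES) return reject("Invalid categories");
    for (const key of keys) {
      const value = map[key];
      if (key.length > MAX_KEY_LEN || typeof value !== "boolean") return reject("Invalid categories");
      clean[key] = value;
    }
  }
  // Rebuild the event from validated fields so unknown top-level keys are dropped.
  return { status: 200, event: { siteId, action, categories: clean, visitorHash } };
}
```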