From a 3 KB edge loader to a signed audit log, each piece is independently best-in-class, and they all snap together. No glue code. No spreadsheet exports. No "enterprise tier to unlock the basics."
Drop in a script. Get a banner, a policy API, a scanner, and an audit log — all wired to the same source of truth.
Auto-published at /.well-known/consent.json — agents read it before scripts run.
Claude Code, Cursor, and custom agents query consent as a tool.
Every decision (human or agent) returns a portable JWT.
Detects trackers + suggests categories on every deploy.
Regional rules apply automatically by visitor IP.
Use our component, our headless API, or your own design.
<3 KB gzipped, served from 280+ PoPs — no CWV hit.
Scripts, iframes, custom rules per consent category.
Every change signed and exportable as a compliance bundle.
Strict types end-to-end. Zod schemas validate webhooks at runtime — no any escape hatches.
Copy-paste install pages for Next.js, Remix, Nuxt, Astro, SvelteKit, WordPress, and GTM.
Banner copy ships translated. Override individual strings or supply your own locale files in plain JSON.
HMAC-SHA256 with timestamp + nonce. Replay window 5 minutes. Verifier snippets for every framework.
Manage hundreds of sites from one workspace. Shared category templates, per-site regional overrides.
Import config exports from Cookiebot, OneTrust, iubenda, and Ketch. Re-validated on first scan.
cl.js is 2.8 KB gzipped and includes the banner shell, category gate, scanner ping, and policy fetch. It loads asynchronously, never blocks render, and resolves the category state at the edge so we don't round-trip to origin for a consent decision.
strategy="beforeInteractive" in Next.js

<!-- 1 · Add to <head> -->
<script async src="https://cdn.consentlayer.dev/cl.js" data-site="cl_live_a7f3..."></script>

<!-- 2 · Optional: react to changes -->
<script>
  // Toggle analytics whenever the visitor's consent state changes.
  window.consentlayer.on('change', (s) => { analytics.toggle(s.analytics); });
</script>
_clarity · clarity.ms · new
_ga, _gid · google-analytics.com
__tld__ · ads.linkedin.com · new
cf_clearance · cloudflare.com
__stripe_mid · stripe.com

Two scan passes. The loader collects real-browser cookie data passively. A headless crawler hits every URL in your sitemap on deploy and replays the same instrumentation. New trackers surface within minutes — with a suggested category from our trained classifier.
Machine-readable policy at /.well-known/consent.json, an MCP server with two tools, and signed receipts agents can carry. Verified agents from Anthropic, OpenAI, and Perplexity already honor ConsentLayer policies.
.well-known/consent.json, CDN-cached, open spec
get_policy and record_decision

claude-3-5-sonnet recorded decision analytics:false
regions.gdpr.default changed by Hana T.
operator-build-1.2 fetched policy v17
vital-pixel.io for review

Every settings change, banner decision, and agent fetch is appended to a Merkle-tree log and signed. Generate a regulator-ready CSV + JWT bundle in one click. SOC 2 receipt format ships in the Growth plan.
Typed end-to-end. Framework-native. Zero-config defaults. Works in your existing stack on the first try.
Every method has strict TypeScript types. Webhook payloads validate at runtime via the same Zod schemas that ship with the SDK. No any escape hatches.
Framework-aware install pages give you the right hydration strategy, the right loader timing, and the right env-var pattern — copy-paste ready.
The SDK ships ESM + CJS, works in Cloudflare Workers, Vercel Edge, Bun, Deno, and Node 18+. No DOM dependencies in the server path.
Every webhook is HMAC-SHA256 signed with a per-site secret and includes a timestamp + nonce. Replay window is 5 minutes by default. Sample verifier in every framework preset.
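A receiver-side check for the scheme described above, as an added example rather than ConsentLayer's own verifier snippet. The page does not give the wire format, so the field names, the "<timestamp>.<nonce>.<raw body>" signing string, the hex signature encoding and the millisecond timestamp are assumptions.

```javascript
// Added example: the header fields and signing string below are assumptions,
// not ConsentLayer's documented wire format.
const crypto = require("node:crypto");

const REPLAY_WINDOW_MS = 5 * 60 * 1000; // default replay window stated on the page
const seenNonces = new Map(); // nonce -> expiry in ms (use a shared store across instances)

// Assumed signing string: "<timestamp>.<nonce>.<raw body>", keyed with the per-site secret.
function sign(secret, timestamp, nonce, rawBody) {
  return crypto.createHmac("sha256", secret)
    .update(`${timestamp}.${nonce}.${rawBody}`)
    .digest("hex");
}

// Returns "ok", "malformed", "bad_signature", "stale" or "replayed".
function verifyWebhook({ secret, timestamp, nonce, signature, rawBody }, now = Date.now()) {
  const ts = Number(timestamp); // assumed: milliseconds since the Unix epoch
  if (!Number.isFinite(ts) || !nonce || typeof signature !== "string") return "malformed";

  // 1. Authenticate first, over the raw bytes received (not re-serialized JSON),
  //    so unauthenticated senders cannot fill the nonce cache.
  const expected = Buffer.from(sign(secret, timestamp, nonce, rawBody), "hex");
  const given = Buffer.from(signature, "hex");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return "bad_signature";
  }

  // 2. Reject anything outside the replay window (this also bounds clock skew).
  if (Math.abs(now - ts) > REPLAY_WINDOW_MS) return "stale";

  // 3. Inside the window, each nonce is accepted once. An entry can be dropped
  //    once its timestamp would be rejected as stale anyway.
  for (const [n, expiry] of seenNonces) if (expiry < now) seenNonces.delete(n);
  if (seenNonces.has(nonce)) return "replayed";
  seenNonces.set(nonce, ts + REPLAY_WINDOW_MS);
  return "ok";
}

// Constructed sample delivery (secret, nonce and payload are made up).
const demo = { secret: "constructed-site-secret", timestamp: String(Date.now()),
  nonce: "demo-nonce-1", rawBody: '{"category":"analytics","granted":false}' };
demo.signature = sign(demo.secret, demo.timestamp, demo.nonce, demo.rawBody);
console.log(verifyWebhook(demo), verifyWebhook(demo)); // first delivery, then its replay
```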
Have feature questions? Here are the ones we hear most. For billing or plan questions, see the pricing page.
Three options. Use the default banner themed via design tokens (one CSS file). Or use the headless API (cl.onChange) and render anything you want. Or use our pre-built React / Vue / Svelte components that wrap the headless API. All three honor the same policy.
Yes. The loader instruments the browser-side cookie API and observes mutations across route changes. For client-rendered apps, this catches trackers that traditional crawl-only scanners miss. For static or server-rendered pages, the sitemap crawler runs in parallel.
14 languages out of the box: English, German, French, Spanish, Italian, Portuguese (BR & PT), Dutch, Polish, Czech, Swedish, Norwegian, Finnish, Japanese, and Korean. Translation files are plain JSON — bring your own or override individual strings.
Yes, on the Growth plan and above. The TCF string is generated client-side and exposed via the standard __tcfapi. Vendor lists update automatically; you don't need to maintain anything.
Every decision returns a JWT signed by the same key that signs /.well-known/consent.json. The public key is published at /.well-known/consentlayer-keys.json. Receipts can be verified offline by any third party — us, you, your auditor, your regulator.
Settings changes (who, what, when, before/after diff), banner decisions (per session, hashed visitor ID, category state), agent fetches (which policy version, which agent operator), and exports (who downloaded the bundle, with what filter). 730-day retention on Pro, 7-year on Growth.
The SDK works inside Workers and Vercel Edge today — the loader resolves consent state and forwards decisions. The full control plane runs on our edge for now. Self-hosting the policy server is on the Enterprise roadmap (Q3 2026).
We use Cloudflare's request-level country code, which arrives as a header and never leaves the edge. No IP is stored, no third-party geo provider, no client-side fingerprinting. The regional rule resolves before any tracker can run.
Join the engineering teams using ConsentLayer to gate scripts, audit decisions, and stay compliant — across humans, agents, and every region.