Public API

The three endpoints the loader and your CMS can call.

GET /api/public/config/[websiteId]

Returns the full banner DTO: config, translations, categories, geo rules and exclusion lists. CORS is permissive (*); responses are cached at the edge for 60s with a 300s s-maxage.

POST /api/public/consent-event

Ingests a consent event from the loader. Validates the payload with Zod, resolves country from edge geo headers, hashes the IP with a per-website pepper, and inserts into consent_events. Never stores raw IPs.
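The ingest steps described above, as an added sketch that is not the service's own code. The field names, the `x-geo-country` header, the in-memory pepper map and the choice of HMAC-SHA256 as the keyed hash are all assumptions; the hand-rolled validator stands in for the Zod schema.

```javascript
// Added illustration: field names, header name and pepper storage are assumptions.
const { createHmac } = require('node:crypto');

// Constructed per-website peppers; a real deployment would load these from a secret store.
const PEPPERS = new Map([
  ['site-a', 'constructed-pepper-A'],
  ['site-b', 'constructed-pepper-B'],
]);

// Keyed hash of the client IP. With a secret pepper, someone holding only the
// table cannot enumerate the IPv4 space against the digests, and digests for
// the same visitor on two websites do not match.
function hashIp(ip, pepper) {
  return createHmac('sha256', pepper).update(ip).digest('hex');
}

// Stand-in for schema validation: reject anything that is not the expected
// shape and return only the known fields, so extra keys never reach the row.
function validate(body) {
  if (typeof body !== 'object' || body === null) throw new Error('invalid body');
  const { websiteId, choices } = body;
  if (typeof websiteId !== 'string' || !PEPPERS.has(websiteId)) {
    throw new Error('unknown websiteId');
  }
  if (typeof choices !== 'object' || choices === null || Array.isArray(choices)) {
    throw new Error('invalid choices');
  }
  for (const [category, granted] of Object.entries(choices)) {
    if (typeof granted !== 'boolean') throw new Error(`choice ${category} must be boolean`);
  }
  return { websiteId, choices: { ...choices } };
}

// Build the row to insert: country comes from the edge header (never from the
// request body) and the raw IP is used only as hash input.
function buildConsentRow(body, headers, clientIp) {
  const { websiteId, choices } = validate(body);
  const geo = headers['x-geo-country'] || ''; // hypothetical header name
  const country = /^[A-Z]{2}$/.test(geo) ? geo : null;
  return {
    website_id: websiteId,
    choices,
    country,
    ip_hash: hashIp(clientIp, PEPPERS.get(websiteId)),
  };
}
```
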

GET /api/public/cookie-declaration/[websiteId]

Returns the latest declaration as JSON, HTML or Markdown depending on the ?format= query. Use this to embed the declaration on the customer's cookie policy page.

GET /api/export/consent/[websiteId]?range=30d

Auth'd CSV export of daily consent stats. RLS-scoped to the caller's tenant.