Consent proof
The GDPR puts the burden of proof on you: when a visitor consented, you must be able to show it. A consent proof is a PDF receipt for one visitor's consent record, signed to make tampering detectable. It is the document you hand to an auditor or attach to a DSAR response.
What the PDF contains
| Section | Detail |
|---|---|
| Receipt ID | The receipt identifier, or the first 16 characters of the record's SHA-256 hash |
| Domain and visitor | The domain and the visitor's ID |
| Dates | Consent date and expiry date |
| Action | Accept all, reject all, custom selection, GPC auto-applied, or dismissed |
| Categories | A table of necessary, functional, analytics, advertising and performance |
| Context | Banner mode, page URL, country, language, GPC status, masked IP address |
| Framework strings | TCF, Google AC and GPP strings where present |
| Signature | An HMAC-SHA256 signature (a keyed hash) for tamper detection |
Browser and device details are not in the PDF. The IP address appears only in masked form.
Generate one from the dashboard
Open consent logs, find the visitor's record, and use the PDF link on that row. The dashboard version supports a language parameter to produce the receipt in English or Serbian. There is also a public receipt link tied to the record's receipt ID.
Generate one over the API
On Business and Custom plans the REST API has a consent proof endpoint that returns the same signed PDF for a visitor ID:
GET /api/v1/consent-proof/:visitorId
curl -H "X-Api-Key: YOUR_API_SECRET" \
-o consent-proof.pdf \
"https://api.optsens.com/api/v1/consent-proof/a1b2c3d4-e5f6-7890-abcd-ef1234567890"
The endpoint is rate limited per domain. See the REST API reference for the full request and response detail.
How the signature helps
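The PDF carries an HMAC-SHA256 signature computed over the core record fields (visitor, domain, date, categories and action) with a key only the OptSens servers hold. A forged or altered document cannot carry a matching signature, which makes the PDF usable as evidence rather than a plain printout. Because HMAC uses a single secret key, the holder of a PDF cannot recompute the signature themselves; checking it means asking OptSens, as described under Verify a receipt.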
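The following sketch is an added example, not OptSens code: it shows how an HMAC-SHA256 over a canonical form of the core fields behaves when a record is altered, reordered, or signed with a different key. The field names, the JSON canonicalization, the sample record and the demo key are all assumptions; the page does not document the real serialization.

```python
import hashlib
import hmac
import json

# Constructed demo key; the real key is held only by the OptSens servers.
DEMO_KEY = b"constructed-demo-key"
# Core fields the page lists as covered by the signature (names are assumed).
SIGNED_FIELDS = ("visitor", "domain", "date", "categories", "action")

# Constructed sample record, not real data.
RECORD = {
    "visitor": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "domain": "example.com",
    "date": "2025-01-15T10:30:00Z",
    "categories": {"necessary": True, "functional": True, "analytics": False,
                   "advertising": False, "performance": False},
    "action": "custom selection",
    "page_url": "https://example.com/pricing",  # context, outside the signed set
}


def canonical_bytes(record: dict) -> bytes:
    """Serialize only the signed fields into one unambiguous byte string."""
    core = {name: record[name] for name in SIGNED_FIELDS}
    # Sorted keys and fixed separators: equal records always give equal bytes.
    return json.dumps(core, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign(record: dict, key: bytes = DEMO_KEY) -> str:
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify(record: dict, signature: str, key: bytes = DEMO_KEY) -> bool:
    try:
        expected = sign(record, key)
    except KeyError:  # a signed field is missing from the record
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.strip().lower().encode())


def demo() -> dict:
    sig = sign(RECORD)
    flipped = {**RECORD, "categories": {**RECORD["categories"], "analytics": True}}
    return {
        "original": verify(RECORD, sig),
        "category_flipped": verify(flipped, sig),
        "keys_reordered": verify(dict(reversed(list(RECORD.items()))), sig),
        "other_key": verify(RECORD, sign(RECORD, b"some-other-key")),
        "missing_field": verify({"visitor": RECORD["visitor"]}, sig),
    }
```

Calling `demo()` returns one boolean per case; only the untouched record and the key-reordered copy verify, which is the property that lets a receipt be checked against the stored record.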
Verify a receipt
Anyone holding a proof PDF can check it against the stored record. Send the receipt ID and the signature printed on the document:
curl -X POST "https://api.optsens.com/api/consent/verify-proof" \
-H "Content-Type: application/json" \
-d '{"receipt_id": "RECEIPT_ID_FROM_THE_PDF", "signature": "SIGNATURE_FROM_THE_PDF"}'
The response reads `{"valid": true, "scheme": "HMAC-SHA256"}` for an authentic receipt. A scheme of `SHA-256` marks a receipt issued before the signing key existed. The endpoint needs no API key and is rate limited.
When to use it
- Responding to a regulator asking how a visitor consented.
- Answering an access request as part of a DSAR.
- Keeping a point-in-time record alongside your own files.
For the underlying data and bulk export, see consent records.