ConsentLayer
Get Started
Agentic Consent management solution

Make any website compliant with one prompt

Tell Cursor, Claude Code, Codex, Replit, or Lovable to add ConsentLayer — our MCP runs the install. Prefer manual? Drop one <script> tag in your <head>. Either way, GDPR / CCPA / LGPD ready in seconds.

Get Started Now — it’s FREE
No credit card required Install in seconds GDPR / CCPA / LGPD ready
cursor · /northwind-app MCP 
> add ConsentLayer to my site

→ calling consentlayer.install
 snippet added to app/layout.tsx
 banner configured · GDPR + CCPA
 policy at /.well-known/consent.json
 MCP endpoint live · receipts signed

 done in 9.2s · open dashboard
northwind.app
LIVE
We value your privacy
We use cookies and similar technologies to measure traffic, personalise content, and support advertising.
MCP-native — install from any AI coding agent below
Cursor, Claude, Codex, Replit, Lovable
The platform

Everything you need to ship compliant consent.

Drop in a script. Get a banner, a policy API, a scanner, and an audit log, all wired to the same source of truth.

Policy file

Every site publishes a signed, machine-readable consent policy at /.well-known/consent.json.

  • Versioned and cached at the edge
  • Human and agent readable
  • Cryptographically signed
northwind.app/.well-known/consent.json 
{
  "version": "1.0",
  "site": "northwind.app",
  "regions": ["EU", "US-CA", "BR"],
  "categories": {
    "necessary": true,
    "analytics": false,
    "marketing": false
  },
  "mcp": "https://northwind.app/mcp/consent",
  "signed_by": "cl_live_a7f3…2b91"
}
MCP server

One prompt. Your agent does the rest. Any MCP-aware coding agent installs ConsentLayer, configures the banner, and wires the policy end to end.

Consent UI

A banner that meets every regulation, branded to your site.

Scanner

Every deploy is scanned. New trackers arrive as a queue.

Audit ledger

Every decision is signed and exportable for any regulator.

Edge loader

Under 3 KB, served from 280+ PoPs. Zero Core Web Vitals impact.

Regions

GDPR, CCPA, LGPD applied by IP. Right rules, every visitor.

Get started See all features
In motion

See it in action.

From the install prompt to the audit log — pick a tab to see how the moving parts fit together.

One prompt. ConsentLayer installs itself.

Tell Cursor, Claude Code, Codex, Replit, or Lovable to add ConsentLayer. Our MCP server runs the install — snippet, banner, policy, audit endpoint — in under 10 seconds.

  • Works in any MCP-aware coding agent
  • No copy-paste, no framework guessing
  • Same prompt for every site you own
cursor · /northwind-app MCP 
> add ConsentLayer to my site

→ calling consentlayer.install
 snippet added to app/layout.tsx
 banner configured · GDPR + CCPA
 policy at /.well-known/consent.json
 MCP endpoint live · receipts signed

 done in 9.2s · open dashboard

One <script async> tag in your <head>.

Framework presets for Next, Vue, WordPress, and GTM. The loader is sub-3 KB and serves from the edge, so there’s no impact on Core Web Vitals.

  • Auto-detects framework on first install
  • TypeScript types ship with the SDK
  • Runs before any third-party script
app/layout.tsx · Next.js (App Router) 
// One tag. Every framework.
import type { Metadata } from 'next';

export default function RootLayout({ children }) {
  return (
    <html>
      <head>
        <script
          async
          src="https://cdn.consentlayer.dev/v1/cl.js"
          data-key="cl_live_a7f3…2b91"
        />
      </head>
      <body>{children}</body>
    </html>
  );
}

Every deploy triggers a fresh scan.

The scanner crawls your site and classifies every cookie and third-party request. New scripts get an “unassigned” badge until you (or an agent) categorize them.

  • One-click “Block / Allow / Categorize” per finding
  • Surfaces marketing-team additions before your DPO does
  • Public markup only, no crawling behind auth
scanner · 2 unreviewed Live
LI
LinkedIn Insight Tag
first-seen 12m ago · suggested: Marketing
HJ
Hotjar Recording
first-seen 1h ago · suggested: Analytics
GA
Google Analytics 4
categorized: Analytics · approved
Live
ST
Stripe.js
categorized: Necessary · approved
Live

Agents read the rules. And honor them.

The .well-known/consent.json file is auto-generated from your settings. The MCP server lets Claude, Operator, and Perplexity record signed decisions on the visitor’s behalf.

  • Verified agent tokens map to per-user consent
  • Default policy (Strict / Standard / Permissive) for unverified agents
  • Same audit log as your human visitors
GET /.well-known/consent.json 200 OK · 248 ms 
{
  "version": "1.0",
  "site": "northwind.app",
  "mcp": "https://northwind.app/mcp/consent",
  "categories": {
    "necessary":  true,
    "analytics":  false,
    "marketing":  false
  },
  "agent_default": "strict",
  "signed_by": "cl_live_a7f3…2b91",
  "signature": "sha256=4f1b…"
}

Every event, signed and stored.

Every settings change, banner decision, and agent fetch is logged with a signed receipt. Export a compliance bundle for any auditor in one click.

  • 7-year retention, queryable by API
  • HMAC-SHA256 webhook signatures
  • Stream to your warehouse via the firehose
Audit log · last 24h
RM
Rohan Mehta updated banner copy · EU
“We value your privacy” → “Cookies on northwind.app”
12:48 UTC
signed
AI
Claude (Anthropic) fetched policy · receipt issued
decision: reject analytics · jwt: eyJhbGciOi…
12:31 UTC
signed
SK
Sasha Kim approved LinkedIn Insight · Marketing
via scanner queue · auto-categorized
11:09 UTC
signed
JV
Jamie Vu rotated webhook secret
env: production · key id: whsec_8ad…
09:42 UTC
signed
Why ConsentLayer

Why engineering teams ship ConsentLayer.

Shipping compliance isn’t luck. It’s a system.

/ frameworks

One snippet. Every framework.

A single <script async> tag works in Next.js, Remix, Nuxt, Astro, WordPress, or plain HTML. Framework-specific install pages give you copy-paste snippets with the right hydration strategy already chosen.

Read the install guide
“Replaced our OneTrust integration in an afternoon. The Next.js snippet just worked, including Server Components.”
[NAME], [Title], [Company] Placeholder
app/layout.tsx 
// 1 · Drop this in your <head>. That's the install.
<script
  async
  src="https://cdn.consentlayer.dev/v1/cl.js"
  data-key="cl_live_a7f3…2b91"
  data-region="auto"
/>

// 2 · Optional — react to consent changes
window.consentlayer.on('change', (state) => {
  analytics.toggle(state.analytics);
  ads.toggle(state.marketing);
});

// Same two steps in every framework.
/ agents

Agents are first-class users.

ConsentLayer publishes a signed, machine-readable policy at /.well-known/consent.json, exposes an MCP server, and mints portable consent receipts. AI browsing agents read the rules and honor them, so there's no broken automation and no privacy lawsuits.

View the MCP spec
"We treat ConsentLayer's MCP server like an internal tool. Operator respects the policy automatically."
[NAME], [Title], [Company] Placeholder
Human view
We value your privacy
We use cookies to measure traffic and personalise content.
Necessary
Analytics
Marketing
→ logged · receipt: jwt
Agent view · MCP
$ curl northwind.app/.well-known/consent.json

{
  "necessary": true,
  "analytics": false,
  "marketing": false,
  "region": "EU",
  "mcp": "…/mcp/consent",
  "signed_by": "cl_live…2b91"
}
→ same decision · same receipt
/ scanner

The scanner is the input, not the chore.

Every deploy triggers a fresh scan. New 3rd-party scripts surface in your inbox with a suggested category and a one-click "accept" or "block". You're not auditing cookies; you're approving a queue.

See a sample scan
"We discovered three trackers our marketing team had added without telling us. The scanner caught it the same day."
[NAME], [Title], [Company] Placeholder
Inbox · 5 new trackers deploy 1284
LI
LinkedIn Insight Tag
added by deploy · suggested Marketing
HJ
Hotjar Recording
added by deploy · suggested Analytics
GA
Google Analytics 4
added by deploy · suggested Analytics
SG
Segment.js
added by deploy · suggested Analytics
?
vital-pixel.io
unknown vendor · suggested Review
/ type safety

Type-safe, signed, validated.

Every API call is fully typed in TypeScript. Every webhook payload is HMAC-SHA256 signed. Every receipt is a verifiable JWT. Zod schemas ship with the SDK so you fail at compile time, not in production.

Open the SDK reference
"I bound the webhook to a Zod schema and the rest wrote itself. No 'undefined is not a function' at 2am."
[NAME], [Title], [Company] Placeholder
webhook.ts · TypeScript ✓ typechecked 
import { verify } from '@consentlayer/sdk';
import type { ConsentDecision } from '@consentlayer/sdk';
import { z } from 'zod';

const schema = z.object({
  decision: z.enum(['accept', 'reject', 'custom']),
  receipt:  z.string(),
  agent:    z.string().optional(),
});

export async function POST(req) {
  const body = await verify(req); // HMAC-SHA256
  const data: ConsentDecision = schema.parse(body);
  // data.decision is narrowed. typed. signed. done.
}
type ConsentDecision = {
decision: "accept" | "reject" | "custom";
receipt: string;
agent?: string;
}
Imported from @consentlayer/sdk
/ audit

Audit log auto-generated.

Every settings change, banner interaction, and agent decision is recorded with a cryptographic signature. Generate a regulator-ready bundle in one click. No spreadsheet exports, no last-minute scrambling.

View a sample export
"Our SOC 2 auditor accepted ConsentLayer's export bundle as-is. First time that's happened with any consent vendor."
[NAME], [Title], [Company] Placeholder
Audit log · last 24h
RM
Rohan Mehta updated EU banner copy
v4.2 → v4.3 · diff: 2 strings
12:48
signed
AI
Operator (OpenAI) fetched policy · agent flow
decision: reject marketing · jwt issued
12:31
signed
SK
Sasha Kim approved 2 trackers from scanner queue
LinkedIn Insight, Hotjar
11:09
signed
CL
ConsentLayer auto-scan completed · deploy 1284
2 new trackers queued for review
10:54
signed
CC
Claude Code fetched policy via MCP
decision: reject analytics · jwt issued
10:12
signed
/ performance

Sub-3 KB. Edge-deployed. CWV-safe.

The loader is <3 KB gzipped and served from 280+ PoPs. It runs before any tracker, blocks them until consent, and never paints over your hero. Pass Core Web Vitals without negotiating with your ops team.

View benchmarks
"Our LCP dropped 180ms after switching from a previous CMP. The loader is genuinely tiny."
[NAME], [Title], [Company] Placeholder
Loader order · northwind.app
LCP 1.2s
cl.js (consent)
38ms
html · LCP image
420ms
ga4.js
+204ms
linkedin-insight
+243ms
hotjar.js
+312ms
cl.js: 2.8 KB gz · runs first, blocks trackers until consent 280+ PoPs
Customers

Engineering teams shipping with ConsentLayer.

"We swapped our CMP three days before a GDPR audit. ConsentLayer's audit bundle exported in 30 seconds and the auditor signed off on the spot."

MC
Maya Chen
Engineering Lead · Ridgepoint

"The MCP integration is what sold our security team. Operator and our internal agents now respect consent rules without us writing glue code."

DO
Daniel Okonkwo
Staff Engineer · Northwind

"Migrated 47 sites from Cookiebot in a week. The TypeScript SDK and framework presets made it copy-paste across the entire portfolio."

PI
Priya Iyer
Platform Lead · Hexlane

"The TypeScript SDK is the first one in this space that didn't make us fork it. Zod schemas, signed webhooks, JWT receipts. We just consumed it."

JB
Jonas Berg
Head of Engineering · Caldera

"LCP dropped 180ms after we cut over from our old CMP. The loader is genuinely sub-3KB and it runs before anything else on the page."

SM
Sara Mendoza
Security Engineer · Brink.io

"Our team builds with Cursor and Claude Code. Being able to say 'add ConsentLayer to this site' and have it just work end-to-end is wild."

AP
Aiden Park
Developer Experience · Helixly
FAQ

Frequently asked questions

Have questions about ConsentLayer? We've got answers.

What is ConsentLayer?

A consent management platform (CMP) that handles GDPR, CCPA, and LGPD compliance for your site. Drop in one snippet, get a cookie banner, a scanner that finds trackers, a machine-readable policy AI agents can read, and a full audit trail.

How is this different from Cookiebot, iubenda, or OneTrust?

Same compliance coverage, two differences. First, ConsentLayer treats AI browsing agents as first-class consenters: they fetch a signed policy and honor it automatically. Second, the developer experience is built for engineering teams: typed SDK, signed webhooks, framework presets, MCP integration, and a CLI.

What does "agentic-first" mean for my site?

Today, AI agents like ChatGPT Operator, Claude Computer Use, and Perplexity Browse visit websites on behalf of users. ConsentLayer publishes a .well-known/consent.json policy those agents fetch before loading scripts or storing data, so your compliance covers AI traffic the same way it covers human traffic.

How long does setup take?

Five minutes. Add one <script async> tag to your <head>, log in, and the scanner starts cataloging your trackers automatically. The default banner ships with reasonable copy in 14 languages.

Do you support TCF v2.2 for ad tech?

Yes. The IAB Transparency & Consent Framework v2.2 is supported on Growth and above. Vendor lists update automatically.

Can AI agents really make consent decisions for users?

Yes, when the agent carries a verified consent token from its operator. Anthropic, OpenAI, and Perplexity all support agent-carried tokens. For unverified agents, you set a default policy (Strict / Standard / Permissive) per site.

What does the free tier include?

One site, up to 10,000 monthly visits, unlimited cookies and categories, full agent policy + MCP, weekly scans, and the standard banner. Paid plans start at $19/site/month for higher traffic, custom banners, and SOC 2 logs.

Can I migrate from another CMP?

Yes. We provide a one-click import for Cookiebot, OneTrust, iubenda, and Ketch config exports. The scanner re-validates everything against your actual site on first run.

Ship consent for every visitor. It's that simple.

Join the engineering teams using ConsentLayer to gate scripts, audit decisions, and stay compliant across humans, agents, and every region.

Get started, it's free
No credit card required Install in 5 minutes GDPR / CCPA / LGPD ready