ConsentLayer MCP server
Set up cookie consent with an AI agent
ConsentLayer ships a hosted MCP server at api.consentlayer.com/mcp. Connect it to Claude Code, Cursor, or any MCP client, and one prompt provisions your site, scans it for trackers, configures consent categories, and returns the install snippet with a real project key — not a placeholder.
> set up cookie consent for this site → calling setup_site … site provisioned ✓ → scanning mysite.example … 12 services detected → services sorted into consent categories ✓ install snippet ready — added to <head> ✓ banner live · trackers blocked until consent ▸ review it: app.consentlayer.com
Connect
One command. Any MCP client.
Authentication happens in your browser the first time the agent connects — there are no API keys to create, copy, or accidentally commit.
Claude Code
$ claude mcp add consentlayer \ --transport http \ "https://api.consentlayer.com/mcp"
Then ask: “set up cookie consent for this site”.
Guided setup
$ npx -y @consentlayer/mcp setup
Detects your MCP client and writes the config for you. Works for Cursor and other MCP-capable editors.
Any MCP client
{ "mcpServers": {
"consentlayer": {
"url": "https://api.consentlayer.com/mcp"
} } }
Streamable HTTP transport. Add it to your client’s MCP config and you’re connected.
Under the hood
What your agent actually does.
The fast path is a single tool call — setup_site provisions the site, scans it, configures categories, and returns the install snippet. Agents that want step-by-step control get a dedicated tool for every step.
01 / provision
Create the site
create_site provisions the domain with a default banner and three consent categories (essential, statistics, marketing) — or setup_site does this and every step below in one call.
02 / scan
Scan for trackers
scan_site crawls the site and detects tracking scripts and cookies — Google Analytics, Meta Pixel, Hotjar and more. configure_from_scan sorts what it finds into the right categories.
03 / configure
Banner, behavior, regions
update_banner_config sets the design; update_site_behavior toggles script blocking, Global Privacy Control, and Google Consent Mode; add_geolocation_group_from_template applies GDPR, CCPA, or LGPD rules by region.
04 / install
Snippet & verify
get_setup_snippet returns the script tag with your real project key — it goes in <head> without defer or async, so it runs before trackers do. get_compliance_score then grades the setup 0–100 with a punch list of anything missing.
/ ongoing
Setup is just the start.
The same MCP server runs the whole platform, so your agent can keep the site compliant after launch — not just install a banner and disappear.
- Re-scan and diff:
scan_site+get_scan_diffsurface newly added trackers - Review queue: approve or dismiss scripts the scanner couldn’t auto-classify
- Audit trail:
list_consent_recordsfilters decisions by date, country, and banner version - Scale it:
export_site_configclones a tuned setup to the next client site
FAQ
Agents have questions too.
Is the MCP server free to use?
Yes — the MCP server, REST API, and JS SDK are available on every plan, including Free. Connect it, set up a site, and go live without entering a card.
Which AI tools can I use it with?
Claude Code, Cursor, and any client that speaks MCP over streamable HTTP. The server lives at https://api.consentlayer.com/mcp; the @consentlayer/mcp npm package can write your client config for you.
Do I need an API key?
No. The first time your agent connects, your browser opens to authorize it — standard OAuth. There are no keys to create, paste into config files, or accidentally commit to a repo.
My AI tool already generated a cookie banner. Am I covered?
Usually not. Banners generated by a prompt are typically cosmetic — they show buttons, but tracking scripts still fire before anyone clicks them, and no decision is recorded anywhere. ConsentLayer blocks trackers until the visitor consents and logs every decision, which is the part regulators actually care about.
Can the agent break or delete my setup?
Configuration changes are just settings you can review and adjust in the dashboard at any time. The one destructive operation — deleting a site — requires the site’s domain to be passed back as explicit confirmation, so an agent can’t do it by accident.
Does it handle Google Consent Mode v2?
Yes. Consent categories map to Google’s ad_storage, analytics_storage, ad_user_data, and ad_personalization signals, and your agent can toggle Consent Mode with update_site_behavior.
Ship consent for every visitor. It’s that simple.
Join the engineering teams using ConsentLayer to gate scripts, audit decisions, and stay compliant across humans, agents, and every region.
No credit card required
Install in 5 minutes
GDPR / CCPA / LGPD ready