Implementation Guidance

This page walks you through how to implement the CMP API solution in your application.

Application Launch

OneTrust recommends calling the Banner and Preference Center API on each app launch to determine whether a banner needs to be shown and retrieve consent status, respectively.

After the first/initial API call, it will be the application's responsibility to store the otConsentString in local storage and send it in subsequent calls for any of the APIs used. The otConsentString should be updated once a new one from the latest API used is received and passed into the next API call. Rinse and repeat.


Cross device consent

When you need to retrieve a user's consent profile (e.g. upon login or app launch), the app should call both the Banner and Preference Center API (passing in the identifier, JWT, and fetch type) to determine if a banner needs to be shown and retrieve consent preferences.

User Interface

The application is responsible for providing the UI but OneTrust provides the necessary data to seed the UI. View the Get Banner UI _and _Get Preference Center UI pages for more information.

If you're retrieving an IAB TCF Vendor List, make sure you include both the otConsentString and OT-Tcf-Eu2v2-Consent-String in the header to ensure the correct consentStatus and legIntStatus for each vendor is returned. The vendor list API will also only return active vendors as configured in admin UI.

Saving Consent

As the user makes a consent choice on the banner or preference center, the application can save the consent with the Save and Log Consent API.

If you use any of the ALLOW_ALL or REJECT_ALL interaction types, you can leave the keys in the consent body empty. The consent status will only have to be specified when using any of the CONFIRM interaction types.

If you're updating consent for an IAB TCF vendor, you only have to update the vendor whose consent is changing, you won't have to update all of them.

Cross Device Consent

Retrieving User Profiles

To retrieve a user's profile, ensure you're passing OT-Identifier, OT-Sync-Profile-Auth, and OT-Fetch-Type into the Banner and Preference Center API calls.

Updating/Creating User Profiles

To update or create a user's profile, ensure you are passing OT-Identifier, OT-Sync-Profile-Auth, and OT-Fetch-Type into the Save and Log Consent API call. If these keys are not passed with the correct JWT for the identifier, profiles will not be created or updated (i.e. isAnonymous is set to true).

Storage Data

The application is responsible for storing the following data in local storage and updating the values on each app launch or consent change.


This string can be stored in private storage locally as it's only used by the CMP API service.


If IAB TCF or GPP is in scope, a storageKey object will be returned in the response of the banner, preference center, and save consent APIs. The application should store all data in this object in common storage. On any subsequent calls of the three aforementioned APIs, the storageKey values should be updated.

Handling Consent Changes

When a user makes or updates their consent choices, the application needs to become aware so that it can control the next set of actions like:

  • Allowing or restricting processing of 3rd party SDKs based on their categorization
  • Passing latest user consent values to 3rd Party SDKs
  • Passing the IAB's encoded TC String to 3rd party SDKs
  • Passing the IAB's USP String to 3rd Party SDKs
  • Routing the User to another location in the App
  • Displaying messages to the User of their changes
  • Logging updates to internally owned APIs
  • etc...

In order to retrieve user consent, a call should be made to the Preference Center API with the latest otConsentString and IAB strings if applicable. From the response, the app should then parse the Purposesobject and reference the consentStatus for each applicable purpose/category.