OneTrust is committed to providing reliable and timely API services. As such, we are working based on certain service level objectives (SLOs) to maintain the integrity of the services. For clarity, these service levels are objectives only and not a commitment or guarantee.

Overview

CMP Extensible SDK APIs are in an available state 99% of the time. Requests have a P95 latency of < 500ms and P99 latency of < 1 second. Less than 0.5% of requests return a 5XX error status response.

👍
The service is considered available when the service is above its Service Level Objective (SLO) and the error rate is below its Service Level Objective (SLO). The service needs to simultaneously meet both of its SLO targets to be considered available. If either target is not met, the service is considered unavailable.
For example, if the service becomes unavailable for a 10-minute period, the availability score will be 99.90% for the week and 99.97% for the month.

📘
These SLOs are based on actual production metrics monitored via DataDog Dashboard for CMP API over the past 90 days, showing consistent performance of 99.93-99.97% availability.

Availability during Maintenance Periods

All CMP API endpoints remain available during maintenance windows because they are edge-deployed on Cloudflare's global network.

Read endpoints: The read endpoints continue serving from edge cache during maintenance. These endpoints are edge-cached and continue to serve from Cloudflare's cache with minimal impact during maintenance windows.

API Name API Path
Get Banner Data GET /banner
Get Preference Center Data GET /preferences
Get Universal Consent Purposes GET /uc-purposes
Get IAB and Google Vendors GET /vendors
Write endpoint: The write endpoint also remains available. API Consumers should implement retry logic with exponential backoff and queue failed consent payloads for later submission.

API Name API Path
Log Consent POST /save-log-consent

API Name	API Path
Get Banner Data	GET /banner
Get Preference Center Data	GET /preferences
Get Universal Consent Purposes	GET /uc-purposes
Get IAB and Google Vendors	GET /vendors

API Name	API Path
Log Consent	POST /save-log-consent

API Response

All CMP Extensible SDK APIs have the following latency characteristics:

Percentile	Latency (TTFB) Target	Applies to
P95	< 500 ms	All endpoints: GET /banner GET /preferences GET /vendors GET /uc-purposes POST /save-log-consent
P99	< 1 second	All endpoints: GET /banner GET /preferences GET /vendors GET /uc-purposes POST /save-log-consent

These latency targets are based on actual production performance data. Typical response times are significantly lower, with most requests completing in under 200ms due to edge caching.

For more information, see the API Reference Documentation.

API Performance

POST /save-log-consent writes to storage in < 5 seconds 99% of the time.
Consent receipt is available for downstream integrations in < 5 seconds 99% of the time.

Data Availability

Configuration changes published in the OneTrust admin console are reflected in GET /banner, GET /preferences, GET /uc-purposes , and GET /vendors in up to 10 minutes 99% of the time.
New consent data is available in GET /banner and GET /preferences (cross-device sync) in up to 30 seconds 99% of the time.
Vendor list updates are reflected in GET /vendors in up to 10 minutes 99% of the time.

Rate Limiting

The CMP Extensible SDK APIs (Cloudflare Worker endpoints) do not enforce rate limits at the edge. However, the downstream Consent API used by POST /save-log-consent may have rate limits for consent recording operations.

Clients (API consumers) should implement reasonable retry logic with exponential backoff for any 5XX errors or timeouts.

Example Workflow Scenarios

Scenario #1 – Banner Display

When a call is made to GET /banner, the SDK receives banner configuration data including show/hide logic, geolocation rules, and IAB TCF/GPP consent strings within 1 second (P99), typically under 500ms (P95). On subsequent calls, cached responses are typically returned in under 200ms.

Scenario #2 – Consent Logging

When a user interacts with the Banner or Preference Center, the SDK calls POST /save-log-consent with the consent model payload. The API returns storage keys, receipt ID, and updated OT consent string within 1 second (P99). The consent receipt is written to storage and available for downstream integrations within 5 seconds.

Scenario #3 – Cross-Device Profile Sync

When CMP APIs are called with the header OT-Fetch-Type: APP_DATA_AND_SYNC_PROFILE, the worker fetches both application data and the synchronized profile for the current identifier so consent can be reused across devices for the same profile. Separately, when POST /save-log-consent is called with interactionType: SYNC_PROFILE, that interaction is used to sync consent from one profile/identifier to another profile/identifier. The API responds within 1 second (P99). Updated profile preferences are available from subsequent GET /preferences calls within 30 seconds.

Scenario #4 – Preference Center Rendering

When a call is made to GET /preferences , the SDK receives preference center data including purpose groups, consent statuses, and IAB vendor information within 1 second (P99), typically under 500ms (P95). This data is used to render the Preference Center UI.

Scenario #5 – Configuration Updates

When a configuration change is published in the OneTrust admin console (e.g., banner text, purpose descriptions, geolocation rules), the updated configuration is reflected in API responses within 10 minutes due to edge cache TTL.

API Endpoints

All CMP Extensible SDK APIs are available at the following base path:

/cfw/cmp/v1

Available Hosts

cdn.cookielaw.org
cdn-apac.onetrust.com
cdn.au.onetrust.com
cdn-ukwest.onetrust.com
cookie-cdn.cookiepro.com
mobile-data.onetrust.io

Public Endpoints

Method	Endpoint	API Documentation
GET	/banner	Get Banner Data
GET	/preferences	Get Preference Center Data
GET	/vendors	Get IAB and Google Vendors
GET	/uc-purposes	Get Universal Consent Purposes
POST	/save-log-consent	Log Consent