> ## Documentation Index
> Fetch the complete documentation index at: https://developer.onetrust.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CMP API Service Level Objectives

OneTrust is committed to providing reliable and timely API services. As such, we are working based on certain service level objectives (SLOs) to maintain the integrity of the services. For clarity, these service levels are objectives only and not a commitment or guarantee.

# Overview

CMP Extensible SDK APIs are in an available state **99%** of the time. Requests have a P95 latency of **< 500ms** and P99 latency of **< 1 second**. Less than **0.5%** of requests return a 5XX error status response.

> 👍
>
> The service is considered **available** when the service is above its Service Level Objective (SLO) and the error rate is below its Service Level Objective (SLO). The service needs to simultaneously meet both of its SLO targets to be considered available. If either target is not met, the service is considered unavailable.
>
> For example, if the service becomes unavailable for a 10-minute period, the availability score will be 99.90% for the week and 99.97% for the month.

> 📘
>
> These SLOs are based on actual production metrics monitored via DataDog Dashboard for CMP API over the past 90 days, showing consistent performance of 99.93-99.97% availability.

# Availability during Maintenance Periods

All CMP API endpoints remain available during maintenance windows because they are edge-deployed on Cloudflare's global network.

* **Read endpoints:** The read endpoints continue serving from edge cache during maintenance. These endpoints are edge-cached and continue to serve from Cloudflare's cache with minimal impact during maintenance windows.

  | API Name                       | API Path         |
  | :----------------------------- | :--------------- |
  | Get Banner Data                | GET /banner      |
  | Get Preference Center Data     | GET /preferences |
  | Get Universal Consent Purposes | GET /uc-purposes |
  | Get IAB and Google Vendors     | GET /vendors     |
* **Write endpoint:** The write endpoint also remains available. API Consumers should implement retry logic with exponential backoff and queue failed consent payloads for later submission.

  | API Name    | API Path               |
  | :---------- | :--------------------- |
  | Log Consent | POST /save-log-consent |

# API Response

All CMP Extensible SDK APIs have the following latency characteristics:

[block:parameters]
{
  "data": {
    "h-0": "Percentile",
    "h-1": "Latency (TTFB) Target",
    "h-2": "Applies to",
    "0-0": "**P95**",
    "0-1": "\\< 500 ms",
    "0-2": "All endpoints:  \nGET /banner  \nGET /preferences  \nGET /vendors  \nGET /uc-purposes  \nPOST /save-log-consent",
    "1-0": "**P99**",
    "1-1": "\\< 1 second",
    "1-2": "All endpoints:  \nGET /banner  \nGET /preferences  \nGET /vendors  \nGET /uc-purposes  \nPOST /save-log-consent"
  },
  "cols": 3,
  "rows": 2,
  "align": [
    "left",
    "left",
    "left"
  ]
}
[/block]

These latency targets are based on actual production performance data. Typical response times are significantly lower, with most requests completing in under 200ms due to edge caching.

For more information, see the [API Reference Documentation](https://developer.onetrust.com/onetrust/reference).

# API Performance

* POST /save-log-consent writes to storage in **< 5 seconds** 99% of the time.
* Consent receipt is available for downstream integrations in **< 5 seconds** 99% of the time.

# Data Availability

* Configuration changes published in the OneTrust admin console are reflected in GET /banner, GET /preferences, GET /uc-purposes , and GET /vendors in up to **10 minutes** 99% of the time.
* New consent data is available in GET /banner and GET /preferences (cross-device sync) in up to **30 seconds** 99% of the time.
* Vendor list updates are reflected in GET /vendors in up to **10 minutes** 99% of the time.

# Rate Limiting

The CMP Extensible SDK APIs (Cloudflare Worker endpoints) do not enforce rate limits at the edge. However, the downstream Consent API used by POST /save-log-consent may have rate limits for consent recording operations.

Clients (API consumers) should implement reasonable retry logic with exponential backoff for any 5XX errors or timeouts.

# Example Workflow Scenarios

## Scenario #1 – Banner Display

When a call is made to GET /banner, the SDK receives banner configuration data including show/hide logic, geolocation rules, and IAB TCF/GPP consent strings within 1 second (P99), typically under 500ms (P95). On subsequent calls, cached responses are typically returned in under 200ms.

## Scenario #2 – Consent Logging

When a user interacts with the Banner or Preference Center, the SDK calls POST /save-log-consent with the consent model payload. The API returns storage keys, receipt ID, and updated OT consent string within 1 second (P99). The consent receipt is written to storage and available for downstream integrations within 5 seconds.

## Scenario #3 – Cross-Device Profile Sync

When CMP APIs are called with the header `OT-Fetch-Type: APP_DATA_AND_SYNC_PROFILE`, the worker fetches both application data and the synchronized profile for the current identifier so consent can be reused across devices for the same profile. Separately, when POST /save-log-consent is called with `interactionType: SYNC_PROFILE`, that interaction is used to sync consent from one profile/identifier to another profile/identifier. The API responds within 1 second (P99). Updated profile preferences are available from subsequent GET /preferences calls within 30 seconds.

## Scenario #4 – Preference Center Rendering

When a call is made to GET /preferences , the SDK receives preference center data including purpose groups, consent statuses, and IAB vendor information within 1 second (P99), typically under 500ms (P95). This data is used to render the Preference Center UI.

## Scenario #5 – Configuration Updates

When a configuration change is published in the OneTrust admin console (e.g., banner text, purpose descriptions, geolocation rules), the updated configuration is reflected in API responses within 10 minutes due to edge cache TTL.

# API Endpoints

All CMP Extensible SDK APIs are available at the following base path:

```Text Base path
/cfw/cmp/v1
```

## Available Hosts

* cdn.cookielaw\.org
* cdn-apac.onetrust.com
* cdn.au.onetrust.com
* cdn-ukwest.onetrust.com
* cookie-cdn.cookiepro.com
* mobile-data.onetrust.io

## Public Endpoints

| Method | Endpoint          | API Documentation                                                                                  |
| :----- | :---------------- | :------------------------------------------------------------------------------------------------- |
| GET    | /banner           | [Get Banner Data](https://developer.onetrust.com/onetrust/reference/get_banner)                    |
| GET    | /preferences      | [Get Preference Center Data](https://developer.onetrust.com/onetrust/reference/get_preferences)    |
| GET    | /vendors          | [Get IAB and Google Vendors](https://developer.onetrust.com/onetrust/reference/get_vendors)        |
| GET    | /uc-purposes      | [Get Universal Consent Purposes](https://developer.onetrust.com/onetrust/reference/get_ucpurposes) |
| POST   | /save-log-consent | [Log Consent](https://developer.onetrust.com/onetrust/reference/post_logconsent)                   |