Consent Receipts

A consent receipt is a tamper-proof record of a single consent decision. Every time a visitor accepts, rejects, or changes their consent, a receipt is created.

Receipt contents

{
  "id": "rec_01HXYZ123456",
  "property_id": "prop_abc",
  "policy_id": "pol_def",
  "policy_version": 3,
  "banner_version": 7,
  "timestamp": "2026-03-09T12:34:56Z",
  "event_type": "consent.created",
  "choices": {
    "necessary": true,
    "analytics": true,
    "marketing": false,
    "functional": true
  },
  "region": "DE",
  "user_agent_hash": "sha256:a1b2c3...",
  "ip_hash": "sha256:d4e5f6...",
  "previous_receipt_id": null,
  "hmac": "sha256:g7h8i9..."
}

Fields explained

Field	Description
`id`	Unique receipt identifier
`policy_version`	Exact policy version active at time of decision
`banner_version`	Banner configuration version
`timestamp`	UTC timestamp of the decision
`event_type`	`consent.created`, `consent.updated`, or `consent.revoked`
`choices`	Per-category accept/reject decisions
`region`	GeoIP-detected region of visitor
`user_agent_hash`	SHA-256 of user agent string
`ip_hash`	SHA-256 of IP address
`previous_receipt_id`	Links to prior receipt (null for first decision)
`hmac`	HMAC-SHA256 signature for tamper detection

Viewing receipts

Dashboard → Property → Evidence → Receipts

Search by: date range, region, choice (accepted/rejected analytics, etc.).

Receipt retention

Receipts are stored for 7 years to support GDPR audit requirements (Art. 7(1) GDPR requires demonstrating that consent was given).

Verifying a receipt

The hmac field lets you verify that a receipt hasn't been altered. See Audit Chain for verification instructions.

Receipt API

Receipts are available via the API:

GET /api/v1/receipts?property_id=prop_abc&from=2026-01-01
Authorization: Bearer YOUR_API_TOKEN

Requires scope: receipts:read

Receipt contents​

Fields explained​

Viewing receipts​

Receipt retention​

Verifying a receipt​

Receipt API​