
Core Concepts

A quick guide to the building blocks of ConsentForge.

Tenant

Your account. Everything belongs to a tenant — users, properties, vendors, billing. When you sign up, a tenant is created for you.

Property

A single website or app. One embed token per property. A property has:

  • Its own banner configuration
  • Its own vendor list
  • Its own policy
  • Its own scan history
  • Its own consent receipts

Example: example.com and shop.example.com can be two separate properties, or one (if they share the same token).

Policy

The rulebook for what consent means on a property. A policy defines:

  • Which categories exist (Necessary, Analytics, Marketing, etc.)
  • Which purposes are covered
  • Which regions the policy applies to (EU, US, Global)
  • What vendors fall under each category

Policies are versioned. Every consent receipt references the exact policy version active when the user decided.

Banner

The visual and behavioral configuration of your consent banner:

  • Layout (bottom bar, modal, corner float)
  • Colors, fonts, logo
  • Button labels and descriptions
  • Preference center structure

Vendor

A third-party service that processes data on your site. Google Analytics, Meta Pixel, HubSpot, YouTube — these are all vendors. ConsentForge maintains a library of 300+ pre-configured vendors with multilingual descriptions.

Consent Receipt

A tamper-proof record of a single consent decision. Contains:

  • Timestamp (UTC)
  • User agent (hashed)
  • IP address (hashed)
  • Choices made (accepted/rejected per category)
  • Policy version at time of decision
  • Banner version at time of decision

Receipts are chained via HMAC — you can verify no receipt has been altered.
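
How a verifier can walk an HMAC chain and locate the first altered receipt, as an added example that is not ConsentForge's own code. The page does not document the receipt format or MAC construction, so this assumes each receipt stores the previous receipt's MAC plus an HMAC-SHA256 over that value and its canonical JSON body; the field names, `GENESIS`, and the key are hypothetical.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed anchor value for the first receipt


def receipt_mac(key: bytes, prev_mac: str, body: dict) -> str:
    # Canonical JSON so identical fields always produce identical bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + b"|" + payload, hashlib.sha256).hexdigest()


def append_receipt(chain: list, key: bytes, body: dict) -> None:
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"body": body, "prev_mac": prev, "mac": receipt_mac(key, prev, body)})


def first_broken_link(chain: list, key: bytes, head: str = None):
    """Index of the first receipt failing verification, len(chain) if the
    chain does not end at the separately stored head MAC, else None."""
    prev = GENESIS
    for i, r in enumerate(chain):
        linked = hmac.compare_digest(r["prev_mac"], prev)
        intact = hmac.compare_digest(r["mac"], receipt_mac(key, prev, r["body"]))
        if not (linked and intact):
            return i
        prev = r["mac"]
    if head is not None and not hmac.compare_digest(prev, head):
        return len(chain)  # newest receipts were dropped
    return None


def build_sample(key: bytes) -> list:
    # Constructed sample receipts using the fields listed on this page.
    chain = []
    for ts, marketing in [("2024-05-01T10:00:00Z", False),
                          ("2024-05-01T10:05:00Z", True),
                          ("2024-05-01T10:09:00Z", False)]:
        append_receipt(chain, key, {
            "timestamp": ts, "ua_hash": "ua-hash-placeholder",
            "ip_hash": "ip-hash-placeholder",
            "choices": {"necessary": True, "marketing": marketing},
            "policy_version": 3, "banner_version": 7})
    return chain


if __name__ == "__main__":
    key = b"constructed-demo-key"
    chain = build_sample(key)
    chain[1]["body"]["choices"]["marketing"] = False  # simulated tampering
    print(first_broken_link(chain, key))
```

A chain of this shape catches edits, deletions and reordering inside the sequence, but dropping the newest receipts is only detectable when the latest MAC is kept somewhere separate, which is what the `head` argument models.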

Embed Token

The unique identifier for your property, used in the script tag. Looks like: cf_live_abc123xyz...

Never expose your API key in the browser. The embed token is safe to use publicly — it's scoped to read-only runtime operations.

Distribution Target

Somewhere consent signals are sent after a user decides. Examples:

  • Google Tag Manager (dataLayer push)
  • Google Consent Mode (gtag consent update)
  • Webhook endpoint (your backend)
  • Meta (Consent API)

Scan / Finding

A scan crawls your site and detects third-party scripts and cookies. Each detected tracker is a finding. Findings can be assigned to vendors in your policy.