Skip to main content

API and webhooks

The API and Webhooks page has three tabs: API Key, REST API and Webhooks. The page is scoped to the domain selected at the top of the dashboard.

Domain ID

Every domain has a Domain ID. This is the public key used in your install snippet. It is visible in your page source by design. The API Key tab shows it along with the ready-to-paste script embed:

<script src="https://cdn.optsens.com/optsens.min.js/YOUR_DOMAIN_ID"></script>

Copy the ID or the full snippet from this tab. See Install OptSens for placement.

Regenerate the Domain ID

You can generate a new Domain ID from the same tab.

Regenerating breaks live integrations

The current Domain ID is invalidated immediately. The banner stops loading on your site until you update the new ID everywhere you use it: the script tag, Google Tag Manager, the WordPress plugin, the Shopify app, and any REST API calls. Update your setup right after regenerating.

REST API

The REST API tab is available on the Business plan. On lower plans the tab is locked and prompts an upgrade.

The full endpoint reference, authentication and rate limits live in the API reference.

Webhooks

Webhooks are also a Business plan feature. They notify your endpoint in real time when consent events happen on the domain.

  • Add up to 5 webhooks per domain.
  • Each webhook gets a signing secret, shown once when created. Store it securely.
  • You can test a webhook, toggle it active or inactive, view its delivery log, and regenerate its secret.

Verifying signatures

Every delivery carries a signature that confirms it came from OptSens. The request carries two headers:

HeaderPurpose
X-OptSens-SignaturePayload signature, in the form v1=<hex digest>
X-OptSens-TimestampTimestamp the signature was computed with

The signed message is the timestamp, a dot, then the raw request body. Compute its hex HMAC-SHA256 with your signing secret and prefix the result with v1=:

v1=HMAC-SHA256(secret, timestamp + "." + body)

Compare that against X-OptSens-Signature. If they match, the delivery is authentic. Regenerating the secret invalidates the old one. Update your handler when you rotate it.