Info
Content

Integrating the CMP API for Apps

In some cases the existing SDKs cannot be used and custom intergations are neccessary. In this case app developers can use the CMP API for Apps in order to manually integrate the CMP into their app.

Workflow

The CMP API for Apps is used in the following order:

  1. The app will query the consentmanager server once per day (first start of the app on this day). It will send the existing consent information and ask the consentmanager server whether or not the user needs to be asked for consent (again).
  2. Depending on the response from the consentmanager server, the app will display the consent layer in a webview. The user can get informed and make their choices.
  3. When the user is done, the webview will communicate this to the app. The app will close the webview and process the consent information.
  4. The app can then use the consent information for its own data processing.

1. Querying the consentmanager server

As the first step, the app will send a HTTP request to:

https://[consentmanager-server]/delivery/appjson.php?id=[CMP-ID]&l=[Language]&idfa=[IDFA]&appname=[Appname]&consent=[Consent-Info]

Where the following macros are to be replaced by the app before sending:

  • [consentmanager-server] - Server-Domain (see Menu > Get Code > App SDK settings)
  • [CMP-ID] - ID of the CMP (see Menu > Get Code > App SDK settings)
  • [Language] - Language code for displaying the message (e.g. EN, FR, DE, ...)
  • [IDFA] - optional. IDFA of the app
  • [Appname] - optional. Name of the app for reporting purposes
  • [Consent-Info] - Consent-Information as received from the webview (base64 encoded version of consent data)

Example URL:

https://consentmanager.mgr.consensu.org/delivery/appjson.php?id=123456&l=FR&appname=my%20App&consent=Qxc2j2J8aN....

The response to this request is a JSON text like the following:

{
 "status":1, 
 "regulation":1, 
 "message":"", 
 "url":"https://consentmanager.mgr.consensu.org/delivery/appcmp.php?id=123456&consent=&appname=my%20App&l=FR"
 }

The fields in the respons are as follows:

Field Description
status

0=No consent neccessary, webview should not be shown

1=Consent neccessary, URL from field url should be shown in webview

2=Error occured, see message

regulation 0=no regulation settings, 1=GDPR applies, 2=CCPA applies, 3=LGPD applies, ...
message Error message to be displayed to the developer.
url URL to be shown in a webview

2. Displaying the webview

If the call to /delivery/appjson.php (see Step 1) resulted in status = 1, the app should use the value from field url and open it in a webview (Browser window embedded in the app). The URL will display a minimal HTML page which contains the web version of the CMP Code. The page also includes a "Skipp" link in order to avoid issues with JavaScript compability.

In order to display the CMP with all functions the webview should provide the following minimal features:

  • HTML 5 Support
  • CSS 3 Support
  • JavaScript 1.2 Support
  • DOM 3 Support
  • Minimal resolution of 300x300 pixels (preferably full width and min 80% height in portrait mode)
  • Open/navigate to URLs via https: protocol (e.g. privacy policies) by opening a new browser window
  • Capture when the webview tries to navigate to a URN starting with protocol "consent://"

The app should not allow the user to skipp the webview in any other way (e.g. by disabling the "back" button or similar features).

3. Processing the consent data

Once the user made their choices, the CMP will call a URN with protocol prefix consent:// followed by the consent information in base64-websafe encoded form. Example:

consent://Q083NU1KN084QXBEOEFmWlhDREVBOUNzQVBfQUFIX0FBQWlnR2t0Zl9YX2ZiMnZqLV81OTlfdDBlWTFmOV82M3Ytd3pqaGVOcy04TnlkX1hfTDRYdjJNeXZCMzZwcTRLdVI0a3UzYkJBUWR0SE9uY1RRbVJ3SWxWcVRMc2IwMk1yN05LSjdMRW1sc2JlMmRZR0g5dm45WFRfWktaNzBfX19fXzdfM19fX19fXzc3Xy1iXzRHa3RmX1hfZmIydmotXzU5OV90MGVZMWY5XzYzdi13empoZU5zLThOeWRfWF9MNFh2Mk15dkIzNnBxNEt1UjRrdTNiQkFRZHRIT25jVFFtUndJbFZxVExzYjAyTXI3TktKN0xFbWxzYmUyZFlHSDl2bjlYVF9aS1o3MF9fX19fN18zX19fX19fNzdfLWJfNENnS0FZQUNFQVhJQkFBQ2JBR3lBT29BcGdCWFlDLWdHSUFNakFhRURBQWdMYUNRREFBUWdDNUFJQUFUWUEyUUIxQUZNQUs3QVgwQXhBQmtZRFFnb0FFQmJRYUFZQUNFQVhJQkFBQ2JBR3lBT29BcGdCWFlDLWdHSUFNakFhRUhBQWdMYUVRREFBUWdDNUFJQUFUWUEyUUIxQUZNQUs3QVgwQXhBQmtZRFFoSUFFQmJRcUFZQUNFQVhJQkFBQ2JBR3lBT29BcGdCWFlDLWdHSUFNakFhRUxBQWdMYUdRREFBUWdDNUFJQUFUWUEyUUIxQUZNQUs3QVgwQXhBQmtZRFFob0FFQmJRNkFZQUNFQVhJQkFBQ2JBR3lBT29BcGdCWFlDLWdHSUFNakFhRVBBQWdMYUlRREFBUWdDNUFJQUFUWUEyUUIxQUZNQUs3QVgwQXhBQmtZRFFpSUFFQmJSS0FZQUNFQVhJQkFBQ2JBR3lBT29BcGdCWFlDLWdHSUFNakFhRVRBQWdMYUtRREFBUWdDNUFJQUFUWUEyUUIxQUZNQUs3QVgwQXhBQmtZRFFpb0FFQmJRI18xXzE5XyNfczIxOF9jNTk3NV9zMjNfYzUxNDdfczdfYzUxNjNfczFfczI2X3MxMzVfczExMDRfczE0MDlfczkwNV9zMTRfYzQ0OTlfYzUxMzZfYzY5MjVfYzUzMzVfYzUzMzRfYzUxNThfYzUyMjNfYzUxMzVfczM0X3MzMF9VXyMxLS0tIzF-My4yOTUzLjI4NTguMTk4Ni4xMS4yMzYuMTUuMjg2Ni4xMjMyLjI3MTAuMjIuMjg5Mi4xNDk2LjI0NDEuMjE3Ni4zNS4xOTYwLjI0NjcuMTMzNi44MjcuMTUxNC4xNjQyLjI3MDIuMzU5LjI2MzIuMjgwMy44NS4yMjE0LjIyNzYuOTMyLjEyNDguNTcuMjE0MS4yMjcxLjE1MTcuMjY2Mi4xNDA5LjE0NTEuNTg3Ljk5MS4xODM0LjE1NDcuMTg1OC4xNzQxLjExNjcuMTk4Ny4xNzc2LjEwNjMuMjY5OS4yOTU3LjI2NjMuMjk3MS4yMDYyLjI3ODYuMjQ1My45ODcuMjkzNi4yMTYuNTk1LjI5MTAuNjIuMjYyMi4xNTMuMTU0LjIzMjAuMTY1LjE3OC4xMjI1LjI4NDcuMzE3Ljc3Ni4xODguNzk3LjUzNy4xMzI5LjMxNi4xOTUuNDkyLjg5LjIwOS4xMTAwLjI3MjcuMjAxNi45NTUuMjIxLjE3MDUuMTI5OC4yMjkuMjI5LjI1ODYuMjc3OS4yNTA2LjEyNzUuMTczNS4yNzA1LjEyNi4yNjM5LjExNzIuMjU1LjIyNTEuMjU5Ny40OC4yMjk1LjI3MS4xNzYwLjYyMS4yNzQuMjgwOC4xNjc0LjI2NjYuMTg4My4xNTk4LjE1NDIuMTczOS4yNjg5LjYwOS4xNDIzLjEyLjE1MDMuMjk3Mi4xNzMzLjI5NC4xOTA1LjI0MTMuNzIzLjExOTkuMzEzLjcyNS4xMDUyLjU5MC4xNzgwLjMxMC4zMDMuMTM0NC4zMzYuMjQ2NC4yMTIxLjEwNDcuMjI0Ny40MzIuMzQ4LjE4ODIuMTIxMi4yNzA0LjIyOTAuMjQzNy4zNjMuMjI5OS4yNzc4LjEwNjIuMjA3OS4zNzAuMTg5Mi4yODQzLjExNzEuMzg0LjEzNC4yODY4LjI3ODAuMTAyOC4yODMyLjM5OC43ODIuMzQwLjE3OTEuMjQxMC4yMDU5LjE2MS4yMTcwLjE1MjAuMjgxMC4yNjQ5Ljk3Ni4yMzExLjE0MTkuNDM4LjMxNC4yNzA5LjE2NTIuNDQzLjIzODIuMTA3Mi4yODcyLjIwMTIuMjkyOC4yNzA2LjQ1OS4yMjc4LjE4MDEuNjI0LjEzMTMuMjgwMi4yMzQ2Ljg2LjIxOTIuMTk4NS4xODc1LjE2ODQuMTkxMS4yMDc4LjE3OTQuMTI1LjE3MTYuMTIzNi44MTQuMTAyOS40NzkuMTI0MS4xOTU4LjkzMy4xOTQ1LjE2MjYuNTAzLjUxMC4xODMxLjI0ODEuMjc3Ny4yNTkuMjkwNS4yNTEyLjUyOC4xNTA5LjI2MjQuMTg3Mi4xNzIwLjgwLjI3NTguMjQyMi4yODI5

The app will capture the navigation event, close the webview and process the data as follows:

  1. Do a websafe base64 decoding:
    1. replace all + with space
    2. replace all _ with /
    3. replace all - with +
    4. add = to the end of the string so that the length of the string can be devided by 4
    5. do a base64 decoding
    The above example string will result in the following decoded string:
    CO75MJ7O8ApD8AfZXCDEA9CsAP_AAH_AAAigGktf_X_fb2vj-_599_t0eY1f9_63v-wzjheNs-8Nyd_X_L4Xv2MyvB36pq4KuR4ku3bBAQdtHOncTQmRwIlVqTLsb02Mr7NKJ7LEmlsbe2dYGH9vn9XT_ZKZ70_____7_3______77_-b_4Gktf_X_fb2vj-_599_t0eY1f9_63v-wzjheNs-8Nyd_X_L4Xv2MyvB36pq4KuR4ku3bBAQdtHOncTQmRwIlVqTLsb02Mr7NKJ7LEmlsbe2dYGH9vn9XT_ZKZ70_____7_3______77_-b_4CgKAYACEAXIBAACbAGyAOoApgBXYC-gGIAMjAaEDAAgLaCQDAAQgC5AIAATYA2QB1AFMAK7AX0AxABkYDQgoAEBbQaAYACEAXIBAACbAGyAOoApgBXYC-gGIAMjAaEHAAgLaEQDAAQgC5AIAATYA2QB1AFMAK7AX0AxABkYDQhIAEBbQqAYACEAXIBAACbAGyAOoApgBXYC-gGIAMjAaELAAgLaGQDAAQgC5AIAATYA2QB1AFMAK7AX0AxABkYDQhoAEBbQ6AYACEAXIBAACbAGyAOoApgBXYC-gGIAMjAaEPAAgLaIQDAAQgC5AIAATYA2QB1AFMAK7AX0AxABkYDQiIAEBbRKAYACEAXIBAACbAGyAOoApgBXYC-gGIAMjAaETAAgLaKQDAAQgC5AIAATYA2QB1AFMAK7AX0AxABkYDQioAEBbQ#_1_19_#_s218_c5975_s23_c5147_s7_c5163_s1_s26_s135_s1104_s1409_s905_s14_c4499_c5136_c6925_c5335_c5334_c5158_c5223_c5135_s34_s30_U_#1---#1~3.2953.2858.1986.11.236.15.2866.1232.2710.22.2892.1496.2441.2176.35.1960.2467.1336.827.1514.1642.2702.359.2632.2803.85.2214.2276.932.1248.57.2141.2271.1517.2662.1409.1451.587.991.1834.1547.1858.1741.1167.1987.1776.1063.2699.2957.2663.2971.2062.2786.2453.987.2936.216.595.2910.62.2622.153.154.2320.165.178.1225.2847.317.776.188.797.537.1329.316.195.492.89.209.1100.2727.2016.955.221.1705.1298.229.229.2586.2779.2506.1275.1735.2705.126.2639.1172.255.2251.2597.48.2295.271.1760.621.274.2808.1674.2666.1883.1598.1542.1739.2689.609.1423.12.1503.2972.1733.294.1905.2413.723.1199.313.725.1052.590.1780.310.303.1344.336.2464.2121.1047.2247.432.348.1882.1212.2704.2290.2437.363.2299.2778.1062.2079.370.1892.2843.1171.384.134.2868.2780.1028.2832.398.782.340.1791.2410.2059.161.2170.1520.2810.2649.976.2311.1419.438.314.2709.1652.443.2382.1072.2872.2012.2928.2706.459.2278.1801.624.1313.2802.2346.86.2192.1985.1875.1684.1911.2078.1794.125.1716.1236.814.1029.479.1241.1958.933.1945.1626.503.510.1831.2481.2777.259.2905.2512.528.1509.2624.1872.1720.80.2758.2422.2829
  2. Split the data by #, you will receive 4 or more parts:
    1. Part: IAB TCF ConsentString (see https://iabeurope.eu/transparency-consent-framework/)
    2. Part: Purposes IDs (Consent; List of purpose IDs separated by _)
    3. Part: Vendors IDs (Consent; List of vendor IDs separated by _)
    4. Part: Google additional consent string (see https://support.google.com/admanager/answer/9681920)
    5. Part: IAB USP Privacy String (see https://iabtechlab.com/standards/ccpa/)
    6. Part: Purposes IDs (legitimate interest; List of purpose IDs separated by _)
    7. Part: Vendors IDs (legitimate interest; List of purpose IDs separated by _)
    8. Part: Compressed Custom IDs Format (see Compressed Custom IDs Format)

  3. Decode each part depending on each parts data format.

Please note: The consent information, some or all parts may be empty (e.g. if the users presses the skipp link or depending on CMP settings).

Dont forget to store the consent information (websafe base64 encoded version that was sent from the webview to the app). It is needed in step 1 in  when querying the consentmanager server.

Back to top