Consent
Record cookie and marketing consent for GDPR compliance audit trails
The consent endpoint records cookie banner interactions to a compliance audit log. It is designed to be called from client-side consent banners — no authentication is required, and errors are swallowed so a network failure never blocks the user experience.
This endpoint is public — no API key or session cookie is required.
Record consent
POST /api/consent
Content-Type: application/json
Request body
| Field | Type | Required | Description |
|---|---|---|---|
action | accept_all | decline_all | save_preferences | Yes | The user's consent action |
analytics | boolean | No | Whether the user accepted analytics cookies |
marketing | boolean | No | Whether the user accepted marketing cookies |
Response
{ "ok": true }The response is always { "ok": true } — errors are swallowed server-side to ensure the consent banner never blocks the user. If the audit log write fails, the event is silently dropped.
What gets recorded
Each call to this endpoint creates a row in the compliance_audit_log table with the following fields:
| Field | Value |
|---|---|
event_type | consent_granted if any category is enabled; consent_revoked if decline_all or all categories are false |
event_method | banner for accept_all / decline_all; preference-center for save_preferences |
ip_address | Anonymised (hashed + truncated) for GDPR compliance |
user_agent | Stored for audit context |
metadata | { analytics, marketing, action } |
IP addresses are hashed before storage — MisarMail never stores raw IPs in the audit log, satisfying GDPR Article 25 (data minimisation) while still maintaining Article 7 audit trail requirements.
GDPR audit trail
Under GDPR Article 7(1), controllers must be able to demonstrate that consent was given. The compliance_audit_log table provides an immutable record of every consent interaction, including:
- When consent was given or withdrawn
- Which categories were accepted
- The mechanism used (banner vs preference center)
- Anonymised IP + user agent for context
This log is accessible via the Audit Log settings endpoint.
Banner integration example
Call this endpoint when your consent banner resolves. You do not need to wait for the response.
# Accept all cookies
curl -X POST https://api.misar.io/mail/api/consent \
-H "Content-Type: application/json" \
-d '{ "action": "accept_all", "analytics": true, "marketing": true }'
# Decline all
curl -X POST https://api.misar.io/mail/api/consent \
-H "Content-Type: application/json" \
-d '{ "action": "decline_all", "analytics": false, "marketing": false }'// Fire-and-forget — never await to avoid blocking the UI
function recordConsent(
action: 'accept_all' | 'decline_all' | 'save_preferences',
categories: { analytics?: boolean; marketing?: boolean }
) {
fetch('/api/consent', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ action, ...categories }),
}).catch(() => {
// Silently ignore — consent recording must never fail visibly
});
}
// Usage
recordConsent('accept_all', { analytics: true, marketing: true });
recordConsent('save_preferences', { analytics: true, marketing: false });Notes
- MisarMail's own marketing website uses this endpoint internally for its cookie banner
- If you embed MisarMail tracking pixels or analytics on your own site, call this endpoint when your users interact with your consent banner so MisarMail's tracking respects their choice
- Consent records are retained for 3 years in compliance with typical GDPR audit retention requirements