Developer Platform

Privacy compliance as an API.

80+ REST endpoints, TypeScript SDK, webhook engine with HMAC signing, and idempotent mutations. Everything you need to embed compliance into your product.

API at a glance

80+ REST endpoints: fully typed, versioned, and documented
25+ webhook events: real-time with HMAC-SHA256 signing
13 modules: consent, DSAR, erasure, risk, and more
<10ms consent check p99 (3-tier cache: LRU, Redis, PostgreSQL)

Built for developers

Clean, predictable API patterns. Every endpoint returns typed responses with compliance receipts.

Record consent

POST /v1/consents
Authorization: Bearer <jwt>
Idempotency-Key: ik_a1b2c3d4

{
  "dataPrincipalId": "dp_8a3fc7d2",
  "purpose": "marketing",
  "lawfulBasis": "dpdpa_s6_consent",
  "regulation": "DPDPA",
  "collectedVia": "sdk"
}

// Response 201
{
  "data": { "id": "uuid", "status": "active" },
  "receipt": {
    "receiptId": "CR-2026-09-15-000847",
    "eventHash": "sha256:a7b3c9...f2e1",
    "chainPosition": 847
  }
}

Check consent (hot path)

POST /v1/consents/check
X-API-Key: vk_live_...

{
  "dataPrincipalId": "dp_8a3fc7d2",
  "purpose": "marketing"
}

// Response 200 — p99 < 10ms
{
  "hasConsent": true,
  "consentId": "uuid",
  "lawfulBasis": "dpdpa_s6_consent",
  "regulation": "DPDPA",
  "expiresAt": "2027-09-15T00:00:00Z",
  "checkedAt": "2026-09-15T14:32:17Z"
}

TypeScript SDK

sdk-example.ts
import { VaultConsent } from '@vaultconsent/sdk';

const vc = new VaultConsent({
  apiKey: 'vk_live_...',
  region: 'ap-south-1',
});

// Record consent with type safety
const { data, receipt } = await vc.consents.create({
  dataPrincipalId: 'dp_8a3fc7d2',
  purpose: 'marketing',
  lawfulBasis: 'dpdpa_s6_consent',
  regulation: 'DPDPA',
});

// Check consent — cached, <10ms
const check = await vc.consents.check(
  'dp_8a3fc7d2', 'marketing'
);

Webhook verification

webhooks.ts
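import express from 'express';
import { verifyWebhook } from '@vaultconsent/sdk';

const app = express();

// Keep the exact bytes that were received: the signature covers the raw body,
// and re-serialised JSON will not produce the same HMAC.
app.use(express.json({
  verify: (req, _res, buf) => { (req as any).rawBody = buf; },
}));

app.post('/webhooks/vaultconsent', (req, res) => {
  const isValid = verifyWebhook({
    signature: req.headers['x-vaultconsent-signature'],
    timestamp: req.headers['x-vaultconsent-timestamp'],
    body: req.rawBody,
    secret: process.env.WEBHOOK_SECRET,
  });

  // Reject before touching the payload: nothing in req.body is trusted yet
  if (!isValid) return res.status(401).send();

  const event = req.body;
  switch (event.type) {
    case 'consent.withdrawn':
      // Propagate withdrawal to your systems
      break;
    case 'grievance.sla_warning':
      // Alert your team
      break;
  }

  // Acknowledge the delivery
  res.status(200).send();
});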
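
The checks a verifier of this kind has to make, as an added example that is not VaultConsent's SDK code. The page does not specify the signing format, so this assumes a hex HMAC-SHA256 over "<timestamp>.<raw body>", a Unix-seconds timestamp header, and a 300-second replay window; signPayload, checkSignature and the SAMPLE_* values are hypothetical and constructed for illustration.

```javascript
// Added example. Assumed scheme (not from the vendor's docs): hex HMAC-SHA256
// over "<timestamp>.<raw body>", Unix-seconds timestamp, 300 s replay window.
const crypto = require('node:crypto');

const TOLERANCE_SECONDS = 300; // assumption

// Sender side (hypothetical helper, used here to build the sample delivery).
function signPayload(secret, timestamp, rawBody) {
  return crypto.createHmac('sha256', secret)
    .update(`${timestamp}.`)
    .update(rawBody)
    .digest('hex');
}

// Receiver side (hypothetical helper). Returns { ok, reason } so that
// rejected deliveries can be logged with the cause.
function checkSignature({ signature, timestamp, body, secret, now = Date.now() }) {
  // Repeated headers arrive as arrays; anything but one string is rejected.
  if (typeof signature !== 'string' || typeof timestamp !== 'string' ||
      !secret || body == null) {
    return { ok: false, reason: 'missing_field' };
  }
  if (!/^\d+$/.test(timestamp)) return { ok: false, reason: 'bad_timestamp' };

  // Replay defence: a captured delivery is only valid inside the window.
  const ageSeconds = Math.abs(now / 1000 - Number(timestamp));
  if (ageSeconds > TOLERANCE_SECONDS) return { ok: false, reason: 'stale_timestamp' };

  const expected = Buffer.from(signPayload(secret, timestamp, body), 'hex');
  const received = Buffer.from(signature, 'hex'); // invalid hex decodes short
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (received.length !== expected.length ||
      !crypto.timingSafeEqual(received, expected)) {
    return { ok: false, reason: 'bad_signature' };
  }
  return { ok: true, reason: null };
}

// Constructed sample delivery (not real traffic).
const SAMPLE_SECRET = 'whsec_constructed_example';
const SAMPLE_TS = '1789482737';
const SAMPLE_BODY = Buffer.from(
  '{"type": "consent.withdrawn", "dataPrincipalId": "dp_8a3fc7d2"}');
const SAMPLE_SIG = signPayload(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY);
```

Verifying against JSON.stringify(req.body) instead of the raw bytes fails for this sample because the whitespace changes, which is why the handler above passes req.rawBody.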

API design principles

Versioned & Stable

All endpoints under /v1/. Breaking changes only in major versions. Minimum 12-month deprecation notice.

Compliance Receipts

Every mutation returns a cryptographic receipt with event hash, chain position, and timestamp. Legal evidence artifact.

Idempotent Mutations

Every POST/PUT/PATCH accepts an Idempotency-Key header. Safe to retry without side effects. 24-hour deduplication window.

RFC 7807 Errors

Standardised error format: type, title, status, detail, instance. Machine-parseable with human-readable descriptions.

Pagination & Filtering

Cursor or offset pagination on all list endpoints. Filter by status, date range, regulation, and full-text search.

Rate Limited

Per-tenant quotas with Redis backing. 10,000 req/min for reads, 1,000 for mutations. 429 responses include Retry-After.

25+ webhook event types

Subscribe to specific events or use wildcard for everything.

Consent
consent.granted
consent.withdrawn
consent.expired
consent.renewed
DSAR
grievance.created
grievance.sla_warning
grievance.sla_breach
grievance.resolved
Erasure
erasure.started
erasure.completed
erasure.partial
erasure.system_confirmed
Compliance
compliance.score_change
notice.published
risk.critical
Assessment
assessment.approved
assessment.review_due
assessment.rejected
Integration
integration.connected
integration.failed
cookie.unknown_detected
API

Ready to integrate?

Get API access, explore the documentation, and start building privacy-compliant products.