Cross-Domain Consent
Cross-domain consent sharing lets visitors carry their consent preferences across different top-level domains (e.g. brand.com and brand.de) without requiring them to consent again.
This feature requires a Pro plan or higher. Subdomain consent sharing (e.g. blog.brand.com → shop.brand.com) is available on all plans and works automatically via cookie scoping — see Subdomain Handling.
How it works
Browsers enforce the Same-Origin Policy, so cookies set on brand.com cannot be read by brand.de. CookieBoss solves this with server-side consent records and automatic link decoration:
- Visitor consents on
brand.com→ consent is POSTed to the sync API → a one-timeconsent_tokenis returned - Links to group domains (e.g.
brand.de) are automatically decorated with?_cb=TOKEN - On page load of
brand.de→ the script detects the_cbparameter → fetches consent from the sync API → applies it locally → cleans the URL
This approach is privacy-first: no third-party cookies, no iframes, no fingerprinting. It works in all browsers including Safari with ITP.
Setting up a consent group
1. Create a consent group
In your CookieBoss dashboard, go to Consent Groups and click New Group. Give the group a descriptive name, e.g. “Brand Europe”.
2. Add sites to the group
Open the consent group and click Add Sites. Select the domains you want to share consent between. You need at least two sites in a group for cross-domain sync to activate.
3. Publish all sites
After adding sites to a group, re-publish each site so the compiler injects the cross-domain config into the consent script. The compiled script will include:
consentGroupId— identifies the consent groupconsentGroupDomains— list of all domains in the groupconsentSyncEndpoint— the API endpoint for consent token storage
How link decoration works
When a visitor makes a consent choice, CookieBoss:
- POSTs the consent state to
api.cookieboss.io/api/v1/consent-sync - Receives a cryptographically random
consent_token(32 bytes, base64url) - Stores the token in
localStorageunder keycookieboss_ct - Finds all
<a>links on the page that point to other group domains - Appends
?_cb=TOKENto each link
A MutationObserver watches for dynamically added links (SPA support).
How token retrieval works
When a page loads on a group domain with a _cb URL parameter:
- The token is extracted from the URL
- The URL is immediately cleaned (the
_cbparam is removed viahistory.replaceState) - The consent state is fetched from
api.cookieboss.io/api/v1/consent-sync/:token - Consent is applied locally (cookie + localStorage)
- The consent banner is skipped; only the floating trigger button is shown
Token lifecycle
- Tokens are valid for 5 years (matching the consent cookie expiry)
- If a visitor updates their consent preferences, the existing token is updated (PUT)
- Expired tokens are automatically cleaned up by a server-side cron job
API endpoints
The consent sync API is public (no authentication required) with CORS origin: *:
| Method | Endpoint | Description |
|---|---|---|
POST | /api/v1/consent-sync | Store consent → returns { token } |
GET | /api/v1/consent-sync/:token | Retrieve consent for token |
PUT | /api/v1/consent-sync/:token | Update consent for token |
POST body
{
"groupId": "01HXYZ...",
"categories": {
"necessary": true,
"analytics": true,
"marketing": false,
"functional": true
}
}GET response
{
"categories": {
"necessary": true,
"analytics": true,
"marketing": false,
"functional": true
},
"consentedAt": "2026-03-05T10:30:00.000Z"
}Privacy considerations
- No third-party cookies or iframes are used
- Consent tokens are random, non-identifiable, and cannot be correlated back to a user
- URL parameters are cleaned immediately after processing
- The sync endpoint does not log IP addresses or user agents
- Tokens expire and are automatically purged