Consent Certificates
Every time a consumer submits a form on your tracked website, eConsent generates a consent certificate, a tamper-proof record that serves as verifiable evidence of consent for TCPA compliance and dispute resolution.
What is in a certificate
Each certificate contains:
| Field | Description |
|---|---|
| Certificate ID | Unique identifier in the format EC-{session_id}-{base64(sha256_hash)} |
| Session ID | Links to the full session recording |
| Company ID | The company that owns the property |
| Property ID | The property (website) where consent was captured |
| Consent records | All captured consent language, types, values, and categories |
| Timestamp | UTC time of the consent event |
| Consumer metadata | IP address, user agent, browser language, geo-location |
| Origin | The URL/domain where consent was captured |
| Recording path | Path to the session recording file |
| Recording hash | SHA-256 hash of the session recording for integrity verification |
| Signature | HMAC-SHA256 cryptographic signature |
Certificate generation process
Certificates are generated automatically when a form submission event is detected. The process works as follows:
- Consent extraction. The tracker collects all tagged consent elements (both implied and explicit) that are visible on the page.
- Deduplication. Duplicate consent records are removed by ID, keeping the most complete version of each.
- Normalization. Consent text is trimmed and truncated to 4,900 characters for UTF-8 safety. Types are lowercased.
- Fingerprinting. A consent fingerprint is built from all consent records: "id1:type1:value1,id2:type2:value2,...".
- Payload construction. A payload string is assembled: "{session_id}:{company_id}:{property_id}:{timestamp}:{fingerprint}:{domain}".
- Hashing. A SHA-256 hash is generated from the payload with added entropy.
- Signing. The certificate is signed with HMAC-SHA256 using a server-side secret key.
The resulting certificate ID follows this format:
```
EC-{session_id}-{base64(sha256_hash)}
```
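The steps above, carried through in Python as an added example (not eConsent's code). The nonce standing in for the "added entropy", the fields covered by the HMAC, the reading of "most complete" as longest text, and all sample values are assumptions; fields are joined without escaping, as in the format strings above.

```python
import base64, hashlib, hmac, secrets
MAX_TEXT = 4900  # truncation limit stated on the page
# Constructed sample input, not real eConsent data.
SAMPLE_CTX = {"session_id": "sess-001", "company_id": "co-1", "property_id": "prop-1",
              "timestamp": "2024-01-01T00:00:00Z", "domain": "example.com"}
SAMPLE_RECORDS = [
    {"id": "tcpa", "type": "Main-Explicit", "value": "on", "text": " By submitting"},
    {"id": "tcpa", "type": "Main-Explicit", "value": "on", "text": " By submitting this form, you consent. "},
    {"id": "terms", "type": "main-implied", "value": "visible", "text": "Terms apply."},
]

def dedupe(records):  # one record per id; "most complete" assumed to mean longest text
    best = {}
    for r in records:
        if r["id"] not in best or len(r["text"]) > len(best[r["id"]]["text"]):
            best[r["id"]] = r
    return list(best.values())

def normalize(r):
    return {**r, "text": r["text"].strip()[:MAX_TEXT], "type": r["type"].lower()}

def fingerprint(records):
    return ",".join(f'{r["id"]}:{r["type"]}:{r["value"]}' for r in records)

def build_payload(ctx, records):
    fp = fingerprint([normalize(r) for r in dedupe(records)])
    return ":".join([ctx["session_id"], ctx["company_id"], ctx["property_id"],
                     ctx["timestamp"], fp, ctx["domain"]])

def cert_id_for(session_id, payload, nonce):
    digest = hashlib.sha256(f"{payload}:{nonce}".encode()).digest()
    return f"EC-{session_id}-{base64.b64encode(digest).decode()}"

def sign(key, cert_id, payload, nonce):
    # Assumption: the HMAC covers the certificate ID, payload and nonce.
    return hmac.new(key, f"{cert_id}|{payload}|{nonce}".encode(), hashlib.sha256).hexdigest()

def issue(ctx, records, key, nonce=None):
    nonce = nonce or secrets.token_hex(16)  # assumption: the "added entropy"
    payload = build_payload(ctx, records)
    cert_id = cert_id_for(ctx["session_id"], payload, nonce)
    return {"certificate_id": cert_id, "payload": payload, "nonce": nonce,
            "signature": sign(key, cert_id, payload, nonce)}

def verify(cert, key):
    # Recompute the ID from the payload, then compare the HMAC in constant time.
    payload, nonce = cert["payload"], cert["nonce"]
    ok_id = cert["certificate_id"] == cert_id_for(payload.split(":", 1)[0], payload, nonce)
    return ok_id and hmac.compare_digest(sign(key, cert["certificate_id"], payload, nonce), cert["signature"])
```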
Viewing certificates
Dashboard
Navigate to Certificates in your eConsent dashboard at app.econsent.org to browse, search, and filter all generated certificates.
Public URL
Each certificate has a shareable public URL:
```
https://app.econsent.org/certificate/{certificateId}
```
This displays the certificate in a professional, PDF-style layout with:
- Company and property information
- All consent evidence grouped by type
- Session metadata and timestamps
- QR code linking to the session replay
- Certificate expiration status
PDF download
Certificates can be downloaded as PDF documents for offline storage, legal proceedings, or compliance audits.
Certificate expiration
Certificate retention is configurable per property in your account settings:
| Duration | Use case |
|---|---|
| 7 days | Testing and development |
| 30 days | Short-term campaigns |
| 60 days | Standard campaigns |
| 1 year | Extended compliance |
| 3 years | Long-term retention |
| 5 years | Maximum retention for litigation protection |
Hidden form field
When a certificate is generated, the certificate ID is automatically injected into the hidden form field on your page:
```html
<input type="hidden" id="econsent_hidden" name="econsent_hidden" value="">
```
This field is populated with the certificate ID, allowing you to associate the certificate with the lead in your CRM or lead management system.
You can also access these values via JavaScript:
```js
// Session ID
window.econsentState.session_id
// Certificate ID
window.econsentState.certificate
```
Or via cookies: econsent_session and econsent_certificate.
Accessing via API
Certificates can be verified programmatically through the Verification API:
```bash
curl -X POST https://api.econsent.org/api/verify/match \
  -H "Content-Type: application/json" \
  -d '{
    "certificate_id": "EC-session123-base64hash",
    "company_id": "your-company-id",
    "property_id": "your-property-id",
    "consent": "By submitting this form, you consent to receive marketing communications."
  }'
```
The API returns:
- Certificate validity (valid: true/false)
- Consent opt-in timestamp
- Origin URL
- Consent types captured
- Verification type (first-party or third-party)
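The hidden field and cookies arrive from the browser, so a lead handler should check the certificate ID's shape before storing it and then confirm it through the Verification API. The following is an added example, not eConsent's code: it assumes standard Base64 of a 32-byte SHA-256 digest, a session ID character set, and an optional match against the econsent_session cookie, and it builds the verify/match request shown above without sending it.

```python
import base64, binascii, json, re, urllib.request

VERIFY_URL = "https://api.econsent.org/api/verify/match"  # endpoint shown on the page
SESSION_RE = re.compile(r"[A-Za-z0-9_.-]{1,128}")  # assumed session ID character set

def parse_certificate_id(value):
    """Return (session_id, digest_bytes), or None if the value is malformed."""
    if not isinstance(value, str) or not value.startswith("EC-") or len(value) > 256:
        return None
    # Standard Base64 contains no "-", so the last "-" separates the hash.
    session_id, sep, b64 = value[3:].rpartition("-")
    if not sep or not SESSION_RE.fullmatch(session_id):
        return None
    try:
        digest = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    return (session_id, digest) if len(digest) == 32 else None

def build_verify_request(form, cookies, company_id, property_id, consent_text):
    """Build, but do not send, the verify/match request for a submitted lead."""
    cert_id = form.get("econsent_hidden", "")
    parsed = parse_certificate_id(cert_id)
    if parsed is None:
        raise ValueError("malformed certificate ID")
    # If the session cookie is present, it must name the same session.
    if cookies.get("econsent_session") not in (None, parsed[0]):
        raise ValueError("certificate does not belong to this session")
    body = json.dumps({"certificate_id": cert_id, "company_id": company_id,
                       "property_id": property_id, "consent": consent_text}).encode()
    return urllib.request.Request(VERIFY_URL, data=body, method="POST",
                                  headers={"Content-Type": "application/json"})
```

A well-formed ID only passes the shape check; whether the certificate is genuine is decided by the `valid` field in the API response.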
Certificate data structure
Each consent record within a certificate contains:
| Field | Description |
|---|---|
| id | Unique identifier for the consent element |
| text | Full consent language or label text |
| type | Consent type (main-implied, main-explicit, secondary-implied, secondary-explicit) |
| value | Input value for explicit consent, or visibility state for implied |
| category | EXPLICIT or IMPLIED |
Next steps
- Session Replay. View the full session recording linked to each certificate
- Verification API. Verify certificates programmatically
- Revocation & Opt-Out. How consumers can revoke consent
- Retention Management. Configure retention quotas and auto-retention