Cookie Consent & GDPR
Sesamy JS supports GDPR-compliant cookie consent management. When enabled, persistent tracking identifiers are not written until the user consents.
How It Works
Without consent enabled, Sesamy JS works exactly as before. When consent is enabled:
- Before consent — Analytics events are still sent, but with a session-scoped anonymous ID (not persisted across sessions). No data is written to localStorage for tracking purposes.
- On consent granted — The full analytics library initializes, a persistent anonymous ID is created, and all buffered events are replayed with the persistent ID.
- On consent denied — No persistent tracking identifiers are ever written.
Storage Classification
| Category | Storage Keys | Consent Required |
|---|---|---|
| Essential | sesamy_is_authenticated (cookie), auth tokens, feature flags | No |
| Statistics | __anon_id (anonymous ID), sesamy_session_id, UTM attribution | Yes |
| Marketing | Reading _ga, _gid, _fbp, _fbc for checkout attribution | Yes |
Configuration
Add the consent field to your Sesamy JS configuration:
Auto-detect CMP
If you use Cookiebot, OneTrust, or Google Consent Mode, Sesamy JS can auto-detect them:
```json
{
  "clientId": "your-client-id",
  "vendorId": "your-vendor-id",
  "consent": {
    "enabled": true
  }
}
```
Explicit CMP
Specify which CMP you use:
```json
{
  "clientId": "your-client-id",
  "vendorId": "your-vendor-id",
  "consent": {
    "enabled": true,
    "cmp": "cookiebot"
  }
}
```
```json
{
  "clientId": "your-client-id",
  "vendorId": "your-vendor-id",
  "consent": {
    "enabled": true,
    "cmp": "onetrust"
  }
}
```
```json
{
  "clientId": "your-client-id",
  "vendorId": "your-vendor-id",
  "consent": {
    "enabled": true,
    "cmp": "google-consent-mode"
  }
}
```
Custom CMP
For other consent management platforms, use the onConsentChange callback:
```javascript
sesamy.init({
  clientId: 'your-client-id',
  vendorId: 'your-vendor-id',
  consent: {
    enabled: true,
    onConsentChange: (updateConsent) => {
      // Wire up your CMP's events
      myCMP.onAccept(() => {
        updateConsent({ statistics: true, marketing: true });
      });
      myCMP.onDecline(() => {
        updateConsent({ statistics: false, marketing: false });
      });
    }
  }
});
```
Default Consent
By default, both statistics and marketing are false until the CMP signals otherwise. You can change this:
```json
{
  "consent": {
    "enabled": true,
    "defaultConsent": {
      "statistics": true
    }
  }
}
```
Programmatic API
The consent state is available on the Sesamy API object:
```javascript
// Check current consent
const state = sesamy.consent.get();
// { statistics: false, marketing: false }

// Check a specific category
sesamy.consent.has('statistics'); // false

// Set consent programmatically (e.g., from your own consent UI)
sesamy.consent.set({ statistics: true, marketing: true });
```
Events
Listen for consent changes:
```javascript
window.addEventListener('sesamyJsConsentChanged', (event) => {
  console.log('Consent updated:', event.detail);
  // { statistics: true, marketing: false }
});
```
Supported CMPs
| CMP | Config Value | Auto-detected |
|---|---|---|
| Cookiebot | "cookiebot" | Yes |
| OneTrust | "onetrust" | Yes |
| Google Consent Mode v2 | "google-consent-mode" | Yes |
| Custom | Use onConsentChange | N/A |
Cookie & Storage Declaration
Publishers using a CMP must declare which cookies and storage entries their site uses. Below is the complete inventory of what Sesamy sets, so you can configure your CMP accurately.
Important
Most CMPs (including Cookiebot) block undeclared cookies by default — even functional ones. You must declare Sesamy's necessary cookies in your CMP so they are not blocked.
Server-set Cookies (BFF Authentication)
These cookies are set by the Sesamy API proxy when using cookie-based (BFF) authentication. They are all strictly necessary for authentication and do not require consent.
| Cookie | HttpOnly | Secure | Duration | Purpose |
|---|---|---|---|---|
| at | Yes | Yes | 1 hour | Encrypted access token |
| __Host-rt | Yes | Yes | 30 days | Encrypted refresh token |
| sesamy_is_authenticated | No | Yes | 30 days | Auth session hint (lets sesamy-js know if user is logged in) |
| sesamy_vid | No | Yes | 30 days | Vendor configuration hint |
| __Host-auth-state | Yes | Yes | 10 min | Temporary OAuth PKCE flow state |
CMP category: Necessary (no consent required, but must be declared)
Client-side Storage (sesamy-js)
Necessary (no consent required)
| Key | Storage | Purpose |
|---|---|---|
| sesamyFlags | localStorage | Feature flags |
| sesamyCacheTimestamp | sessionStorage | API cache timing |
| sesamySignedURLs | sessionStorage | Signed entitlement URLs |
| sesamyContentReloaded | sessionStorage | Login reload flag |
| sesamy_incognito_mode | sessionStorage | Browser capability detection |
Statistics (consent required)
These are only written after the user grants statistics consent. Before consent, data is buffered in memory.
| Key | Storage | Purpose |
|---|---|---|
| __anon_id | localStorage | Persistent anonymous user ID |
| sesamyAttribution | localStorage | UTM attribution data |
| utm_source, utm_medium, utm_campaign, utm_term, utm_content | localStorage | Campaign tracking parameters |
| utm_referrer | localStorage | Page referrer |
| sesamy_session_id | sessionStorage | Analytics session ID |
Marketing (consent required)
Sesamy JS does not set these cookies — it only reads them (if present) to pass attribution data to the checkout flow. They are set by Google Analytics and Facebook Pixel.
| Key | Storage | Purpose |
|---|---|---|
| _ga, _gid | Cookie (read-only) | Google Analytics identifiers |
| _fbp, _fbc | Cookie (read-only) | Facebook Pixel identifiers |
Auth0 Plugin (Legacy)
If you use the Auth0 authentication plugin instead of the default BFF pattern, the following additional storage entries are used:
| Key | Storage | Category | Purpose |
|---|---|---|---|
| sesamyAccessToken | localStorage | Necessary | Access token |
| sesamyRefreshToken | localStorage | Necessary | Refresh token |
| auth0.is.authenticated | Cookie | Necessary | Auth0 session hint |
| @@auth0spajs@@* | localStorage | Necessary | Auth0 SDK token cache |
| sesamySilentAuthThrottle | sessionStorage | Necessary | Silent auth throttle |
| sesamySilentRedirectState | sessionStorage | Necessary | Silent redirect state |
These are all strictly necessary for authentication. However, some strict CMP configurations may flag localStorage token storage — declare them as "Necessary" in your CMP.
Cookiebot Declaration
When using Cookiebot, ensure all Sesamy cookies are declared in your Cookiebot admin panel:
- Run a Cookiebot scan on your site — most server-set cookies (at, __Host-rt, sesamy_is_authenticated) will be auto-detected
- Manually declare any localStorage/sessionStorage keys that Cookiebot's scanner doesn't detect
- Categorize cookies as follows:
  - at, __Host-rt, sesamy_is_authenticated, sesamy_vid, auth-state → Necessary
  - __anon_id, sesamyAttribution, utm_*, sesamy_session_id → Statistics
  - _ga, _gid, _fbp, _fbc → Marketing (these are set by Google/Facebook, not Sesamy)
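A way to verify that the gating and the CMP categorization actually hold on a live page, as an added example that is not Sesamy's or Cookiebot's code: take a snapshot of `document.cookie` and the web storage keys (for instance from an end-to-end test, before and after answering the banner), classify each key by the inventory on this page, and report any statistics or marketing key that is present while its category is not consented to. The `auditStorage`, `categorize` and `cookieNames` names and the sample snapshot are constructed for this example. Note that HttpOnly cookies (at, __Host-rt, __Host-auth-state) never appear in `document.cookie`, so the audit can only see the non-HttpOnly ones; it also lists keys missing from the inventory so new storage use shows up in review.

```javascript
// Added example (not Sesamy's or Cookiebot's code): audit a storage snapshot
// against the declaration categories on this page and the current consent state.

// Key inventory copied from the tables above; marketing cookies are read, not
// written, by Sesamy, but are included so a tag that sets them early is caught.
const STORAGE_CATEGORIES = {
  necessary: [
    'at', '__Host-rt', 'sesamy_is_authenticated', 'sesamy_vid', '__Host-auth-state',
    'sesamyFlags', 'sesamyCacheTimestamp', 'sesamySignedURLs', 'sesamyContentReloaded',
    'sesamy_incognito_mode',
  ],
  statistics: [
    '__anon_id', 'sesamyAttribution', 'utm_source', 'utm_medium', 'utm_campaign',
    'utm_term', 'utm_content', 'utm_referrer', 'sesamy_session_id',
  ],
  marketing: ['_ga', '_gid', '_fbp', '_fbc'],
};

// Returns the category for a key, or 'unknown' if it is not in the inventory.
function categorize(key) {
  for (const [category, keys] of Object.entries(STORAGE_CATEGORIES)) {
    if (keys.includes(key)) return category;
  }
  return 'unknown';
}

// Extracts cookie names from a document.cookie-style string ("a=1; b=2").
// HttpOnly cookies are not exposed there, so they never show up here.
function cookieNames(cookieHeader) {
  return cookieHeader
    .split(';')
    .map(part => part.trim())
    .filter(Boolean)
    .map(part => part.split('=')[0]);
}

// snapshot: { cookies: string, localStorage: string[], sessionStorage: string[] }
// consent:  { statistics: boolean, marketing: boolean }
// Returns keys present without consent for their category, plus keys not in the inventory.
function auditStorage(snapshot, consent) {
  const found = [
    ...cookieNames(snapshot.cookies).map(key => ({ key, store: 'cookie' })),
    ...snapshot.localStorage.map(key => ({ key, store: 'localStorage' })),
    ...snapshot.sessionStorage.map(key => ({ key, store: 'sessionStorage' })),
  ];
  const violations = [];
  const unknown = [];
  for (const entry of found) {
    const category = categorize(entry.key);
    if (category === 'unknown') { unknown.push(entry); continue; }
    if (category === 'necessary') continue;
    if (!consent[category]) violations.push({ ...entry, category });
  }
  return { violations, unknown };
}

// Constructed snapshot (not captured from a real site) of a page that wrote
// analytics keys before the banner was answered, plus one undeclared key.
const SAMPLE_BEFORE_CONSENT = {
  cookies: 'sesamy_is_authenticated=1; sesamy_vid=vendor-hint; _ga=GA1.2.111',
  localStorage: ['sesamyFlags', '__anon_id', 'utm_source'],
  sessionStorage: ['sesamy_session_id', 'sesamy_incognito_mode', 'someOtherKey'],
};

// Usage: run with the consent state the CMP reports at that moment.
const report = auditStorage(SAMPLE_BEFORE_CONSENT, { statistics: false, marketing: false });
console.log('violations:', report.violations.map(v => `${v.store}:${v.key} (${v.category})`));
console.log('undeclared:', report.unknown.map(u => `${u.store}:${u.key}`));

module.exports = { STORAGE_CATEGORIES, categorize, cookieNames, auditStorage, SAMPLE_BEFORE_CONSENT };
```

In a browser the snapshot is `{ cookies: document.cookie, localStorage: Object.keys(localStorage), sessionStorage: Object.keys(sessionStorage) }`; an empty `violations` list before consent and after a denial is the behaviour this page promises, and any `unknown` entry is a key to add to the CMP declaration.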
TIP
Sesamy JS handles the statistics/marketing gating automatically when consent.enabled is true. You only need to ensure your CMP correctly categorizes the cookies — Sesamy will respect the consent signals from your CMP.
Backward Compatibility
When no consent configuration is provided, Sesamy JS behaves exactly as before — all storage is written immediately without consent gating. The consent feature is entirely opt-in.