SDK HTTP API
GET config and POST consent for publishable keys.
SDK HTTP API
Used by @erasurehq/anumati. Auth: publishable key.
Source: app_docs/sdk/API.md, app_docs/api.md, app_docs/guide/api.md.
Auth
Authorization: Bearer pk_live_…Compatibility only (not recommended): ?key=pk_live_… may be accepted by the server. Do not use in examples. The SDK package does not send query keys.
GET /api/sdk/v1/config
Loads the published consent snapshot for the project bound to the key.
Caching: ETag from content hash; Cache-Control: public, max-age=60, stale-while-revalidate=600; If-None-Match → 304.
200 (shape from product SDK API docs):
{
"projectId": "…",
"version": {
"id": "…",
"number": 3,
"publishedAt": "ISO-8601",
"contentHash": "…",
"consentHash": "…"
},
"config": {
"purposes": [
{
"id": "…",
"key": "analytics",
"name": "…",
"description": "…",
"required": false,
"categoryId": "…",
"sortOrder": 0
}
],
"categories": [{ "id": "…", "name": "Essential", "sortOrder": 0 }],
"notice": {
"title": "…",
"description": "…",
"acceptLabel": "…",
"rejectLabel": "…",
"manageLabel": "…",
"companyName": "…",
"logoUrl": "…",
"primaryColor": "…"
}
}
}| code | HTTP |
|---|---|
invalid_key | 401 |
revoked_key | 403 |
no_published_version | 404 |
rate_limited | 429 |
Draft configuration is never returned.
POST /api/sdk/v1/consent
Append-only consent receipt (collection only — no list/search UI on this public surface).
Body:
{
"versionId": "…",
"consentHash": "…",
"choices": {
"analytics": true,
"marketing": false
},
"timestamp": "2026-01-01T00:00:00.000Z",
"sdkVersion": "0.1.0"
}Server behaviour (documented):
- Validate key → project
- Validate body (Zod)
- Version must belong to the project
consentHashmust match the version’s computed consent surface- Insert append-only
ConsentReceipt; never update/delete
timestamp is accepted but not stored (server createdAt is authoritative).
Do not send IP, email, fingerprint, or session identifiers.
201: { "ok": true, "id": "…", "createdAt": "…" }
| code | HTTP |
|---|---|
invalid_key | 401 |
revoked_key | 403 |
invalid_body | 400 |
invalid_version | 400 |
consent_hash_mismatch | 400 |
Publishable key management (operator session)
| Method | Path |
|---|---|
POST | /api/platform/projects/:projectId/api-keys |
GET | /api/platform/projects/:projectId/api-keys |
DELETE | /api/platform/projects/:projectId/api-keys/:keyId |
Full secret shown once on create; thereafter prefix only. Soft revoke via revokedAt (no hard delete).
Versioning policy (SDK / HTTP)
| Axis | Policy |
|---|---|
| Package semver | npm @erasurehq/anumati |
| HTTP | /api/sdk/v1 — breaking changes → /v2 |
| Configuration | Operator versionNumber 1, 2, 3… |
| Consent surface | consentHash — independent of cosmetic publishes |
Additive JSON fields are non-breaking; SDK ignores unknown keys.