GPCGuard validates GPC signals at the API layer, records structured decision evidence for each request, and fails closed when validation cannot complete.
Category: Not a CMP replacement. The evidence layer for GPC signal handling.
4 States
GPC jurisdiction contexts
Per-signal
Structured decision records
Fail-closed
Default endpoint posture
Decision Records
Each processed request creates a tenant-scoped decision record — the auditable receipt for every GPC signal. Drill into any row to inspect the signal source, decision outcome, policy flags, and compliance standard, exactly as operators see them in the dashboard.
GPCGuard provides the decision record. To complete enforcement, wire HONORED outcomes to your tag manager, CDP, and ad partners to suppress downstream data flows.
Architecture
Every signal request sent to your GPCGuard endpoint passes through a deterministic guard chain, producing structured decision outcomes with explicit HONORED / DENIED states.
01 / 04
The generated embed or SDK sends a request to your GPCGuard endpoint, where the incoming signal is evaluated for that site.
02 / 04
Fail-closed guards verify site configuration, origin, active status, DPA acceptance, and circuit state before the request can continue.
03 / 04
The endpoint returns a structured policy decision — HONORED when the signal is valid and policy is applied, DENIED when a compliance-critical guard fails. Wire the HONORED outcome to your tag manager, CDP, and ad partners to suppress downstream data flows.
04 / 04
Processed signal requests create structured decision records that operators can review in logs and dashboard evidence views.
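The ordered, fail-closed evaluation described in steps 01 to 04, as an added example (not GPCGuard's own code). The guard names, site fields, record shape, and the treatment of the Sec-GPC check as the final guard are assumptions made for illustration.

```javascript
// Added illustration: an ordered, fail-closed guard chain. All names here
// (guards, site fields, record shape) are hypothetical, not GPCGuard's API.
const GUARDS = [
  ["site_config", (req, site) => site !== undefined && site !== null],
  ["origin", (req, site) => site.allowedOrigins.includes(req.origin)],
  ["active_status", (req, site) => site.active === true],
  ["dpa_accepted", (req, site) => site.dpaAccepted === true],
  // Circuit-breaker sense: "closed" means the dependency is healthy.
  ["circuit_state", (req, site) => site.circuit === "closed"],
  // Assumption: the signal counts as valid only when Sec-GPC is exactly "1".
  ["gpc_signal", (req) => req.headers["sec-gpc"] === "1"],
];

function evaluate(req, sites, now = new Date()) {
  const site = sites[req.domain];
  const trace = [];
  let outcome = "HONORED";
  let failedGuard = null;
  for (const [name, check] of GUARDS) {
    let passed = false;
    try {
      // Only a strict boolean true passes; undefined, truthy values and
      // exceptions all count as failure, so errors cannot fall open.
      passed = check(req, site) === true;
    } catch (err) {
      passed = false;
    }
    trace.push({ guard: name, passed });
    if (!passed) {
      outcome = "DENIED";
      failedGuard = name;
      break; // guard order is preserved: later guards never run
    }
  }
  // The decision record: one per request, with the full guard trace.
  return { domain: req.domain, outcome, failedGuard, trace, at: now.toISOString() };
}

// Constructed sample data (not real tenants).
const SITES = {
  "shop.example": { allowedOrigins: ["https://shop.example"], active: true, dpaAccepted: true, circuit: "closed" },
  "old.example": { allowedOrigins: ["https://old.example"], active: true, dpaAccepted: false, circuit: "closed" },
  "broken.example": { active: true, dpaAccepted: true, circuit: "closed" }, // allowedOrigins missing
};
const request = (domain, gpc) => ({
  domain, origin: `https://${domain}`, headers: gpc === undefined ? {} : { "sec-gpc": gpc },
});
```

The `broken.example` entry shows the fail-closed case: the origin guard throws on the incomplete configuration, and the request is recorded as DENIED at that guard instead of continuing.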
Comparison
Major CMPs now detect Sec-GPC and suppress consent banners. That is a good start. What they do not provide is a per-signal, auditable decision record that proves to a regulator exactly which GPC signal was received, what policy was applied, and what the outcome was — down to the millisecond. GPCGuard is the enforcement and evidence API that runs below your CMP, not a replacement for it.
How this fits with your CMP
CMP
Handles banners, preference collection, and opt-in flows at the UI layer.
GPCGuard
Validates GPC signals and records structured evidence at the API layer.
Together
Use both when you need proof of what happened to each GPC request.
Consent Management Platform (CMP)
Banner-layer · preference collection · GPC banner suppression
GPCGuard
API-layer · per-signal enforcement · auditable decision records
<!-- GPCGuard embed — generated per site after DPA acceptance -->
<script
src="https://<project-ref>.supabase.co/storage/v1/object/public/public/gpc-sdk.js"
data-endpoint="https://<project-ref>.supabase.co/functions/v1/gpc-signal"
data-domain="<your-domain>"
data-show-notification="true"
async>
</script>
Integration
GPCGuard onboarding mirrors the actual product surface: create a site, accept the DPA, retrieve the generated snippet, then verify endpoint decisions in the analytics and evidence views. Most installs take under fifteen minutes end-to-end.
Create a site, accept the DPA
The embed snippet is generated by the dashboard only after the Data Processing Agreement is accepted for the site.
Install the generated snippet
Copy the snippet from the site detail page and place it on your domain so supported browsers can call your configured GPCGuard endpoint. Your endpoint is tenant-isolated — signal data from your sites is never readable across tenants.
Verify signals inside the product
After installation, inspect decision records and analytics from the same operator flow that generated the snippet.
Compliance Coverage
As of early 2026, twelve US states require honoring a universal opt-out mechanism. GPCGuard is fully active for four states today — CA, CO, CT, NJ — with the remaining eight on the roadmap. These references describe product scope, not legal guarantees.
CA: California (CCPA · CPRA)
CO: Colorado (CPA)
CT: Connecticut (CTDPA)
NJ: New Jersey (NJDPA)
TX: Texas (TDPSA), Roadmap
VA: Virginia (VCDPA), Roadmap
OR: Oregon (OCPA), Roadmap
MT: Montana (MCDPA), Roadmap
IA: Iowa (ICDPA), Roadmap
DE: Delaware (DPDPA), Roadmap
NH: New Hampshire (NHPDPA), Roadmap
IN: Indiana (IDCPA), Roadmap
Decision model
Public docs explain the ordered guard chain, API-layer boundary diagram, and common response contracts.
Read docs →
Security overview
The product publishes its current security posture without claiming certifications the infrastructure does not hold.
Review posture →
Architecture commitments
Non-negotiable boundaries — guard-order preservation and JWT + RLS tenant isolation — are documented publicly.
See commitments →
Get Started
Connect a site, install the embed, and see your first structured decision record — HONORED or DENIED, with a full guard chain trace. Free to start.
No credit card required · Free tier includes 3 sites and 10,000 signals/month · Enterprise terms available