Sharing Consent Between Multiple Sites

There are two options for sharing consent across multiple domains that you or your company owns or manages.

  • You can share consent via an iframe by hosting our provided HTML code at a specific URL, which you pass to InMobi CMP through a configuration option. The provided HTML contains an updated sample implementation that supports TCF v2 and the Google addtl_consent cookie.

  • You can also build your own custom Consent API, which requires significant development work and support.


ITP browsers (Safari, Firefox) and any other third-party-cookie blocking may prevent the fetch of the cookie from working, which stops Group Consents via iframe from functioning. However, developers can use the Group Consents via Custom Consent API guidelines below to build support for Safari and Firefox.

Group Consents via iframe

There are 3 steps to sharing consent across domains via an iframe.

  • The configuration option "Consent Scope" must be set to "service group".
  • The iframe HTML we provide below must be hosted on a URL determined by the site owner domain.
  • The URL where the HTML is hosted must be passed to InMobi CMP via the "CONSENT SCOPE GROUP URL" configuration option in the CMP Portal.

The iframe HTML


  <!-- For publishers whose consent scope is group level,
       host this HTML at the group-level cookie access URL. -->
  <html>
  <body>
  <script type="text/javascript">
    // Return the values of all cookies named `name` that this page can read.
    function getCookie(name) {
      var cookies = document.cookie
        .split(';')
        .filter(function(s) {
          var cookie = s.trim();
          if (cookie.indexOf(name + '=') === 0) {
            return true;
          }
        })
        .map(function(s) {
          return s.trim().substring(name.length + 1);
        });
      return cookies;
    }

    var msgIsString = true;

    // Handle a get/set request posted by the CMP running on the embedding page.
    function iframeCookieAccessMsgHandler(event) {
      var msg = event.data;
      msgIsString = typeof msg === "string";
      var json;
      if (msgIsString) {
        json = msg.indexOf("__qcCmpCookieAccessCall") !== -1 ? JSON.parse(msg) : {};
      } else {
        json = msg;
      }
      if (json.__qcCmpCookieAccessCall) {
        var obj = json.__qcCmpCookieAccessCall;
        var cookieNames = ['euconsent-v2', 'addtl_consent'];
        var localNames = ['_cmpRepromptHash', 'noniabvendorconsent'];
        // Ignore requests for any name outside the two lists.
        if (cookieNames.indexOf(obj.cookieName) === -1 && localNames.indexOf(obj.cookieName) === -1) {
          return;
        }
        var returnObj = {
          "callId": json.callId,
          "__qcCmpCookieAccessReturn": {
            "cmd": obj.cmd
          }
        };
        if (obj.cmd === "set") {
          if (cookieNames.indexOf(obj.cookieName) !== -1) {
            // In browsers that default to SameSite=Lax, a cookie written from a
            // cross-site iframe must also carry SameSite=None and Secure.
            document.cookie =
              obj.cookieName +
              '=' +
              obj.cookieValue +
              ';path=' +
              obj.cookiePath +
              ';expires=' +
              obj.expires +
              ';domain=' + window.location.hostname;
          } else {
            localStorage.setItem(obj.cookieName, obj.cookieValue);
          }
          returnObj.__qcCmpCookieAccessReturn.isSuccess = true;
        } else if (obj.cmd === "get") {
          var consentCookies = null;
          var infoObj = null;
          if (cookieNames.indexOf(obj.cookieName) !== -1) {
            consentCookies = getCookie(obj.cookieName);
            infoObj = returnObj.__qcCmpCookieAccessReturn;
            if (consentCookies.length !== 0) {
              infoObj.cookies = consentCookies;
              infoObj.isSuccess = true;
            } else {
              infoObj.isSuccess = false;
            }
          } else {
            consentCookies = localStorage.getItem(obj.cookieName);
            infoObj = returnObj.__qcCmpCookieAccessReturn;
            if (consentCookies) {
              infoObj.cookies = consentCookies;
              infoObj.isSuccess = true;
            } else {
              infoObj.isSuccess = false;
            }
          }
        }
        // Reply in the same form (string or object) the request arrived in.
        event.source.postMessage(msgIsString ?
          JSON.stringify(returnObj) : returnObj, "*");
      }
    }

    if (window.addEventListener) {
      window.addEventListener('message', iframeCookieAccessMsgHandler, false);
    } else {
      window.attachEvent('onmessage', iframeCookieAccessMsgHandler);
    }

    // post a message to CMP that the event handler is loaded.
    var registeredMessage = { "__qcCmpCookieAccessReturn": { "isHandlerRegistered": true } };
    window.parent.postMessage(msgIsString ? JSON.stringify(registeredMessage) :
      registeredMessage, "*");
  </script>
  </body>
  </html>
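
The handler above answers any window that embeds the page and replies with a "*" target origin, so it does not limit consent reads and writes to your own sites. The following added example (not InMobi's code) applies the same message handling only to an allowlist of group origins; GROUP_ORIGINS, makeMemoryStore and buildCookieAccessReply are hypothetical names, and the in-memory store stands in for document.cookie and localStorage.

```javascript
// Added example, not InMobi's code. GROUP_ORIGINS is a constructed placeholder list.
var GROUP_ORIGINS = ['https://site-a.example', 'https://site-b.example'];
var COOKIE_NAMES = ['euconsent-v2', 'addtl_consent'];
var LOCAL_NAMES = ['_cmpRepromptHash', 'noniabvendorconsent'];

// Hypothetical in-memory stand-in for document.cookie / localStorage so the
// decision logic can run outside a browser.
function makeMemoryStore() {
  var data = {};
  return {
    get: function (name) { return data[name] || ''; },
    set: function (name, value) { data[name] = value; }
  };
}

// Returns null when the message must be ignored, otherwise the reply and the
// exact origin to hand to event.source.postMessage(reply, targetOrigin).
function buildCookieAccessReply(event, store) {
  if (GROUP_ORIGINS.indexOf(event.origin) === -1) return null; // unknown embedder
  var msg = event.data, json;
  try {
    json = typeof msg === 'string' ? JSON.parse(msg) : msg;
  } catch (e) {
    return null; // string that is not JSON
  }
  var call = json && json.__qcCmpCookieAccessCall;
  if (!call || typeof call.cookieName !== 'string') return null;
  if (COOKIE_NAMES.indexOf(call.cookieName) === -1 &&
      LOCAL_NAMES.indexOf(call.cookieName) === -1) return null;
  var ret = { cmd: call.cmd };
  if (call.cmd === 'set') {
    store.set(call.cookieName, String(call.cookieValue));
    ret.isSuccess = true;
  } else if (call.cmd === 'get') {
    var value = store.get(call.cookieName);
    ret.isSuccess = !!(value && value.length);
    if (ret.isSuccess) ret.cookies = value;
  } else {
    return null; // only "get" and "set" are handled
  }
  var reply = { callId: json.callId, __qcCmpCookieAccessReturn: ret };
  return {
    reply: typeof msg === 'string' ? JSON.stringify(reply) : reply,
    targetOrigin: event.origin // the verified sender, never "*"
  };
}
```

In the hosted page, call buildCookieAccessReply from the message listener with a store backed by document.cookie and localStorage, and pass targetOrigin as the second argument of event.source.postMessage.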






Group Consents Via Custom Consent API

Configuring the CMP to use group-level consents requires building a JSON API that handles GET and POST requests to retrieve and store the consent values. Additionally, the API should properly respond to OPTIONS requests.

The API requires appropriate CORS headers for all GET, POST, and OPTIONS requests from an allowed origin (domains in your group). Make sure the following headers are included on responses, replacing values in [] as needed:

access-control-allow-credentials: true

access-control-allow-headers: true

access-control-allow-methods: get, post

access-control-allow-origin: http[s]://[your group domain]

Cookies to be Handled by Group API

The CMP expects that the JSON API is able to both receive and provide responses for the following cookies:

Cookie Name           Purpose
euconsent-v2          TCF Vendor Consent String
addtl_consent         Google Additional Vendor Consent string (if applicable)
noniabvendorconsent   Non-IAB vendor list created within Choice (if applicable)
_cmpRepromptHash      Hash that controls reprompt operations of the CMP

Responding to GET requests

When the API receives a GET request, it should respond by retrieving the cookie(s) from the HTTP request header. Note that cookie headers may include more than one cookie.

The consent cookie is in the format: [cookie name]=[cookie value]

Where [cookie value] denotes the specific value provided by the CMP for the cookie. The API should then send a JSON response in the format:

{ "[cookie1 name]": "[cookie1 value]",
  "[cookie2 name]": "[cookie2 value]", .... }


The service group scheme requires the API to parse and return both the euconsent-v2 and addtl_consent cookies.

Responding to POST requests

When the API receives a POST request, it should respond by setting the cookie(s) sent in the JSON request's body. The API should expect the JSON to be in the format:

{ "[cookie1 name]": "[cookie1 value]",
  "[cookie2 name]": "[cookie2 value]", .... }

Where [cookie value] denotes the encoded string provided by the CMP for the specific cookies.

The API should emit the following HTTP response headers in order to set the cookie, replacing values in [] as needed:

set-cookie: [cookie name]=[cookie value]; max-age=15552000; domain=.[your group domain]; path=/


The CMP will execute a POST call for each cookie for which it sets a value, and it expects the Group API to provide a cumulative response for all the cookies that have been set, both in the POST request and the GET request.
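
One way to implement the GET, POST and OPTIONS behaviour described above, as an added example that is not InMobi's sample code: a framework-independent request handler that echoes the CORS origin only for allowlisted group sites, filters the Cookie header down to the four consent cookies, and returns the cumulative JSON. GROUP_DOMAIN, API_ORIGINS and the function names are assumptions.

```javascript
// Added example, not InMobi's sample code. GROUP_DOMAIN and API_ORIGINS are
// constructed placeholders for your own group.
const GROUP_DOMAIN = 'group.example';
const API_ORIGINS = ['https://site-a.example', 'https://site-b.example'];
const CONSENT_COOKIES = ['euconsent-v2', 'addtl_consent', 'noniabvendorconsent', '_cmpRepromptHash'];

// Pick the consent cookies out of a Cookie request header (it may hold others).
function readConsentCookies(cookieHeader) {
  const found = {};
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    const name = part.slice(0, eq).trim();
    if (eq !== -1 && CONSENT_COOKIES.includes(name)) found[name] = part.slice(eq + 1).trim();
  }
  return found;
}

// req: { method, headers: { origin, cookie }, body }. Returns { status, headers, body }.
function handleGroupConsentRequest(req) {
  const origin = req.headers.origin;
  if (!API_ORIGINS.includes(origin)) return { status: 403, headers: {}, body: '' };
  const headers = { // fixed values as listed on this page; origin echoed only if allowlisted
    'access-control-allow-credentials': 'true',
    'access-control-allow-headers': 'true',
    'access-control-allow-methods': 'get, post',
    'access-control-allow-origin': origin,
    'vary': 'origin'
  };
  if (req.method === 'OPTIONS') return { status: 204, headers, body: '' };
  if (req.method !== 'GET' && req.method !== 'POST') return { status: 405, headers, body: '' };
  const cookies = readConsentCookies(req.headers.cookie);
  if (req.method === 'POST') {
    let posted = null;
    try { posted = JSON.parse(req.body); } catch (e) { /* rejected below */ }
    if (posted === null || typeof posted !== 'object') return { status: 400, headers, body: '' };
    headers['set-cookie'] = [];
    for (const name of CONSENT_COOKIES) {
      const value = posted[name];
      // Skip absent values and any that could smuggle cookie attributes or headers.
      if (typeof value !== 'string' || /[;,\s\x00-\x1f\x7f]/.test(value)) continue;
      cookies[name] = value;
      headers['set-cookie'].push(name + '=' + value + '; max-age=15552000; domain=.' + GROUP_DOMAIN + '; path=/');
    }
  }
  headers['content-type'] = 'application/json';
  return { status: 200, headers, body: JSON.stringify(cookies) };
}
```

If the calling site and the API are on different sites, browsers that default cookies to SameSite=Lax attach them to credentialed cross-site requests only when the cookie also carries SameSite=None and Secure.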

Sample JSON Response

{
  "_cmpRepromptHash": "CO43p9wO43p9wAKALCENA1CsAP_AAH_AAAwIGatd_X9fb2vj-_5999t0eY1f9_63v-wzjgeNs-8NyZ_X_L4Xr2MyvB36pq4KmR4Eu3LBAQFlHOHcTQmQwIkVqTLsbk2Mq7NKJ7LEilMbM2dYGG9Pn8XTuZCY70_sf__z_3-_-___67bgZeQSYal8BAkJYwEk2aVQogQhXEhUA4AKKEYWjSw0JHBTsrgI9QQIAEBqAjAiBBiCjFkEAAAAASURACQDAgEQBEAgABACtAQgAIkAQWAEgYBAAKAaFgBFEEoEhBkcFRyiBAVItFBPNGAA.YAAAAAAAAAAA.1.KTvSi1ifP7BGbdpiCttXPA==",
  "addtl_consent": "1~",
  "noniabvendorconsent": "O5HcfyO5HcfyAKAaAALA"
}


Sample Code for Developers

InMobi has provided sample code here to illustrate an implementation of Group Consents via Custom Consent API. InMobi will not provide support for this sample code and is not responsible for any consequences of your implementation of it.

Displaying IDFA Popup

The CMP provides an option to seamlessly integrate the new native IDFA permission popup (ATTrackingManager), provided the user has granted permission for the CMP purposes. Presenting the popup right after the CMP offers users more context about the request, potentially leading to higher acceptance rates.

The popup will be triggered if GDPR applies and consent has been obtained, or if GDPR is explicitly stated not to apply.

If your app and associated vendors will never utilize the IDFA, or if you intend to display this popup at a different time, set this option to false.

However, if you set this option to true, provide a usage description in your Info.plist. To do this, add a new key named NSUserTrackingUsageDescription and furnish it with a concise yet comprehensive description of how the IDFA will be utilized. For instance, "We use this value to help serve you relevant advertising".


Last Updated on: 13 Feb, 2024