• What's a CWT?

    A JWT with standardized consent claims.

    Hmm, that might be too techy for a definition!

    With the arrival of the GDPR, all players of the tech industry (advertisers and publishers, adtech, CRM, identity providers, emailing, etc.) need to collect and share user consents across their technology stack. Consent web tokens allow them to do that in a standardized and secure way. One common language that all can trust!


    A consent web token is a list of consents given by a user (direct marketing, profiling, etc.) signed with a cryptographic key that guarantees its origin and stamped with an expiration date. Anyone who has access to the token can check its validity and know what the user has consented to and until when so they can act accordingly. Because the token is signed, no actor of the chain can alter it and it can be trusted as the fair representation of the user choices.

  • Workflow

    When are CWTs created and used?

    1. Consent collection

    On websites or in mobile applications, an official issuer of CWT tokens collects consents from users through banners, popups, etc.

    2. Token signature

    Once the user has given consent, a JWT token that respects the CWT specification is created and crypt signed with a private key.

    3. Sharing and using the token

    The consent token is shared with vendors that get access to user data. They can verify the validity of the token with the public key of the issuer.

  • Example

    What's the content of a CWT like?

    A JSON representation of a consent web token issued by Didomi, with user consents for profiling and emailing.

  • Frequently asked questions

    Commonly asked tidbits.

    How can I know that a CWT is valid?

    A consent web token is cryptographically signed with a private key that only the issuer know to guarantee that its content cannot be modified by anyone else than its issuer. Companies that receive CWTs can use the public key of the issuer to confirm that the token content is authentic and can be trusted.

    This relies on two industry standards: the JSON web token and asymmetric keys.

    How can I know that the list of consents from the user is real?

    At the end of the day, the content of the CWT (the list of consents of the user) is only as good as its issuer. Didomi maintains a list of issuers and their public keys to make it easy to use consent web tokens but cannot guarantee that the way they collect consent is compliant with the regulation.

    Consent web tokens are about securely sharing consents from trusted sources to downstream consumers of consents.

    Are CWTs free?

    Of course. Consent web token is an open-source specification and reference implementation maintained by DIdomi, a company that offers consent management solutions.

    Our goal is to promote it as an industry standard that is easy to use for everyone and fosters best practices as well as user choice. We welcome contributions to the specification and its implementation.

    Where can I get the full specification?

    The specification is maintained on Github. We welcome external contributions so feel free to open a PR there if you want to contribute!

  • Get in touch

    We welcome external contributions. If you want to get involved, you can contact us here or on Github.